sns-alert-hub/vars/buildPodman.groovy
Stefan Reimer 93faaeb6ce Squashed '.ci/' changes from 748a4bd..8df60af
8df60af Fix derp

git-subtree-dir: .ci
git-subtree-split: 8df60afa12bb349e86eab22250ba5644ec9c6069
2023-08-14 10:24:11 +00:00

87 lines
2.1 KiB
Groovy

// Common container builder by ZeroDownTime
def call(Map config=[:]) {
pipeline {
agent {
node {
label 'podman-aws-trivy'
}
}
stages {
stage('Prepare') {
steps {
// pull tags
withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
sh 'git fetch -q --tags ${GIT_URL}'
}
// Optional project specific preparations
sh 'make prepare'
}
}
// Build using rootless podman
stage('Build') {
steps {
sh 'make build'
}
}
stage('Test') {
steps {
sh 'make test'
}
}
// Scan via trivy
stage('Scan') {
environment {
TRIVY_FORMAT = "template"
TRIVY_OUTPUT = "reports/trivy.html"
}
steps {
sh 'mkdir -p reports && make scan'
publishHTML target: [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'trivy.html',
reportName: 'TrivyScan',
reportTitles: 'TrivyScan'
]
// Scan again and fail on CRITICAL vulns, if not overridden
script {
if (config.trivyFail == 'NONE') {
echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
} else {
sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
}
}
}
}
// Push to container registry if not PR
stage('Push') {
when { not { changeRequest() } }
steps {
sh 'make push'
}
}
// generic clean
stage('cleanup') {
steps {
sh 'make clean'
}
// Basic registry retention removing untagged images if not PR only
when { not { changeRequest() } }
steps {
sh 'make rm-remote-untagged'
}
}
}
}
}