Merge latest ci-tools-lib

Squashed '.ci/' changes from c1a48a6..2c44e4f
2c44e4f Disable concurrent builds 7144a42 Improve Trivy scanning logic git-subtree-dir: .ci git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151
2024-06-25 17:15:39 +00:00 · 2024-06-25 17:15:39 +00:00 · 2023-09-28 13:18:15 +00:00 · 2023-09-28 10:06:34 +00:00 · 2023-09-28 03:12:39 +00:00
5 changed files with 24 additions and 22 deletions
--- a/.ci/podman.mk
+++ b/.ci/podman.mk
@ -46,7 +46,7 @@ test:: ## test built artificats

 scan: ## Scan image using trivy
 	echo "Scanning $(IMAGE):$(TAG)-$(_ARCH) using Trivy $(TRIVY_REMOTE)"
-	trivy image $(TRIVY_OPTS) localhost/$(IMAGE):$(TAG)-$(_ARCH)
+	trivy image $(TRIVY_OPTS) --quiet --no-progress localhost/$(IMAGE):$(TAG)-$(_ARCH)

 # first tag and push all actual images
 # create new manifest for each tag and add all available TAG-ARCH before pushing
--- a/.ci/vars/buildPodman.groovy
+++ b/.ci/vars/buildPodman.groovy
@ -2,6 +2,9 @@

 def call(Map config=[:]) {
    pipeline {
+      options {
+        disableConcurrentBuilds()
+      }
      agent {
        node {
          label 'podman-aws-trivy'
@ -10,6 +13,8 @@ def call(Map config=[:]) {
      stages {
        stage('Prepare') {
          steps {
+            sh 'mkdir -p reports'
+
            // we set pull tags as project adv. options
            // pull tags
            //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
@ -35,12 +40,13 @@ def call(Map config=[:]) {

        // Scan via trivy
        stage('Scan') {
-          environment {
-            TRIVY_FORMAT = "template"
-            TRIVY_OUTPUT = "reports/trivy.html"
-          }
          steps {
-            sh 'mkdir -p reports && make scan'
+            // we always scan and create the full json report
+            sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'
+
+            // render custom full html report
+            sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'
+
            publishHTML target: [
              allowMissing: true,
              alwaysLinkToLastBuild: true,
@ -50,13 +56,12 @@ def call(Map config=[:]) {
              reportName: 'TrivyScan',
              reportTitles: 'TrivyScan'
            ]
+            sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'

-            // Scan again and fail on CRITICAL vulns, if not overridden
+            // fail build if issues found above trivy threshold
            script {
-              if (config.trivyFail == 'NONE') {
-                echo 'trivyFail == NONE, review Trivy report manually. Proceeding ...'
-              } else {
-                sh "TRIVY_EXIT_CODE=1 TRIVY_SEVERITY=${config.trivyFail} make scan"
+              if ( config.trivyFail ) {
+                sh "TRIVY_SEVERITY=${config.trivyFail} trivy convert --report summary --exit-code 1 reports/trivy.json"
              }
            }
          }
--- a/15
+++ b/15
@ -1,21 +1,16 @@
-FROM golang:1.19-alpine3.17 as builder
-
-RUN apk add --no-cache git make gcc libc-dev
-
-WORKDIR /github.com/vadv/prometheus-exporter-merger
-COPY go.mod .
-COPY go.sum .
-RUN go mod download
+FROM golang:1.20-alpine as builder

+WORKDIR /prometheus-exporter-merger
 COPY . .
-RUN go build --ldflags "-s -w -linkmode external -extldflags -static" --tags netcgo -o /prometheus-exporter-merger
+
+RUN CGO_ENABLED=0 go build -ldflags "-s -w" .

 FROM scratch
 USER nobody

 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY --from=builder /etc/passwd /etc/passwd
-COPY --from=builder  /prometheus-exporter-merger /prometheus-exporter-merger
+COPY --from=builder /prometheus-exporter-merger/prometheus-exporter-merger /prometheus-exporter-merger

 EXPOSE 8080
 CMD ["/prometheus-exporter-merger", "--config", "/config/prometheus-exporter-merger.yaml"]
--- a/go.mod
+++ b/go.mod
@ -7,5 +7,5 @@ require (
 	github.com/prometheus/client_model v0.2.0
 	github.com/prometheus/common v0.10.0
 	golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4
-	gopkg.in/yaml.v2 v2.2.4
+	gopkg.in/yaml.v2 v2.4.0
 )
--- a/go.sum
+++ b/go.sum
@ -63,3 +63,5 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4 h1:/eiJrUcujPVeJ3xlSWaiNi3uSVmDGBK1pDHUHAnao1I=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
Author	SHA1	Message	Date
Stefan Reimer	979e58cdbc	Merge latest ci-tools-lib All checks were successful ZeroDownTime/tty-prometheus-exporter-merger/pipeline/head This commit looks good Details	2024-06-25 17:15:39 +00:00
Stefan Reimer	44766a1df0	Squashed '.ci/' changes from c1a48a6..2c44e4f 2c44e4f Disable concurrent builds 7144a42 Improve Trivy scanning logic git-subtree-dir: .ci git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151	2024-06-25 17:15:39 +00:00
Stefan Reimer	b65dbcbc43	Clean up Dockerfile All checks were successful ZeroDownTime/tty-prometheus-exporter-merger/pipeline/head This commit looks good Details	2023-09-28 13:18:15 +00:00
Stefan Reimer	49c1615436	Merge pull request 'fix(deps): update module gopkg.in/yaml.v2 to v2.4.0' (#7 ) from renovate/gopkg.in-yaml.v2-2.x into main All checks were successful ZeroDownTime/tty-prometheus-exporter-merger/pipeline/head This commit looks good Details Reviewed-on: #7	2023-09-28 10:06:34 +00:00
Renovate Bot	a72e3ae519	fix(deps): update module gopkg.in/yaml.v2 to v2.4.0 All checks were successful ZeroDownTime/tty-prometheus-exporter-merger/pipeline/pr-main This commit looks good Details	2023-09-28 03:12:39 +00:00