Stefan Reimer
d9320daa34
2c44e4f Disable concurrent builds 7144a42 Improve Trivy scanning logic c1a48a6 Remove auto stash push / pop as being too dangerous 318c19e Add merge comment for subtree 22ed100 Fix custom branch docker tags 227e39f Allow custom GIT_TAG 38a9cda Debug CI pipeline 3efcc81 Debug CI pipeline 5023473 Make branch detection work for tagged commits cdc32e0 Improve cleanup flow 8df60af Fix derp 748a4bd Migrate to :: to allow custom make steps, add generic stubs 955afa7 Apply pep8 5819ded Improve ECR public lifecycle handling via python script 5d4e4ad Make rm-remote-untagged less noisy f00e541 Add cleanup step to remove untagged images by default 0821e91 Ensure tag names are valid for remote branches like PRs 79eebe4 add ARCH support for tests aea1ccc Only add branch name to tags, if not part of actual tag a5875db Make EXTRA_TAGS work again git-subtree-dir: .ci git-subtree-split: 2c44e4fd8550d30fba503a2bcccec8e0bac1c151
// Common container builder by ZeroDownTime
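// Shared-library entry point: a declarative Jenkins pipeline that prepares, builds, tests,
// scans (Trivy), pushes and cleans up a container image via the project's Makefile targets.
//
// config keys read here:
//   trivyFail - optional Trivy severity threshold (exported as TRIVY_SEVERITY); when set, the
//               Scan stage fails the build if the JSON report contains findings at or above it.
//               When absent/falsy the scan is report-only.
def call(Map config=[:]) {
  pipeline {
    options {
      // one running build per job; avoids two builds racing on the same image tags / podman store
      disableConcurrentBuilds()
    }
    agent {
      node {
        label 'podman-aws-trivy'
      }
    }
    stages {
      stage('Prepare') {
        steps {
          // report directory consumed by the Scan stage (trivy.json / trivy.html)
          sh 'mkdir -p reports'

          // we set pull tags as project adv. options
          // pull tags
          //withCredentials([gitUsernamePassword(credentialsId: 'gitea-jenkins-user')]) {
          //  sh 'git fetch -q --tags ${GIT_URL}'
          //}

          // Optional project specific preparations
          sh 'make prepare'
        }
      }

      // Build using rootless podman
      stage('Build') {
        steps {
          // single-quoted: $GIT_BRANCH is expanded by the shell from the step environment,
          // not interpolated by Groovy
          sh 'make build GIT_BRANCH=$GIT_BRANCH'
        }
      }

      stage('Test') {
        steps {
          sh 'make test'
        }
      }

      // Scan via trivy
      stage('Scan') {
        steps {
          // we always scan and create the full json report
          sh 'TRIVY_FORMAT=json TRIVY_OUTPUT="reports/trivy.json" make scan'

          // render custom full html report
          sh 'trivy convert -f template -t @/home/jenkins/html.tpl -o reports/trivy.html reports/trivy.json'

          publishHTML target: [
            allowMissing: true,
            alwaysLinkToLastBuild: true,
            keepAll: true,
            reportDir: 'reports',
            reportFiles: 'trivy.html',
            reportName: 'TrivyScan',
            reportTitles: 'TrivyScan'
          ]
          sh 'echo "Trivy report at: $BUILD_URL/TrivyScan"'

          // fail build if issues found above trivy threshold
          script {
            if ( config.trivyFail ) {
              // The threshold is supplied by the calling Jenkinsfile. Hand it to trivy through
              // the step environment rather than Groovy-interpolating it into a double-quoted
              // sh command line, so that shell metacharacters in the value can never be
              // executed by /bin/sh; the sh string itself stays single-quoted.
              withEnv(["TRIVY_SEVERITY=${config.trivyFail}"]) {
                sh 'trivy convert --report summary --exit-code 1 reports/trivy.json'
              }
            }
          }
        }
      }

      // Push to container registry if not PR
      // incl. basic registry retention removing any untagged images
      stage('Push') {
        when { not { changeRequest() } }
        steps {
          sh 'make push'
          sh 'make rm-remote-untagged'
        }
      }

      // generic clean
      // NOTE: as a regular stage this only runs when every earlier stage succeeded; a failed
      // build leaves its artifacts behind (a post { always { } } block would run unconditionally).
      stage('cleanup') {
        steps {
          sh 'make clean'
        }
      }
    }
  }
}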