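// Declarative pipeline: run a Semgrep SAST scan, build an image from the checked-out
// commit, push it to the container registry, then always log out and clean the agent.
pipeline {
  agent any

  options {
    timestamps()
    // Two concurrent runs on one agent would share docker login state and race on
    // the image tags, so builds of this job are serialised.
    disableConcurrentBuilds()
  }

  environment {
    // --- Configure these for your registry ---
    // For Gitea Container Registry (Packages), this is typically your Gitea host.
    // Examples:
    //   REGISTRY = "git.brammie15.dev"           (HTTPS)
    //   REGISTRY = "git.brammie15.dev:5050"     (if your registry runs on a port)
    REGISTRY   = "git.brammie15.dev"

    // Image path in the registry. For Gitea/GitLab-style registries this is often:
    //   <owner>/<repo>  (or sometimes <owner>/<repo>/<image>)
    IMAGE_NAME = "brammie15/resendit"

    // Jenkins credential (Username/Password or token-as-password) that can push to the registry.
    // Create it in Jenkins: Manage Jenkins -> Credentials
    REGISTRY_CREDS = "registry-creds"

    IMAGE = "${REGISTRY}/${IMAGE_NAME}"

    // DefectDojo endpoint/API key and the NVD API key. No stage in this file
    // references them, yet being in the top-level environment block they are
    // available to every `sh` step of every stage. credentials() masks the values
    // in the console log but does not narrow where they are exposed.
    // NOTE(review): when the stage that consumes them is added, prefer binding them
    // there with withCredentials(...) so the secrets are scoped to that stage only.
    DD_URL = "https://DD.brammie15.dev"
    DD_API_KEY = credentials('dd-api-key')
    NVD_API_KEY = credentials("nvd-api-key")
  }

  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }

    stage('SAST - Semgrep') {
      steps {
        // The workspace is mounted read/write into an untagged (:latest) semgrep image;
        // `\$(pwd)` is escaped so the shell, not Groovy, expands it.
        // NOTE(review): `--config=auto` fetches rules from the Semgrep registry at build
        // time, and `semgrep scan` exits 0 even when it has findings unless `--error` is
        // passed, so this stage currently reports but does not gate the build. Pinning
        // the image to a tag or digest would make the scan reproducible.
        sh """
          docker run --rm -v "\$(pwd):/src" \
            returntocorp/semgrep \
            semgrep scan --config=auto /src
        """
      }
    }

    stage('Build image') {
      steps {
        script {
          // Tag the image with the 12-character abbreviated hash of the checked-out commit.
          def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim()
          // Exported so later stages and the post section can read it as ${IMAGE_TAG_SHA}.
          env.IMAGE_TAG_SHA = shortSha

          sh """
            docker version
            docker build \
              --build-arg GIT_COMMIT=${shortSha} \
              -t ${IMAGE}:${shortSha} .
          """
        }
      }
    }

    stage('Login to registry') {
      steps {
        withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) {
          // Single-quoted Groovy string on purpose: $REG_USER, $REG_PASS and ${REGISTRY}
          // are expanded by the shell from the step's environment, not by Groovy.
          // A """ GString here would splice the password into the script text itself
          // (Jenkins warns "A secret was passed to sh using Groovy String interpolation"),
          // where it is stored with the build and bypasses credential masking.
          sh '''
            echo "$REG_PASS" | docker login "${REGISTRY}" -u "$REG_USER" --password-stdin
          '''
        }
      }
    }

    stage('Push image') {
      steps {
        script {
          // Always push the commit SHA tag
          sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}"

          // Also push a branch tag (handy for test environments)
          // BRANCH_NAME is set by multibranch jobs; otherwise fall back to git, which
          // yields "HEAD" for a detached checkout (and that then becomes the tag).
          def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim())
          // Replace characters docker does not accept in a tag (e.g. '/' in feature/x) with '-'.
          def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-')

          sh """
            docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch}
            docker push ${IMAGE}:${safeBranch}
          """

          // Only push 'latest' from master
          if (branch == 'master') {
            sh """
              docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest
              docker push ${IMAGE}:latest
            """
          }
        }
      }
    }
  }

  post {
    always {
      // Single-quoted: the shell expands ${REGISTRY} / ${IMAGE} / ${IMAGE_TAG_SHA}.
      // Logout runs on every outcome so the registry token does not linger in the
      // agent's docker config after the build.
      sh 'docker logout ${REGISTRY} || true'
      // Keep agents from filling up over time. If the build stage never set
      // IMAGE_TAG_SHA the rm targets "${IMAGE}:" and fails harmlessly under `|| true`.
      sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true'
      sh 'docker image prune -f || true'
    }
  }
}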
