diff --git a/Jenkinsfile b/Jenkinsfile
index 4636e72..78522f1 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -30,6 +30,125 @@ pipeline { } stages { + + pipeline { + agent any + + options { + timestamps() + disableConcurrentBuilds() + } + + environment { + // --- Configure these for your registry --- + // For Gitea Container Registry (Packages), this is typically your Gitea host. + // Examples: + // REGISTRY = "git.brammie15.dev" (HTTPS) + // REGISTRY = "git.brammie15.dev:5050" (if your registry runs on a port) + REGISTRY = "git.brammie15.dev" + + // Image path in the registry. For Gitea/GitLab-style registries this is often: + // / (or sometimes //) + IMAGE_NAME = "brammie15/resendit" + + // Jenkins credential (Username/Password or token-as-password) that can push to the registry. + // Create it in Jenkins: Manage Jenkins -> Credentials + REGISTRY_CREDS = "registry-creds" + + IMAGE = "${REGISTRY}/${IMAGE_NAME}" + + DD_URL = "https://DD.brammie15.dev" + DD_API_KEY = credentials('dd-api-key') + NVD_API_KEY = credentials("nvd-api-key") + } + + stages { + stage('Debug') { + steps { + sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la' + } + } + + stage('Checkout') { + steps { + checkout scm + } + } + + stage('SAST - Semgrep') { + steps { + sh """ + docker run --rm -v "\$(pwd):/src" \ + returntocorp/semgrep \ + semgrep scan --config=auto /src + """ + } + } + + stage('Build image') { + steps { + script { + def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim() + env.IMAGE_TAG_SHA = shortSha + + sh """ + docker version + docker build \ + --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \ + -t ${IMAGE}:${IMAGE_TAG_SHA} . 
+ """ + } + } + } + + stage('Login to registry') { + steps { + withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) { + sh """ + echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin + """ + } + } + } + + stage('Push image') { + steps { + script { + // Always push the commit SHA tag + sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}" + + // Also push a branch tag (handy for test environments) + def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim()) + def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-') + + sh """ + docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch} + docker push ${IMAGE}:${safeBranch} + """ + + // Only push 'latest' from master + if (branch == 'master') { + sh """ + docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest + docker push ${IMAGE}:latest + """ + } + } + } + } + } + + post { + always { + sh 'docker logout ${REGISTRY} || true' + // Keep agents from filling up over time + sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true' + sh 'docker image prune -f || true' + } + } + } + + stage('Checkout') { steps { checkout scm
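Review bot: In the 'Login to registry' stage the registry password is expanded by Groovy rather than by the shell — inside the `sh """ ... """` GString, `$REG_PASS` and `$REG_USER` are Groovy interpolation, so the secret bound by `withCredentials` is spliced into the command text before it reaches `sh` (Jenkins reports this as insecure interpolation of a secret, and the Semgrep stage already escapes `\$(pwd)` to avoid exactly this). Use a single-quoted script so the shell reads the variables from its environment: `sh 'echo "$REG_PASS" | docker login "$REGISTRY" -u "$REG_USER" --password-stdin'` (`REGISTRY` is set in `environment`, so it is visible to the shell too). Separately, the added block nests a second `pipeline { agent any ... }` inside the outer pipeline's `stages {` and is followed by the pre-existing `stage('Checkout')`; Declarative Pipeline does not accept a nested `pipeline` block or duplicate stage names, so as written the file is unlikely to load — presumably the intent was to replace the old stages rather than insert a whole new pipeline. `DD_API_KEY` and `NVD_API_KEY` are also bound in the global `environment` but no visible stage uses them, which hands them to every `sh` step (including the Debug `ls -la` step); either drop them until used or bind them with `withCredentials` in the stage that needs them. Pinning `returntocorp/semgrep` to a tag or digest would additionally make the SAST stage reproducible instead of pulling whatever `latest` is on each run.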