pipeline {
  agent any

  options {
    timestamps()
    disableConcurrentBuilds()
  }

  environment {
    // --- Configure these for your registry ---
    // For Gitea Container Registry (Packages), this is typically your Gitea host.
    // Examples:
    //   REGISTRY = "git.brammie15.dev"           (HTTPS)
    //   REGISTRY = "git.brammie15.dev:5050"     (if your registry runs on a port)
    REGISTRY   = "git.brammie15.dev"

    // Image path in the registry. For Gitea/GitLab-style registries this is often:
    //   <owner>/<repo>  (or sometimes <owner>/<repo>/<image>)
    IMAGE_NAME = "brammie15/resendit"

    // Jenkins credential (Username/Password or token-as-password) that can push to the registry.
    // Create it in Jenkins: Manage Jenkins -> Credentials
    REGISTRY_CREDS = "registry-creds"

    IMAGE = "${REGISTRY}/${IMAGE_NAME}"

    DD_URL = "https://DD.brammie15.dev"
    DD_API_KEY = credentials('dd-api-key')
    NVD_API_KEY = credentials("nvd-api-key")
  }

  stages {

  pipeline {
    agent any

    options {
      timestamps()
      disableConcurrentBuilds()
    }

    environment {
      // --- Configure these for your registry ---
      // For Gitea Container Registry (Packages), this is typically your Gitea host.
      // Examples:
      //   REGISTRY = "git.brammie15.dev"           (HTTPS)
      //   REGISTRY = "git.brammie15.dev:5050"     (if your registry runs on a port)
      REGISTRY   = "git.brammie15.dev"

      // Image path in the registry. For Gitea/GitLab-style registries this is often:
      //   <owner>/<repo>  (or sometimes <owner>/<repo>/<image>)
      IMAGE_NAME = "brammie15/resendit"

      // Jenkins credential (Username/Password or token-as-password) that can push to the registry.
      // Create it in Jenkins: Manage Jenkins -> Credentials
      REGISTRY_CREDS = "registry-creds"

      IMAGE = "${REGISTRY}/${IMAGE_NAME}"

      DD_URL = "https://DD.brammie15.dev"
      DD_API_KEY = credentials('dd-api-key')
      NVD_API_KEY = credentials("nvd-api-key")
    }

    stages {
        stage('Debug') {
          steps {
            sh 'echo "WORKSPACE: $WORKSPACE" && echo "PWD: $(pwd)" && ls -la'
          }
        }

      stage('Checkout') {
        steps {
          checkout scm
        }
      }

      stage('SAST - Semgrep') {
        steps {
          sh """
            docker run --rm -v "\$(pwd):/src" \
              returntocorp/semgrep \
              semgrep scan --config=auto /src
          """
        }
      }

      stage('Build image') {
        steps {
          script {
            def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim()
            env.IMAGE_TAG_SHA = shortSha

            sh """
              docker version
              docker build \
                --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \
                -t ${IMAGE}:${IMAGE_TAG_SHA} .
            """
          }
        }
      }

      stage('Login to registry') {
        steps {
          withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) {
            sh """
              echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin
            """
          }
        }
      }

      stage('Push image') {
        steps {
          script {
            // Always push the commit SHA tag
            sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}"

            // Also push a branch tag (handy for test environments)
            def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim())
            def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-')

            sh """
              docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch}
              docker push ${IMAGE}:${safeBranch}
            """

            // Only push 'latest' from master
            if (branch == 'master') {
              sh """
                docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest
                docker push ${IMAGE}:latest
              """
            }
          }
        }
      }
    }

    post {
      always {
        sh 'docker logout ${REGISTRY} || true'
        // Keep agents from filling up over time
        sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true'
        sh 'docker image prune -f || true'
      }
    }
  }


    stage('Checkout') {
      steps {
        checkout scm
      }
    }

    stage('SAST - Semgrep') {
      steps {
        sh """
          docker run --rm -v "\$(pwd):/src" \
            returntocorp/semgrep \
            semgrep scan --config=auto /src
        """
      }
    }

    stage('Build image') {
      steps {
        script {
          def shortSha = sh(script: 'git rev-parse --short=12 HEAD', returnStdout: true).trim()
          env.IMAGE_TAG_SHA = shortSha

          sh """
            docker version
            docker build \
              --build-arg GIT_COMMIT=${IMAGE_TAG_SHA} \
              -t ${IMAGE}:${IMAGE_TAG_SHA} .
          """
        }
      }
    }

    stage('Login to registry') {
      steps {
        withCredentials([usernamePassword(credentialsId: "${REGISTRY_CREDS}", usernameVariable: 'REG_USER', passwordVariable: 'REG_PASS')]) {
          sh """
            echo "$REG_PASS" | docker login ${REGISTRY} -u "$REG_USER" --password-stdin
          """
        }
      }
    }

    stage('Push image') {
      steps {
        script {
          // Always push the commit SHA tag
          sh "docker push ${IMAGE}:${IMAGE_TAG_SHA}"

          // Also push a branch tag (handy for test environments)
          def branch = (env.BRANCH_NAME ?: sh(script: 'git rev-parse --abbrev-ref HEAD', returnStdout: true).trim())
          def safeBranch = branch.replaceAll('[^a-zA-Z0-9_.-]', '-')

          sh """
            docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:${safeBranch}
            docker push ${IMAGE}:${safeBranch}
          """

          // Only push 'latest' from master
          if (branch == 'master') {
            sh """
              docker tag ${IMAGE}:${IMAGE_TAG_SHA} ${IMAGE}:latest
              docker push ${IMAGE}:latest
            """
          }
        }
      }
    }
  }

  post {
    always {
      sh 'docker logout ${REGISTRY} || true'
      // Keep agents from filling up over time
      sh 'docker image rm -f ${IMAGE}:${IMAGE_TAG_SHA} || true'
      sh 'docker image prune -f || true'
    }
  }
}