Skip to content

Commit

Permalink
SCANDOCKER-7 Stage the image to repox instead of Docker Hub
Browse files Browse the repository at this point in the history
  • Loading branch information
henryju committed May 29, 2024
1 parent 7b16036 commit 7a16088
Show file tree
Hide file tree
Showing 3 changed files with 53 additions and 37 deletions.
42 changes: 23 additions & 19 deletions .cirrus.yml
Original file line number Diff line number Diff line change
Expand Up @@ -4,14 +4,16 @@ env:
CIRRUS_VAULT_AUTH_PATH: jwt-cirrusci
CIRRUS_VAULT_ROLE: cirrusci-${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}

DOCKER_USERNAME: VAULT[development/kv/data/docker/sonardockerrw data.username]
DOCKER_PASSWORD: VAULT[development/kv/data/docker/sonardockerrw data.access_token_rwd]
ARTIFACTORY_DEPLOY_USERNAME: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release username]
ARTIFACTORY_DEPLOY_PASSWORD: VAULT[development/artifactory/token/${CIRRUS_REPO_OWNER}-${CIRRUS_REPO_NAME}-docker-release access_token]

# Mend scan global configuration
# Mend scan global configuration
MEND_API_KEY: VAULT[development/kv/data/mend data.apikey]

# Staging image configuration
STAGING_IMAGE_NAME: sonarsource/sonarqube
DOCKER_REPOX_BUILDS_REGISTRY: repox-sonarsource-docker-builds.jfrog.io
DOCKER_IMAGE: "sonarsource/sonar-scanner-cli"
STAGING_IMAGE_TAG: "${DOCKER_REPOX_BUILDS_REGISTRY}/${DOCKER_IMAGE}:${CI_BUILD_NUMBER}"

vm_instance_template: &VM_TEMPLATE
experimental: true # see https://github.com/cirruslabs/cirrus-ci-docs/issues/1051
Expand All @@ -31,30 +33,32 @@ build_task:
ec2_instance:
<<: *VM_TEMPLATE
login_script:
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
build_script:
- echo "Build and push the ${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER} image"
- docker build --tag "${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER}" --push .
- echo "Build and push the ${STAGING_IMAGE_TAG} image"
- docker build --tag "${STAGING_IMAGE_TAG}" --push .

private_scan_task:
# Scan the current image built and pushed to Artifactory
mend_task:

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different

Check warning on line 42 in .cirrus.yml

View check run for this annotation

Cirrus CI / Build Parsing Results

.cirrus.yml#L42

task "mend" depends on task "build", but their only_if conditions are different
# run only on default and long-term branches
only_if: $CIRRUS_USER_COLLABORATOR == 'true' && $CIRRUS_TAG == "" && ($CIRRUS_BRANCH == $CIRRUS_DEFAULT_BRANCH || $CIRRUS_BRANCH =~ "branch-.*")
ec2_instance:
<<: *VM_TEMPLATE
login_script:
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
setup_script:
- apt-get remove -y unattended-upgrades
- apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
- curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
- echo "docker.includes=.*${STAGING_IMAGE_NAME}.*" >> .cirrus/wss-unified-agent.config
- echo "docker.includes=.*${DOCKER_IMAGE}.*" >> .cirrus/wss-unified-agent.config
scan_script:
- echo "Scan the ${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER} image"
- docker pull "${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER}"
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
- echo "Scan the ${STAGING_IMAGE_TAG} image"
- docker pull "${STAGING_IMAGE_TAG}"
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY -project ${DOCKER_IMAGE}:${CIRRUS_BRANCH}
depends_on: build

public_scan_task:
# Scan the latest image published on Docker Hub
latest_mend_task:
only_if: $CIRRUS_CRON == 'nightly-mend-scan'
env:
PUBLIC_IMAGE_NAME: sonarsource/sonar-scanner-cli
Expand All @@ -65,25 +69,25 @@ public_scan_task:
- apt-get remove -y unattended-upgrades
- apt-get update && apt-get install -y --no-install-recommends openjdk-17-jre
- curl -sSL https://unified-agent.s3.amazonaws.com/wss-unified-agent.jar -o wss-unified-agent.jar
- echo "docker.includes=.*${TAG}.*" >> .cirrus/wss-unified-agent.config
- echo "docker.includes=.*${PUBLIC_IMAGE_NAME}.*" >> .cirrus/wss-unified-agent.config
scan_script:
- echo "Scan the ${PUBLIC_IMAGE_NAME}:${TAG} image"
- docker pull "${PUBLIC_IMAGE_NAME}:${TAG}"
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY
- java -jar wss-unified-agent.jar -c .cirrus/wss-unified-agent.config -apiKey $MEND_API_KEY -project ${PUBLIC_IMAGE_NAME}:${TAG}

test_docker_builder:
<<: *ONLY_SONARSOURCE_QA
submodules_script:
- git submodule init
- git submodule update
login_script:
- docker login --username $DOCKER_USERNAME --password $DOCKER_PASSWORD
- docker login "${DOCKER_REPOX_BUILDS_REGISTRY}" -u "${ARTIFACTORY_DEPLOY_USERNAME}" --password-stdin <<<"${ARTIFACTORY_DEPLOY_PASSWORD}"
test_script:
- apt-get update && apt-get install -qy bats
- echo "Checking out the sonar-scanning-examples repository"
- git clone https://github.com/SonarSource/sonar-scanning-examples.git target_repository
- echo "Test the ${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER} image"
- TEST_IMAGE="${STAGING_IMAGE_NAME}:scanner-${CI_BUILD_NUMBER}" bats --tap test
- echo "Test the ${STAGING_IMAGE_TAG} image"
- TEST_IMAGE="${STAGING_IMAGE_TAG}" bats --tap test
depends_on: build

sonar_scan_task:
Expand Down
1 change: 0 additions & 1 deletion .cirrus/wss-unified-agent.config
Original file line number Diff line number Diff line change
@@ -1,5 +1,4 @@
excludes=**/opt/sonar-scanner/**/*
docker.projectNameFormat=repositoryNameAndTag
docker.scanImages=true
wss.url=https://saas-eu.whitesourcesoftware.com/agent
productName=Scanner/CliDocker
47 changes: 30 additions & 17 deletions .github/workflows/release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,7 @@ jobs:
development/kv/data/sign passphrase | gpg_passphrase;
development/kv/data/docker/sonardockerrw access_token_rwd | docker_access_token;
development/kv/data/docker/sonardockerrw username | docker_username;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release username | repox_username;
development/artifactory/token/{REPO_OWNER_NAME_DASH}-docker-release access_token | repox_access_token;
development/kv/data/slack webhook | slack_webhook;
- name: Get the version
Expand Down Expand Up @@ -48,38 +49,50 @@ jobs:
path: target_repository
- name: Pull staged image
run: |
docker login --username ${{ fromJSON(steps.secrets.outputs.vault).docker_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).docker_access_token }}"
docker pull "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "sonarsource/sonar-scanner-cli:latest"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:latest"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
docker tag "sonarsource/sonarqube:scanner-${{ steps.get_version.outputs.buildnumber }}" "repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
docker login repox-sonarsource-docker-builds.jfrog.io --username ${{ fromJSON(steps.secrets.outputs.vault).repox_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}"
docker pull "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.buildnumber }}"
- name: Generate CycloneDX SBOM
uses: SonarSource/gh-action_sbom@v1
with:
image: "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
image: "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.buildnumber }}"
filename: "sonar-scanner-cli-docker-${{ steps.get_version.outputs.full_image_tag }}-bom.json"
upload-artifact: true
upload-release-assets: true
env:
GPG_PRIVATE_KEY_PASSPHRASE: ${{ fromJSON(steps.secrets.outputs.vault).gpg_passphrase }}
GPG_PRIVATE_KEY_BASE64: ${{ fromJSON(steps.secrets.outputs.vault).gpg_key }}
- name: Push image to Docker Hub and Repox releases
- name: Promote the staged build
env:
ARTIFACTORY_URL: https://repox.jfrog.io/repox
run: |
source_repo_key=sonarsource-docker-builds
target_repo_key=sonarsource-docker-releases
docker_image=sonarsource/sonar-scanner-cli
buildnumber=${{ steps.get_version.outputs.buildnumber }}
full_image_tag=${{ github.event.release.tag_name }}
DATA_JSON="{ \"targetRepo\": \"${target_repo_key}\", \"dockerRepository\": \"${docker_image}\", \"tag\": \"${buildnumber}\", \"targetTag\": \"${full_image_tag}\", \"copy\": true }"
HTTP_CODE=$(curl -s -o /dev/null -w %{http_code} -H "Content-Type: application/json" -H "Authorization: Bearer ${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}" -X POST "$ARTIFACTORY_URL/api/docker/$source_repo_key/v2/promote" --data "$DATA_JSON")
if [ "$HTTP_CODE" != "200" ]; then
echo "Cannot promote ${docker_image}#${full_image_tag}: ($HTTP_CODE)"
exit 1
else
echo "${docker_image}#${full_image_tag} promoted to ${target_repo_key}"
fi
- name: Push image to Docker Hub
run: |
buildnumber=${{ steps.get_version.outputs.buildnumber }}
docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:latest"
docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}"
docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}"
docker tag "repox-sonarsource-docker-builds.jfrog.io/sonarsource/sonar-scanner-cli:${buildnumber}" "sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}"
docker login --username ${{ fromJSON(steps.secrets.outputs.vault).docker_username }} --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).docker_access_token }}"
docker push sonarsource/sonar-scanner-cli:latest
docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}
docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}
docker push sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}
docker login repox-sonarsource-docker-releases.jfrog.io --username vault-SonarSource-sonar-scanner-cli-docker-docker-release --password-stdin <<< "${{ fromJSON(steps.secrets.outputs.vault).repox_access_token }}"
docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:latest
docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_version }}
docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.major_minor }}
docker push repox-sonarsource-docker-releases.jfrog.io/sonarsource/sonar-scanner-cli:${{ steps.get_version.outputs.full_image_tag }}
- name: Notify success on Slack
uses: Ilshidur/action-slack@2.1.0
env:
Expand Down

0 comments on commit 7a16088

Please sign in to comment.