X-Git-Url: https://gerrit.linuxfoundation.org/infra/gitweb?a=blobdiff_plain;f=jjb%2Flf-docker-jobs.yaml;h=fa19f96e30bd35c773ce3d6c263a2f4c410e7701;hb=d1e8579fac0f3a0aeba74f70b27a06ab3fdad54f;hp=6fbf09bf210d914332854b78710227f053fc0689;hpb=f88c7c24b2b1a6f04f85afa8c0a91d8321aef8ea;p=releng%2Fglobal-jjb.git diff --git a/jjb/lf-docker-jobs.yaml b/jjb/lf-docker-jobs.yaml index 6fbf09bf..fa19f96e 100644 --- a/jjb/lf-docker-jobs.yaml +++ b/jjb/lf-docker-jobs.yaml @@ -13,11 +13,10 @@ CONTAINER_TAG_METHOD={container-tag-method} CONTAINER_TAG_YAML_DIR={container-tag-yaml-dir} DOCKER_ROOT={docker-root} - - shell: !include-raw-escape: - - ../shell/docker-get-container-tag.sh + - shell: !include-raw-escape: "{docker-get-container-tag-script}" - inject: # Import the container tag set by this build step - properties-file: 'env_docker_inject.txt' + properties-file: "env_docker_inject.txt" - builder: name: lf-docker-build @@ -37,7 +36,7 @@ builders: - inject: properties-content: | - CONTAINER_PUSH_REGISTRY={container-push-registry} + CONTAINER_PUSH_REGISTRY={container-push-registry} - shell: !include-raw-escape: - ../shell/docker-push.sh @@ -45,11 +44,11 @@ # COMMON FUNCTIONS # #################### -- lf_docker_common: &lf_docker_common +- _lf_docker_common: &lf_docker_common name: lf-docker-common project-type: freestyle - node: '{build-node}' + node: "{build-node}" ###################### # Default parameters # 
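Review bot: The new `{docker-get-container-tag-script}` argument of the `lf-docker-get-container-tag` macro is undocumented, although it decides which script file is included and run on the build node. I would add a comment above the `- shell:` line, e.g. `# docker-get-container-tag-script: script expected to write env_docker_inject.txt (default ../shell/docker-get-container-tag.sh)`. Callers of the macro outside this file that do not pass the argument will presumably fail to expand, so the change deserves a release note. In the templates later in this diff the macro runs after `lf-infra-docker-login`, so an override of this parameter in a downstream job definition should be reviewed like a code change. The macro definition starts above the hunk.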
@@ -61,55 +60,56 @@ submodule-disable: false submodule-recursive: true submodule-timeout: 10 - pre_docker_build_script: '# pre docker build script goes here' - post_docker_build_script: '# post docker build script goes here' - disable-job: 'false' - docker-root: '$WORKSPACE' - docker-build-args: '' - git-url: '$GIT_URL/$PROJECT' - container-tag-method: 'latest' + pre_docker_build_script: "# pre docker build script goes here" + post_docker_build_script: "# post docker build script goes here" + disable-job: "false" + docker-get-container-tag-script: "../shell/docker-get-container-tag.sh" + docker-root: "$WORKSPACE" + docker-build-args: "" + git-url: "$GIT_URL/$PROJECT" + container-tag-method: "latest" # TODO: how to interpolate value of {docker-root} parameter? - container-tag-yaml-dir: '' + container-tag-yaml-dir: "" ##################### # Job Configuration # ##################### - disabled: '{disable-job}' + disabled: "{disable-job}" properties: - lf-infra-properties: - build-days-to-keep: '{build-days-to-keep}' + build-days-to-keep: "{build-days-to-keep}" parameters: - lf-infra-parameters: - branch: '{branch}' - project: '{project}' - refspec: 'refs/heads/{branch}' - stream: '{stream}' + branch: "{branch}" + project: "{project}" + refspec: "refs/heads/{branch}" + stream: "{stream}" wrappers: - lf-infra-wrappers: - build-timeout: '{build-timeout}' - jenkins-ssh-credential: '{jenkins-ssh-credential}' + build-timeout: "{build-timeout}" + jenkins-ssh-credential: "{jenkins-ssh-credential}" publishers: - lf-infra-publish -- docker_verify_common: &docker_verify_common +- _docker_verify_common: &docker_verify_common name: docker-verify-common concurrent: true scm: - lf-infra-gerrit-scm: - jenkins-ssh-credential: '{jenkins-ssh-credential}' - git-url: '{git-url}' - refspec: '$GERRIT_REFSPEC' - branch: '$GERRIT_BRANCH' - submodule-disable: '{submodule-disable}' - submodule-recursive: '{submodule-recursive}' - submodule-timeout: '{submodule-timeout}' + 
jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: "$GERRIT_REFSPEC" + branch: "$GERRIT_BRANCH" + submodule-disable: "{submodule-disable}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" choosing-strategy: gerrit gerrit_verify_triggers: 
@@ -119,83 +119,85 @@ exclude-no-code-change: false - draft-published-event - comment-added-contains-event: - comment-contains-value: '^Patch Set[ ]+[0-9]+:([ ]+|[\n]+)(recheck|reverify)$' + comment-contains-value: '^Patch Set\s+\d+:\s+(recheck|reverify)\s*$' gerrit_trigger_file_paths: - compare-type: REG_EXP - pattern: '.*' + pattern: ".*" # github_included_regions MUST match gerrit_trigger_file_paths github_included_regions: - - '.*' + - ".*" builders: - lf-infra-pre-build - lf-infra-docker-login: - global-settings-file: 'global-settings' - settings-file: '{mvn-settings}' - - shell: '{pre_docker_build_script}' + global-settings-file: "global-settings" + settings-file: "{mvn-settings}" + - shell: "{pre_docker_build_script}" - lf-docker-get-container-tag: - container-tag-method: '{container-tag-method}' - container-tag-yaml-dir: '{container-tag-yaml-dir}' - docker-root: '{docker-root}' + container-tag-method: "{container-tag-method}" + container-tag-yaml-dir: "{container-tag-yaml-dir}" + docker-root: "{docker-root}" + docker-get-container-tag-script: "{docker-get-container-tag-script}" - lf-docker-build: - docker-build-args: '{docker-build-args}' - docker-name: '{docker-name}' - docker-root: '{docker-root}' - container-public-registry: '{container-public-registry}' - container-push-registry: '{container-push-registry}' - - shell: '{post_docker_build_script}' + docker-build-args: "{docker-build-args}" + docker-name: "{docker-name}" + docker-root: "{docker-root}" + container-public-registry: "{container-public-registry}" + container-push-registry: "{container-push-registry}" + - shell: "{post_docker_build_script}" - lf-provide-maven-settings-cleanup -- docker_merge_common: &docker_merge_common +- _docker_merge_common: &docker_merge_common name: docker-merge-common - cron: '' + cron: "@weekly" # check dependencies regularly scm: - lf-infra-gerrit-scm: - jenkins-ssh-credential: '{jenkins-ssh-credential}' - git-url: '{git-url}' - refspec: '$GERRIT_REFSPEC' - branch: 
'$GERRIT_BRANCH' - submodule-disable: '{submodule-disable}' - submodule-recursive: '{submodule-recursive}' - submodule-timeout: '{submodule-timeout}' - choosing-strategy: gerrit + jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: "$GERRIT_REFSPEC" + branch: "$GERRIT_BRANCH" + submodule-disable: "{submodule-disable}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + choosing-strategy: default gerrit_merge_triggers: - change-merged-event - comment-added-contains-event: - comment-contains-value: remerge$ + comment-contains-value: '^Patch Set\s+\d+:\s+remerge\s*$' gerrit_trigger_file_paths: - compare-type: REG_EXP - pattern: '.*' + pattern: ".*" # github_included_regions MUST match gerrit_trigger_file_paths github_included_regions: - - '.*' + - ".*" builders: - lf-infra-pre-build - lf-infra-docker-login: - global-settings-file: 'global-settings' - settings-file: '{mvn-settings}' - - shell: '{pre_docker_build_script}' + global-settings-file: "global-settings" + settings-file: "{mvn-settings}" + - shell: "{pre_docker_build_script}" - lf-docker-get-container-tag: - container-tag-method: '{container-tag-method}' - container-tag-yaml-dir: '{container-tag-yaml-dir}' - docker-root: '{docker-root}' + container-tag-method: "{container-tag-method}" + container-tag-yaml-dir: "{container-tag-yaml-dir}" + docker-root: "{docker-root}" + docker-get-container-tag-script: "{docker-get-container-tag-script}" - lf-docker-build: - docker-build-args: '{docker-build-args}' - docker-name: '{docker-name}' - docker-root: '{docker-root}' - container-public-registry: '{container-public-registry}' - container-push-registry: '{container-push-registry}' - - shell: '{post_docker_build_script}' + docker-build-args: "{docker-build-args}" + docker-name: "{docker-name}" + docker-root: "{docker-root}" + container-public-registry: "{container-public-registry}" + container-push-registry: "{container-push-registry}" + - shell: 
"{post_docker_build_script}" # Provided all steps have already passed, push the docker image - lf-docker-push: - container-push-registry: '{container-push-registry}' + container-push-registry: "{container-push-registry}" - lf-provide-maven-settings-cleanup ################# @@ -203,7 +205,7 @@ ################# - job-template: - name: '{project-name}-docker-verify-{stream}' + name: "{project-name}-docker-verify-{stream}" id: gerrit-docker-verify # Job template for Docker verify jobs # @@ -216,18 +218,18 @@ triggers: - gerrit: - server-name: '{gerrit-server-name}' - trigger-on: '{obj:gerrit_verify_triggers}' + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_verify_triggers}" projects: - project-compare-type: ANT - project-pattern: '{project}' + project-pattern: "{project}" branches: - branch-compare-type: ANT - branch-pattern: '**/{branch}' - file-paths: '{obj:gerrit_trigger_file_paths}' + branch-pattern: "**/{branch}" + file-paths: "{obj:gerrit_trigger_file_paths}" - job-template: - name: '{project-name}-docker-verify-{stream}' + name: "{project-name}-docker-verify-{stream}" id: github-docker-verify # Job template for Docker verify jobs # 
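Review bot: The default `cron: "@weekly"` in `_docker_merge_common` puts every merge job built from this anchor on a timer, and the builder list of the same anchor ends with `lf-docker-push`, so a scheduled run publishes to `{container-push-registry}` with no merged change behind it. The inline comment `# check dependencies regularly` does not mention the push; I would either keep the default empty and let projects opt in, or reword it, e.g. `# weekly rebuild, also pushes the image; set cron: "" to opt out`. A timed run has no Gerrit event, so `refspec: "$GERRIT_REFSPEC"` and `branch: "$GERRIT_BRANCH"` presumably fall back to the `lf-infra-parameters` defaults. That is worth confirming together with the switch to `choosing-strategy: default`.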
@@ -240,38 +242,38 @@ properties: - lf-infra-properties: - build-days-to-keep: '{build-days-to-keep}' + build-days-to-keep: "{build-days-to-keep}" - github: - url: '{github-url}/{github-org}/{project}' + url: "{github-url}/{github-org}/{project}" scm: - lf-infra-github-scm: - url: '{git-clone-url}{github-org}/{project}' - refspec: '+refs/pull/*:refs/remotes/origin/pr/*' - branch: '$sha1' - submodule-recursive: '{submodule-recursive}' - submodule-timeout: '{submodule-timeout}' - submodule-disable: '{submodule-disable}' + url: "{git-clone-url}{github-org}/{project}" + refspec: "+refs/pull/*:refs/remotes/origin/pr/*" + branch: "$sha1" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" choosing-strategy: default - jenkins-ssh-credential: '{jenkins-ssh-credential}' + jenkins-ssh-credential: "{jenkins-ssh-credential}" triggers: - github-pull-request: - trigger-phrase: '^(recheck|reverify)$' + trigger-phrase: "^(recheck|reverify)$" only-trigger-phrase: false - status-context: 'Docker Verify' + status-context: "Docker Verify" permit-all: true github-hooks: true white-list-target-branches: - - '{branch}' - included-regions: '{obj:github_included_regions}' + - "{branch}" + included-regions: "{obj:github_included_regions}" ################ # Docker Merge # ################ - job-template: - name: '{project-name}-docker-merge-{stream}' + name: "{project-name}-docker-merge-{stream}" id: gerrit-docker-merge # Job template for Docker merge jobs # 
@@ -283,20 +285,20 @@ <<: *docker_merge_common triggers: - - timed: '{obj:cron}' + - timed: "{obj:cron}" - gerrit: - server-name: '{gerrit-server-name}' - trigger-on: '{obj:gerrit_merge_triggers}' + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_merge_triggers}" projects: - project-compare-type: ANT - project-pattern: '{project}' + project-pattern: "{project}" branches: - branch-compare-type: ANT - branch-pattern: '**/{branch}' - file-paths: '{obj:gerrit_trigger_file_paths}' + branch-pattern: "**/{branch}" + file-paths: "{obj:gerrit_trigger_file_paths}" - job-template: - name: '{project-name}-docker-merge-{stream}' + name: "{project-name}-docker-merge-{stream}" id: github-docker-merge # Job template for Docker merge jobs # 
@@ -309,36 +311,195 @@ properties: - lf-infra-properties: - build-days-to-keep: '{build-days-to-keep}' + build-days-to-keep: "{build-days-to-keep}" - github: - url: '{github-url}/{github-org}/{project}' + url: "{github-url}/{github-org}/{project}" scm: - lf-infra-github-scm: - url: '{git-clone-url}{github-org}/{project}' - refspec: '' - branch: 'refs/heads/{branch}' - submodule-recursive: '{submodule-recursive}' - submodule-timeout: '{submodule-timeout}' - submodule-disable: '{submodule-disable}' + url: "{git-clone-url}{github-org}/{project}" + refspec: "" + branch: "refs/heads/{branch}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" choosing-strategy: default - jenkins-ssh-credential: '{jenkins-ssh-credential}' + jenkins-ssh-credential: "{jenkins-ssh-credential}" triggers: - - timed: '{obj:cron}' + - timed: "{obj:cron}" - github - pollscm: - cron: '' + cron: "" + - github-pull-request: + trigger-phrase: "^remerge$" + only-trigger-phrase: true + status-context: "Docker Merge" + permit-all: true + github-hooks: true + org-list: + - "{github-org}" + white-list: "{obj:github_pr_allowlist}" + admin-list: "{obj:github_pr_admin_list}" + white-list-target-branches: + - "{branch}" + included-regions: "{obj:github_included_regions}" + +################## +# Docker Snyk CLI # +################## + +- _lf_docker_snyk_cli: &lf_docker_snyk_cli + name: lf-docker-snyk_cli + + ###################### + # Default parameters # + ###################### + + branch: master + build-days-to-keep: 30 # 30 days for troubleshooting purposes + build-timeout: 60 + container-tag-method: "latest" + container-tag-yaml-dir: "" + disable-job: false + docker-get-container-tag-script: "../shell/docker-get-container-tag.sh" + docker-root: "$WORKSPACE" + docker-build-args: "" + git-url: "$GIT_URL/$PROJECT" + github-url: "https://github.com" + pre_docker_build_script: "# pre docker build script goes here" + 
post_docker_build_script: "# post docker build script goes here" + snyk-cli-options: "" + snyk-token-credential-id: snyk-token + snyk-org-credential-id: snyk-org + stream: master + submodule-recursive: true + submodule-timeout: 10 + submodule-disable: false + + gerrit_snyk_triggers: + - comment-added-contains-event: + comment-contains-value: '^Patch Set\s+\d+:\s+run-snyk\s*$' + + parameters: + - lf-infra-parameters: + project: "{project}" + branch: "{branch}" + stream: "{stream}" + - string: + name: SNYK_CLI_OPTIONS + default: "{snyk-cli-options}" + description: Additional Snyk CLI commands and options + + wrappers: + - credentials-binding: + - text: + credential-id: "{snyk-token-credential-id}" + variable: SNYK_TOKEN + - text: + credential-id: "{snyk-org-credential-id}" + variable: SNYK_ORG + + ##################### + # Job Configuration # + ##################### + + disabled: "{disable-job}" + + builders: + - lf-infra-pre-build + - lf-infra-docker-login: + global-settings-file: "global-settings" + settings-file: "{mvn-settings}" + - shell: "{pre_docker_build_script}" + - lf-docker-get-container-tag: + container-tag-method: "{container-tag-method}" + container-tag-yaml-dir: "{container-tag-yaml-dir}" + docker-root: "{docker-root}" + docker-get-container-tag-script: "{docker-get-container-tag-script}" + - lf-docker-build: + docker-build-args: "{docker-build-args}" + docker-name: "{docker-name}" + docker-root: "{docker-root}" + container-public-registry: "{container-public-registry}" + container-push-registry: "{container-push-registry}" + - shell: "{post_docker_build_script}" + - lf-infra-snyk-cli-scanner + - lf-provide-maven-settings-cleanup + - shell: 'find . 
-regex ".*karaf/target" | xargs rm -rf' + +- job-template: + name: "{project-name}-docker-snyk-cli-{stream}" + id: gerrit-docker-snyk-cli + <<: *lf_docker_common + # yamllint disable-line rule:key-duplicates + <<: *lf_docker_snyk_cli + + scm: + - lf-infra-gerrit-scm: + jenkins-ssh-credential: "{jenkins-ssh-credential}" + git-url: "{git-url}" + refspec: "$GERRIT_REFSPEC" + branch: "$GERRIT_BRANCH" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" + - gerrit: + server-name: "{gerrit-server-name}" + trigger-on: "{obj:gerrit_snyk_triggers}" + projects: + - project-compare-type: ANT + project-pattern: "{project}" + branches: + - branch-compare-type: ANT + branch-pattern: "**/{branch}" + skip-vote: + successful: true + failed: true + unstable: true + notbuilt: true + +- job-template: + name: "{project-name}-docker-snyk-cli-{stream}" + id: github-docker-snyk-cli + <<: *lf_docker_common + # yamllint disable-line rule:key-duplicates + <<: *lf_docker_snyk_cli + + properties: + - lf-infra-properties: + build-days-to-keep: "{build-days-to-keep}" + - github: + url: "{github-url}/{github-org}/{project}" + + scm: + - lf-infra-github-scm: + url: "{git-clone-url}{github-org}/{project}" + refspec: "" + branch: "refs/heads/{branch}" + submodule-recursive: "{submodule-recursive}" + submodule-timeout: "{submodule-timeout}" + submodule-disable: "{submodule-disable}" + choosing-strategy: default + jenkins-ssh-credential: "{jenkins-ssh-credential}" + + triggers: + # Build weekly on Saturdays + - timed: "H H * * 6" - github-pull-request: - trigger-phrase: '^remerge$' + trigger-phrase: "^run-snyk$" only-trigger-phrase: true - status-context: 'Docker Merge' + status-context: "SNYK scan" permit-all: true github-hooks: true org-list: - - '{github-org}' - white-list: '{obj:github_pr_whitelist}' - admin-list: 
'{obj:github_pr_admin_list}' + - "{github-org}" + white-list: "{obj:github_pr_allowlist}" + admin-list: "{obj:github_pr_admin_list}" white-list-target-branches: - - '{branch}' - included-regions: '{obj:github_included_regions}' + - "{branch}"
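Review bot: `permit-all: true` on the `github-pull-request` trigger that closes the new `github-docker-snyk-cli` template lets any commenter start the job with `run-snyk`. As far as I know it also makes the `org-list`, `white-list` and `admin-list` entries beside it ineffective. The job binds `SNYK_TOKEN` and `SNYK_ORG` and runs after `lf-infra-docker-login`, so `permit-all: false` is the safer default. The checkout is `refs/heads/{branch}` rather than the pull-request ref, which limits what an outside trigger can build, but the run still consumes scanner and build capacity. Separately, the cleanup step `find . -regex ".*karaf/target" | xargs rm -rf` splits paths on whitespace; `find . -regex ".*karaf/target" -prune -exec rm -rf {} +` avoids that.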