# =====================================================================================================================
# === JIB template variant
# =====================================================================================================================
# Default values for the Jib variant. The jobs that consume the SBOM, Trivy and
# Skopeo settings are not part of this excerpt.
variables:
  # SBOM generator image (syft).
  # NOTE(review): `debug` is a mutable tag; consider pinning a released version
  # or an image digest so the tool that runs in the pipeline cannot change silently.
  MAVEN_SBOM_IMAGE: "registry.hub.docker.com/anchore/syft:debug"
  # Restricts syft to OS package catalogers (rpm, alpm, apk, dpkg, portage).
  MAVEN_SBOM_OPTS: "--catalogers rpm-db-cataloger,alpmdb-cataloger,apkdb-cataloger,dpkgdb-cataloger,portage-cataloger"
  # All severities are listed; presumably passed to Trivy as the severity filter - confirm in the scan job.
  MAVEN_TRIVY_SECURITY_LEVEL_THRESHOLD: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL"
  # NOTE(review): `latest` is a mutable tag; same pinning advice as for the SBOM image.
  MAVEN_TRIVY_IMAGE: "registry.hub.docker.com/aquasec/trivy:latest"
  # With these defaults Trivy reports only OS-package vulnerabilities that have a
  # fix available; application (library) dependencies in the image are not covered.
  MAVEN_TRIVY_ARGS: "--ignore-unfixed --vuln-type os"
  # Snapshot images are tagged with the ref slug under the project's own registry path.
  MAVEN_JIB_SNAPSHOT_IMAGE: "$CI_REGISTRY_IMAGE/snapshot:$CI_COMMIT_REF_SLUG"
  # Release images are tagged with the raw ref name.
  # NOTE(review): a ref name containing `/` is not a valid image tag - presumably
  # releases are only built from Git tags; confirm in the publish job.
  MAVEN_JIB_RELEASE_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_NAME"
  # Extra Maven arguments for the Jib build; by default the target is the snapshot image.
  MAVEN_JIB_BUILD_ARGS: "-Djib.to.image=$MAVEN_JIB_SNAPSHOT_IMAGE"
  # Presumably makes the production publish job a manual action - confirm in that job's rules.
  MAVEN_JIB_PROD_PUBLISH_STRATEGY: "manual"
  # NOTE(review): `latest` is a mutable tag; same pinning advice as for the SBOM image.
  MAVEN_SKOPEO_IMAGE: "quay.io/skopeo/stable:latest"
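# Shell snippet, pulled into jobs with `!reference`, that writes Docker-style
# registry auth files for the snapshot and release registries.
.mvn-jib-scripts: &mvn-jib-scripts |
  # BEGSCRIPT
  set -e

  # Writes two auth files under $BUILDTOOL_HOME/.docker (BUILDTOOL_HOME defaults to $HOME):
  #   config.json          credentials for the snapshot registry
  #   release-config.json  credentials for the release registry
  # Credentials fall back from the snapshot/release-specific variables to
  # MAVEN_JIB_REGISTRY_USER/PASSWORD and finally to CI_REGISTRY_USER/PASSWORD.
  # Only the snapshot registry host is logged; credentials are never printed.
  function configure_registries_auth() {
    # printf '%s' is used instead of `echo -n` so that a user name or password
    # containing backslashes or starting with '-' is encoded unchanged in every shell
    maven_jib_snapshot_authn_token=$(printf '%s' "${MAVEN_JIB_REGISTRY_SNAPSHOT_USER:-${MAVEN_JIB_REGISTRY_USER:-$CI_REGISTRY_USER}}:${MAVEN_JIB_REGISTRY_SNAPSHOT_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
    # the registry host is everything before the first '/' of the image reference
    maven_jib_snapshot_registry_host=$(printf '%s\n' "$MAVEN_JIB_SNAPSHOT_IMAGE" | cut -d/ -f1)
    maven_jib_release_authn_token=$(printf '%s' "${MAVEN_JIB_REGISTRY_RELEASE_USER:-${MAVEN_JIB_REGISTRY_USER:-$CI_REGISTRY_USER}}:${MAVEN_JIB_REGISTRY_RELEASE_PASSWORD:-${MAVEN_JIB_REGISTRY_PASSWORD:-$CI_REGISTRY_PASSWORD}}" | base64 | tr -d '\n')
    maven_jib_release_registry_host=$(printf '%s\n' "$MAVEN_JIB_RELEASE_IMAGE" | cut -d/ -f1)

    # NOTE(review): the JSON is assembled by string interpolation; the base64 token is
    # safe, but a '"' or '\' in $USER_AGENT would produce invalid JSON.
    # NOTE(review): "HttpHeaders" sits inside "auths" here, whereas Docker's config.json
    # defines it as a top-level key - confirm whether this nesting is intended.
    maven_jib_snapshot_config_json=$(printf '%s' "{\"auths\":{\"$maven_jib_snapshot_registry_host\":{\"auth\":\"$maven_jib_snapshot_authn_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")
    maven_jib_release_config_json=$(printf '%s' "{\"auths\":{\"$maven_jib_release_registry_host\":{\"auth\":\"$maven_jib_release_authn_token\"},\"HttpHeaders\":{\"User-Agent\":\"$USER_AGENT\"}}}")

    BUILDTOOL_HOME=${BUILDTOOL_HOME:-$HOME}

    # Create Docker auth config (supported by Jib)
    # The files hold registry credentials: they are created in a subshell with a
    # restrictive umask so that new files and a newly created .docker directory are
    # readable by the job user only. Paths are quoted so that a BUILDTOOL_HOME
    # containing spaces is handled correctly.
    (
      umask 077
      mkdir -p "$BUILDTOOL_HOME/.docker"
      printf '%s\n' "${maven_jib_snapshot_config_json}" > "$BUILDTOOL_HOME/.docker/config.json"
      printf '%s\n' "${maven_jib_release_config_json}" > "$BUILDTOOL_HOME/.docker/release-config.json"
    )

    log_info "Registry authentication configured for \\e[33;1m${maven_jib_snapshot_registry_host}\\e[0m"
  }

  configure_registries_auth

  # ENDSCRIPT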
# Runs the Maven build with the Jib plugin to build and push the snapshot image,
# then exports the image coordinates as a dotenv report.
# `.mvn-base` and `output_coverage` are defined outside this excerpt.
mvn-build:
  extends: .mvn-base
  script:
    # initialize Docker auth config
    - !reference [.mvn-jib-scripts]
    # build and push snapshot container
    # NOTE(review): ${TRACE+-X} adds Maven's -X debug flag whenever TRACE is set;
    # debug output is very verbose, so check job logs for sensitive values when it is enabled.
    - >-
      mvn ${TRACE+-X} $MAVEN_CLI_OPTS $mvn_settings_opt $java_proxy_args verify
      com.google.cloud.tools:jib-maven-plugin:build
      $MAVEN_JIB_BUILD_ARGS
    - output_coverage
    # create dotenv file
    # `cut -f2 -d':'` keeps only the part after the first ':' of the digest file, so
    # jib_digest is the bare hash without its algorithm prefix.
    # NOTE(review): jib_image_digest below is therefore written as <repository>@<hash>
    # with no algorithm prefix - confirm that consumers of jib.env expect this form.
    - jib_digest=$(cat target/jib-image.digest | cut -f2 -d':' )
    # repository = image reference up to its last ':', tag = everything after it.
    # NOTE(review): assumes MAVEN_JIB_SNAPSHOT_IMAGE always carries a tag; an untagged
    # reference with a registry port would be split at the port instead.
    - jib_repository=${MAVEN_JIB_SNAPSHOT_IMAGE%:*}
    - jib_tag=${MAVEN_JIB_SNAPSHOT_IMAGE##*:}
    - |
      {
        echo "jib_image=$MAVEN_JIB_SNAPSHOT_IMAGE"
        echo "jib_image_digest=$jib_repository@$jib_digest"
        echo "jib_repository=$jib_repository"
        echo "jib_tag=$jib_tag"
        echo "jib_digest=$jib_digest"
      } > jib.env
  artifacts:
    reports:
      # variables written to jib.env become environment variables of later jobs
      dotenv:
        - jib.env