From 8be346259b7065dacc0bda51b7298bb556b153b1 Mon Sep 17 00:00:00 2001 From: Elia el Lazkani Date: Tue, 4 Jul 2023 18:35:12 +0200 Subject: [PATCH] chore(): Revising pipeline for promotion --- .drone.yml | 10 ++++++++++ scripts/get-scan-report.sh | 17 +++++++++++++++++ 2 files changed, 27 insertions(+) create mode 100755 scripts/get-scan-report.sh diff --git a/.drone.yml b/.drone.yml index 7a30b09..d3253de 100644 --- a/.drone.yml +++ b/.drone.yml @@ -36,6 +36,10 @@ steps: - "${DRONE_COMMIT_SHA:0:8}" depends_on: - test-build-container + when: + event: + exclude: + - promote trigger: exclude: @@ -55,10 +59,15 @@ steps: REGISTRY_PASSWORD: from_secret: registry_password commands: + - trivy image --image-src remote scm.project42.io/elia/tricks:"${DRONE_COMMIT_SHA:0:8}" - trivy image --format json --output result.json --image-src remote scm.project42.io/elia/tricks:"${DRONE_COMMIT_SHA:0:8}" - export TIMESTAMP=$(date "+%F %T %Z") - echo $TIMESTAMP - oras attach --username "$REGISTRY_USERNAME" --password "$REGISTRY_PASSWORD" -a "org.opencontainers.trivy.created=$TIMESTAMP" -a "org.opencontainers.trivy.status=Passed" -a "org.opencontainers.trivy.tag=${DRONE_COMMIT_SHA:0:8}" --artifact-type application/json "scm.project42.io/elia/tricks:${DRONE_COMMIT_SHA:0:8}" result.json + when: + event: + exclude: + - promote depends_on: - build @@ -81,6 +90,7 @@ steps: REGISTRY_PASSWORD: from_secret: registry_password commands: + - scripts/get-scan-report.sh "scm.project42.io/elia/tricks:${DRONE_COMMIT_SHA:0:8}" - oras tag --username "$REGISTRY_USERNAME" --password "$REGISTRY_PASSWORD" "scm.project42.io/elia/tricks:${DRONE_COMMIT_SHA:0:8}" latest when: event: diff --git a/scripts/get-scan-report.sh b/scripts/get-scan-report.sh new file mode 100755 index 0000000..e0636b8 --- /dev/null +++ b/scripts/get-scan-report.sh 
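Review bot: The added `trivy image --image-src remote ...` line in the scan step has no `--exit-code`, and Trivy exits 0 by default even when it reports vulnerabilities. The step therefore cannot fail on findings, while the `oras attach` below it still records `org.opencontainers.trivy.status=Passed` for every image that reaches it. Since promotion now skips build and scan and relies on that attached report, the annotation should only be written after a scan that can actually fail, for example `- trivy image --exit-code 1 --severity HIGH,CRITICAL --image-src remote scm.project42.io/elia/tricks:"${DRONE_COMMIT_SHA:0:8}"`, with the severity list set to whatever the project's policy is. The step's definition starts above the hunk, so its image and any earlier settings are not visible here.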
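Review bot: The gate added before `oras tag` in the promote step passes whenever `scripts/get-scan-report.sh` manages to pull some `application/json` referrer; nothing in the step reads the pulled report or the `org.opencontainers.trivy.status` annotation before `latest` is moved. Anyone who can attach an artifact of that type to the image would satisfy it, so the step should fail unless the report content or the annotation on the referrer manifest meets the promotion policy. The script is also invoked without the `--username`/`--password` that `oras tag` receives on the next line, which presumably only works if the repository allows anonymous reads or a login happens elsewhere. A short comment above the new command, such as `# promotion gate: requires a scan report attached to this image`, would make the intent visible in the pipeline file.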
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -e
+
+image=$@
+
+image_information=$(oras discover --artifact-type application/json "$image")
+#printf "$image_information\n"
+printf "Found image $image...\n"
+
+report_digest=$(echo "$image_information" | tail -n1 | awk -F ' ' '{print $2}')
+#printf "$report_digest\n"
+printf "Found digests for scan report...\n"
+
+image_base=$(echo "$image" | awk -F ':' '{print $1}')
+printf "Pulling $image_base:@$report_digest...\n"
+oras pull "$image_base:@$report_digest"
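Review bot: `report_digest` is taken from whatever the last line of the `oras discover` tree output happens to be, and it is handed to `oras pull` without any check that it is a digest. When the image has no `application/json` referrer the last line is presumably the subject line, so the variable ends up empty and the step fails inside `oras pull` with a reference error instead of a clear "no scan report" message. With several referrers, the last one listed is used regardless of which scan produced it. `image=$@` should be `image=$1`, and the `printf` calls put `$image` and `$report_digest` into the format string, so a `%` or backslash in either would be interpreted; pass them as `%s` arguments as below. The script has no header comment stating its argument and that a non-zero exit means "no report"; one should be added.

```shell
image=$1

# … unchanged: oras discover call …
printf 'Found image %s...\n' "$image"

report_digest=$(echo "$image_information" | tail -n1 | awk -F ' ' '{print $2}')
# Fail with a clear message when the last line carries no digest (no referrer
# attached), instead of passing an empty reference on to oras pull.
case "$report_digest" in
  sha256:*) ;;
  *)
    printf 'No scan report attached to %s\n' "$image" >&2
    exit 1
    ;;
esac

# … unchanged: progress message and image_base derivation …
printf 'Pulling %s:@%s...\n' "$image_base" "$report_digest"
```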