talk-recording/.woodpecker/build.yml

variables:
  - &file Containerfile
  - &repo dev.shielddagger.com/opensource/talk-recording

when:
  - event: [push, pull_request, cron]

steps:
  - name: dryrun
    image: woodpeckerci/plugin-docker-buildx:5
    backend_options:
      kubernetes:
        securityContext:
          privileged: true
    settings:
      dockerfile: *file
      platforms: linux/arm64,linux/amd64
      cache_from: type=registry,ref=dev.shielddagger.com/opensource/talk-recording
      cache_to: type=inline
      dry_run: true
      repo: *repo
      tags: latest
      registry: dev.shielddagger.com
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      - event: pull_request
  - name: publish
    image: woodpeckerci/plugin-docker-buildx:5
    backend_options:
      kubernetes:
        securityContext:
          privileged: true
    settings:
      dockerfile: *file
      platforms: linux/arm64,linux/amd64
      cache_from: type=registry,ref=dev.shielddagger.com/opensource/talk-recording
      cache_to: type=inline
      repo: *repo
      auto_tag: true
      tags: ${CI_COMMIT_SHA:0:8}
      registry: dev.shielddagger.com
      username:
        from_secret: registry_username
      password:
        from_secret: registry_password
    when:
      - event: push
        branch: main
  - name: gather-digests
    image: quay.io/skopeo/stable:latest
    environment:
      DOCKER_USER:
        from_secret: registry_username
      DOCKER_PASS:
        from_secret: registry_password
      DOCKER_REPO: *repo
    when:
      - event: [push, cron]
        branch: main
        cron: "security-scan"
    commands:
      - dnf install -y jq
      - skopeo login dev.shielddagger.com --username $DOCKER_USER --password $DOCKER_PASS
      - skopeo inspect --raw docker://$DOCKER_REPO:latest | jq -r .'manifests[] | select(.platform.architecture=="arm64").digest' > digest-arm64
      - skopeo inspect --raw docker://$DOCKER_REPO:latest | jq -r .'manifests[] | select(.platform.architecture=="amd64").digest' > digest-amd64
  - name: image-scan
    image: aquasec/trivy
    environment:
      TRIVY_USER:
        from_secret: registry_username
      TRIVY_PASSWORD:
        from_secret: registry_password
      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
      TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
      DOCKER_REPO: *repo
    commands:
      - export ARM64_DIGEST=$(cat digest-arm64)
      - trivy image --platform linux/arm64 --debug ${DOCKER_REPO}@$ARM64_DIGEST --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
    when:
      - event: [push, cron]
        branch: main
        cron: "security-scan"
  - name: notify
    image: dev.shielddagger.com/opensource/discord-notifier
    failure: ignore
    settings:
      webhook_url:
        from_secret: discord_webhook
      woodpecker_url: https://ci.shielddagger.com/api
      woodpecker_token:
        from_secret: woodpecker_token
      icon_url: https://discord.com/api/webhooks/1231848304694919270/1ApQzOPMfNosxhQ62HbYScBT5s94m0bIUn1IFGQlT6d8Ru2ImcHHjjkFA_SaonBNU3yz
    when:
      - status: [success, failure]