#!groovy
import groovy.xml.XmlUtil
/**
 * Runs {@code command} through the Jenkins {@code sh} step and hands back what it
 * printed on standard output, with leading and trailing whitespace removed.
 *
 * @param command shell script text to execute on the current node
 * @return trimmed standard output of the command
 */
def executeShell(command) {
    String captured = sh(script: command, returnStdout: true)
    return captured.trim()
}
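/**
 * Determines the Maven project version of the checked-out sources.
 *
 * Feeds the expression {@code VERSION=${project.version}} to the interactive
 * {@code evaluate} goal of the maven-help-plugin and picks the line starting with
 * {@code VERSION=} out of its output (idea from
 * https://stackoverflow.com/questions/3545292/how-to-get-maven-project-version-to-the-bash-command-line).
 *
 * The returned value is later interpolated into shell commands, file names and the
 * Docker image tag, so it is validated against the character set a Maven version
 * legitimately consists of before it is handed out.
 *
 * @return the project version, e.g. {@code 0.5.0} or {@code 0.6.0-SNAPSHOT}
 * @throws IllegalStateException if Maven printed no {@code VERSION=} line, or the
 *         value contains characters outside {@code [A-Za-z0-9._-]}
 */
def getVersion() {
    final String prefix = 'VERSION='
    def mvnOutput = executeShell """
printf 'VERSION=\${project.version}\n0\n' | mvn org.apache.maven.plugins:maven-help-plugin:2.1.1:evaluate | egrep '^VERSION'
"""
    // An empty or unexpected output used to fail later with an obscure
    // StringIndexOutOfBoundsException from substring(); fail here with a clear message.
    if (!mvnOutput.startsWith(prefix)) {
        throw new IllegalStateException("Unable to determine the project version from Maven output: '${mvnOutput}'")
    }
    def version = mvnOutput.substring(prefix.length())
    // Anything else (whitespace, quotes, shell metacharacters, path separators) would be
    // injected into the shell commands and file names derived from the version below.
    if (!(version ==~ /[A-Za-z0-9._-]+/)) {
        throw new IllegalStateException("Refusing to use suspicious project version '${version}'")
    }
    return version
}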
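/**
 * Runs {@code job} while the Promregator release signing key is present in gpg's keyring.
 *
 * The secret key is read from the Jenkins file credential {@code PROMREGATOR_GPG_KEY},
 * imported into the agent's default keyring and marked as ultimately trusted
 * (ownertrust level 6). The {@code finally} block deletes both the secret and the
 * public key again, so the key does not stay on the agent once the signing work is
 * done, regardless of whether {@code job} succeeded.
 *
 * The path of the key file is expanded by the shell from the bound environment
 * variable ({@code "$GPGKEYFILE"}) instead of being Groovy-interpolated into the
 * script text, which is the form Jenkins recommends for credential bindings.
 *
 * NOTE(review): if the build is aborted hard (agent lost) between import and cleanup,
 * the secret key remains in the agent's default keyring until the next run's cleanup.
 *
 * @param job closure to execute while the key is available (e.g. a maven-gpg-plugin
 *            run or a {@code gpg --clearsign} call)
 */
def runWithGPG(Closure job) {
    // fingerprint of the Promregator release signing key
    final String keyFingerprint = 'C66B4B348F6D4071047318C52483051C0D49EDA0'
    withCredentials([file(credentialsId: 'PROMREGATOR_GPG_KEY', variable: 'GPGKEYFILE')]) {
        try {
            // GPG_TTY is neutralised because the agent has no terminal, see also
            // https://wiki.archlinux.org/index.php/GnuPG#Invalid_IPC_response_and_Inappropriate_ioctl_for_device
            sh """
export GPG_TTY=/dev/null # see also https://wiki.archlinux.org/index.php/GnuPG#Invalid_IPC_response_and_Inappropriate_ioctl_for_device
gpg --import "\$GPGKEYFILE"
echo "${keyFingerprint}:6:" | gpg --import-ownertrust
"""
            job()
        } finally {
            // ensure that the valuable signing key is deleted again
            sh """
export GPG_TTY=/dev/null # see also https://wiki.archlinux.org/index.php/GnuPG#Invalid_IPC_response_and_Inappropriate_ioctl_for_device
gpg --batch --yes --delete-secret-keys ${keyFingerprint}
gpg --batch --yes --delete-keys ${keyFingerprint}
"""
        }
    }
}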
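// Promregator build pipeline: compile and test, static analysis, dependency scan,
// Docker image tests and -- for release (non-SNAPSHOT) versions only -- signed
// deployment to OSSRH, a Docker Hub push and a gpg-signed hashsum file.
//
// Secrets (Sonar token, OSSRH login, Docker Hub password) are bound with
// withCredentials and referenced as shell environment variables ("\$name") rather
// than Groovy-interpolated into the sh script text; Jenkins flags the interpolated
// form as insecure because the secret becomes part of the stored command string.
timestamps {
    node("slave") {
        // BRANCH_NAME is only set by multibranch jobs, see also https://stackoverflow.com/a/36332154
        def checkoutBranchName = env.BRANCH_NAME
        dir("build") {
            checkout scm
            sh """
echo Building with Java version
javac -version
java -version
javadoc --version # Warning! Yes, at javadoc it's a double-hyphen!
"""
            def currentVersion = getVersion()
            // The version is interpolated into shell commands, file names and the Docker
            // tag below; refuse anything outside the character set of a Maven version.
            if (!(currentVersion ==~ /[A-Za-z0-9._-]+/)) {
                throw new IllegalStateException("Refusing to build with suspicious project version '${currentVersion}'")
            }
            println "Current version is ${currentVersion}"
            // release builds (non-SNAPSHOT) additionally sign, deploy and push
            boolean isRelease = !currentVersion.endsWith("-SNAPSHOT")
            def imageName = "promregator/promregator:${currentVersion}"

            stage("Build") {
                try {
                    // null-safe comparison: checkoutBranchName may be null outside multibranch jobs
                    if ("master".equals(checkoutBranchName)) {
                        withCredentials([string(credentialsId: 'promregator_sonarcloud', variable: 'sonarlogin')]) {
                            // CF_PASSWORD is only consumed by the test suite; a dummy value suffices.
                            // The Sonar token is expanded by bash from the bound environment variable.
                            sh """#!/bin/bash -xe
export CF_PASSWORD=dummypassword
mvn -U -B -PwithTests -Prelease "-Dsonar.login=\$sonarlogin" \
clean verify sonar:sonar
"""
                        }
                    } else {
                        sh """#!/bin/bash -xe
export CF_PASSWORD=dummypassword
mvn -U -B -PwithTests -Prelease clean verify
"""
                    }
                } finally {
                    // publish test results even if the build itself failed
                    junit 'target/surefire-reports/*.xml'
                }
            }

            stage("Post-process Jacoco") {
                step([
                    $class: 'JacocoPublisher'
                ])
            }

            stage("Static Code Checks") {
                // ignoreQualityGate: findings are reported but never fail the build
                recordIssues aggregatingResults: true,
                    enabledForFailure: true,
                    healthy: 10,
                    unhealthy: 20,
                    ignoreQualityGate: true,
                    sourceCodeEncoding: 'UTF-8',
                    tools: [
                        java(reportEncoding: 'UTF-8'),
                        pmdParser(pattern: 'target/pmd.xml', reportEncoding: 'UTF-8'),
                        findBugs(pattern: 'target/findbugsXml.xml', reportEncoding: 'UTF-8', useRankAsPriority: true),
                        cpd(pattern: 'target/cpd.xml', reportEncoding: 'UTF-8'),
                        javaDoc(reportEncoding: 'UTF-8'),
                        mavenConsole(reportEncoding: 'UTF-8')
                    ]
            }

            stage("SecDependency Scan") {
                // NOTE(review): report-only -- no failBuildOnCVSS threshold is configured, so
                // vulnerable dependencies not covered by the suppression file do not fail the build.
                sh """
mvn -B -DsuppressionFiles=./secscan/owasp-suppression.xml org.owasp:dependency-check-maven:5.2.4:check
"""
                archiveArtifacts "target/dependency-check-report.html"
            }

            stage("Tests for Docker Image") {
                sh """
chmod +x docker/data/promregator.sh
chmod +x test/docker/startscript/*.sh
cd test/docker/startscript
./runtests.sh
"""
            }

            stage("Official Build / OSSRH") {
                if (isRelease) {
                    // Problem: org.apache.maven.plugins:maven-gpg-plugin:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy
                    // must be run within the same "package" call. Otherwise they don't do their job.
                    // This means that we have to run a new build process. This build process will create
                    // other CRC values than before. Unfortunately, we can't prevent this.
                    // Yet, at the same time, we want to make sure that we will use the very same version
                    // for building the docker image as for the version that we ship as jar (via github release page).
                    withCredentials([usernamePassword(credentialsId: 'JIRA_SONARTYPE', passwordVariable: 'JIRA_PASSWORD', usernameVariable: 'JIRA_USERNAME')]) {
                        // XML-escape the credentials: they are embedded verbatim into settings.xml
                        def jiraUsername = XmlUtil.escapeXml(env.JIRA_USERNAME)
                        def jiraPassword = XmlUtil.escapeXml(env.JIRA_PASSWORD)
                        // see also https://central.sonatype.org/pages/apache-maven.html
                        String settingsXML = """<settings>
<servers>
<server>
<id>ossrh</id>
<username>${jiraUsername}</username>
<password>${jiraPassword}</password>
</server>
</servers>
<profiles>
<profile>
<id>withDeploy</id>
<activation>
<activeByDefault>false</activeByDefault>
</activation>
<properties>
<gpg.executable>gpg</gpg.executable>
<gpg.passphrase></gpg.passphrase>
</properties>
</profile>
</profiles>
</settings>"""
                        // settings.xml holds the OSSRH password in clear text; its lifetime is
                        // confined to this try block so it is removed on every exit path.
                        try {
                            writeFile file: "settings.xml", text: settingsXML
                            runWithGPG() {
                                sh """
mvn --settings ./settings.xml -U -B -DskipTests -Prelease -PwithDeploy package org.apache.maven.plugins:maven-gpg-plugin:sign org.sonatype.plugins:nexus-staging-maven-plugin:deploy
"""
                            }
                        } finally {
                            sh """
rm -f ./settings.xml
"""
                        }
                    }
                }
            }

            stage("Create Docker Container") {
                dir("docker") {
                    sh """
ln ../target/promregator-${currentVersion}.jar data/promregator.jar
# Necessary Preperation
chmod 0750 data
chmod 0640 data/*
chmod 0770 data/promregator.sh
docker build --pull --compress -t ${imageName} .
docker history ${imageName}
"""
                    if (isRelease) {
                        withCredentials([usernamePassword(
                            credentialsId: 'hub.github.com',
                            passwordVariable: 'DOCKER_PASSWORD',
                            usernameVariable: 'DOCKER_USER'
                        )]) {
                            // The password is read by docker from stdin and expanded by the shell
                            // from the bound environment variable. The login name is the fixed
                            // Docker Hub account; DOCKER_USER is bound but deliberately not used.
                            // docker login persists the credential in the agent's docker config,
                            // so log out again once the push is done.
                            try {
                                sh """
echo "\$DOCKER_PASSWORD" | docker login -u promregator --password-stdin
"""
                                sh """
docker push ${imageName}
"""
                            } finally {
                                sh """
docker logout
"""
                            }
                        }
                    }
                }
            }

            stage("Generate hashsum file") {
                // determine jar file hash values; MD5 is kept alongside SHA-256 only for
                // consumers that still expect it, the file itself is gpg-signed below
                sh """
cd target
cat >../promregator-${currentVersion}.hashsums <<EOT
commit(promregator.git)=`git rev-parse HEAD`
`openssl dgst -sha256 -hex promregator-${currentVersion}.jar`
`openssl dgst -md5 -hex promregator-${currentVersion}.jar`
EOT
"""
                // determine docker image version
                def dockerImageIdentifier = executeShell """
docker inspect --format='{{.RepoDigests}}' ${imageName}
"""
                if (!dockerImageIdentifier.equals("[]")) {
                    // the docker image has a sha256 (note: SNAPSHOT versions do not have one!)
                    dockerImageIdentifier = executeShell """
docker inspect --format='{{index .RepoDigests 0}}' ${imageName}
"""
                    def dockerImageIdentifierCanonical = executeShell """
docker inspect --format='{{.Id}}' ${imageName}
"""
                    sh """
cat >>promregator-${currentVersion}.hashsums <<EOT
Docker Image Repo Digest: ${dockerImageIdentifier}
Docker Image Id: ${dockerImageIdentifierCanonical}
EOT
"""
                }
            }

            stage("Hashsumming/Archiving") {
                // show the current state
                sh "ls -al"
                if (isRelease) {
                    // signing only happens, if deployment is in place
                    archiveArtifacts "target/promregator-${currentVersion}*.asc"
                }
                // SHA1 is only the last-resort fallback in the preference list
                runWithGPG() {
                    sh """
gpg --clearsign --personal-digest-preferences SHA512,SHA384,SHA256,SHA224,SHA1 promregator-${currentVersion}.hashsums
"""
                }
                sh """
mv promregator-${currentVersion}.hashsums.asc promregator-${currentVersion}.hashsums
cat promregator-${currentVersion}.hashsums
"""
                archiveArtifacts "promregator-${currentVersion}.hashsums"
                archiveArtifacts 'target/promregator*.jar'
            }
        }
    }
}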