diff --git a/.ci-orchestrator/sample-liberty-build.yml b/.ci-orchestrator/sample-liberty-build.yml index 431c9fbf..18d946ac 100644 --- a/.ci-orchestrator/sample-liberty-build.yml +++ b/.ci-orchestrator/sample-liberty-build.yml @@ -9,7 +9,7 @@ triggers: - name: BRANCH defaultValue: "main" - name: command - defaultValue: "make build-app-pipeline IMAGE=${IMAGE}" + defaultValue: "scripts/build-app.sh --image ${IMAGE}" - name: IMAGE defaultValue: "stg.icr.io/cp/olc-sample/open-liberty/samples/getting-started:latest" diff --git a/.gitignore b/.gitignore index 2e4c951e..9efcccde 100644 --- a/.gitignore +++ b/.gitignore @@ -17,3 +17,5 @@ MANIFEST.MF # Zip files *.zip + +.secrets.baseline \ No newline at end of file diff --git a/.one-pipeline.yaml b/.one-pipeline.yaml deleted file mode 100644 index e50c5073..00000000 --- a/.one-pipeline.yaml +++ /dev/null 
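Review bot: The trigger declares only BRANCH, command and IMAGE parameters, yet the new default command `scripts/build-app.sh --image ${IMAGE}` now depends on PIPELINE_USERNAME and PIPELINE_PASSWORD being present in the orchestrator environment, because build-app.sh performs the registry login itself in this commit (the deleted Makefile's `docker-login` target consumed the same two variables). It is worth confirming that the ppc64le/s390x builders receive those variables, since a missing value now fails at login instead of at build time. `${IMAGE}` is also unquoted inside the command string; the default has no whitespace, but `--image "${IMAGE}"` is safer if the parameter is ever overridden.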
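Review bot: Ignoring `.secrets.baseline` while deleting the tracked baseline in the same commit discards the detect-secrets triage it held (the mvnw.cmd line 147 finding marked `is_secret: false`), and it means no future baseline can be shared through the repository. If a detect-secrets pre-commit hook or CI scan still runs, the baseline should stay tracked so contributors and the pipeline compare against the same allowlist; if the tool was dropped, its hook configuration should be removed alongside it rather than the baseline silently ignored. The new entry also lacks a trailing newline (`\ No newline at end of file`), which makes the next addition to the file a noisier diff.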
@@ -1,291 +0,0 @@ -version: '1' - -setup: - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - SKIP_SETUP=$(get_env SKIP_SETUP) - if [[ "$SKIP_SETUP" != 1 ]]; then - GHE_TOKEN=$(cat "$WORKSPACE/git-token") - GHE_TOKEN=$(get_env git-token) - GH_TOKEN=$(get_env git-token-GH) - OWNER=$(jq -r '.services[] | select(.toolchain_binding.name=="app-repo") | .parameters.owner_id' /toolchain/toolchain.json) - REPO=$(jq -r '.services[] | select(.toolchain_binding.name=="app-repo") | .parameters.repo_name' /toolchain/toolchain.json) - REPO=${REPO%.git} - REPO=sample-getting-started - BRANCH=$(get_env branch) - # The 'owner' is really the org, not the user with admin access to repo - OWNER=OpenLiberty - echo "Owner: $OWNER" - echo "REPO: $REPO" - echo "BRANCH: $BRANCH" - - curl -u :$GH_TOKEN https://api.github.com/repos/$OWNER/$REPO/branches/$BRANCH/protection -H "Accept: application/vnd.github.v3+json" -X PUT -d '{"required_pull_request_reviews":{"dismiss_stale_reviews":true,"required_approving_review_count":1},"enforce_admins":null,"restrictions":null,"required_status_checks":null}' - - // Update repo with Whitesource enabled - WHITESOURCE_GHE_REPO=$(get_env WHITESOURCE_GHE_REPO) - WHITESOURCE_GHE_DOMAIN=$(get_env WHITESOURCE_GHE_DOMAIN) - echo "git push --prune https://$GHE_TOKEN@$WHITESOURCE_GHE_DOMAIN/$WHITESOURCE_GHE_REPO +refs/remotes/origin/$BRANCH:refs/heads/$BRANCH +refs/tags/*:refs/tags/*" - git push --prune https://$GHE_TOKEN@$WHITESOURCE_GHE_DOMAIN/$WHITESOURCE_GHE_REPO +refs/remotes/origin/$BRANCH:refs/heads/$BRANCH +refs/tags/*:refs/tags/* - fi - -test: - abort_on_failure: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - SKIP_UNIT_TESTS=$(get_env SKIP_UNIT_TESTS) - if [[ "$SKIP_UNIT_TESTS" != 1 ]]; then - cd ../"$(load_repo app-repo path)" - mvn clean package liberty:create liberty:install-feature liberty:test-start liberty:deploy 
failsafe:integration-test failsafe:verify liberty:test-stop - fi - -static-scan: - abort_on_failure: false - dind: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - SKIP_STATIC_SCAN=$(get_env SKIP_STATIC_SCAN) - if [[ "$SKIP_STATIC_SCAN" != 1 ]]; then - read -r SONAR_HOST_URL <<< "$(get_env sonarqube | jq -r '.parameters.dashboard_url' | sed 's:/*$::')" - read -r SONAR_USER <<< "$(get_env sonarqube | jq -r '.parameters.user_login')" - SONARQUBE_INSTANCE_ID=$(get_env sonarqube | jq -r '.instance_id') - read -r SONAR_PASS <<< "$(jq -r --arg sonar_instance "$SONARQUBE_INSTANCE_ID" '[.services[] | select(."service_id"=="sonarqube")][] | select(."instance_id"==$sonar_instance) | .parameters.user_password' /toolchain/toolchain.json)" - touch "$WORKSPACE"/liberty-getting-started/sonar-project.properties - cat << EOF > "$WORKSPACE"/liberty-getting-started/sonar-project.properties - sonar.projectKey=liberty-getting-started - sonar.host.url=$SONAR_HOST_URL - sonar.sources=. 
- sonar.login=$SONAR_USER - sonar.password=$SONAR_PASS - sonar.c.file.suffixes=- - sonar.cpp.file.suffixes=- - sonar.objc.file.suffixes=- - EOF - chmod -x "$WORKSPACE"/liberty-getting-started/sonar-project.properties - #echo "$SONAR_PASS" >> /tmp/sonarqube-token - "${ONE_PIPELINE_PATH}"/internal/sonarqube/sonarqube_run - fi - -containerize: - abort_on_failure: true - dind: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - if [[ "$PIPELINE_DEBUG" == 1 ]]; then - trap env EXIT - env - set -x - fi - - yum -y -q update - - # Check skopeo version - echo "skopeo version" - skopeo --version || exit 1 - - # Build images - export PIPELINE_USERNAME=$(get_env ibmcloud-api-user) - export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key-staging) - export CONTAINER_REGISTRY=$(get_env CONTAINER_REGISTRY "stg.icr.io") - REGISTRY_REPO=$(get_env REGISTRY_REPO) - IMAGE_TAG=$(get_env IMAGE_TAG) - IMAGE=$CONTAINER_REGISTRY/$REGISTRY_REPO:$IMAGE_TAG - BRANCH=$(get_env branch) - - W3_USERNAME=$(get_env w3_username) - W3_PASSWORD=$(get_env w3_password) - - export arch=$(get_env architecture) - - # build P and Z - if [[ "$arch" == "ZXP" ]]; then - echo " Sending request to build P and Z" - ./scripts/pipeline/request-ciorchestrator.sh --command "make build-app-pipeline IMAGE=${IMAGE}" --user "$W3_USERNAME" --password "$W3_PASSWORD" --branch "$BRANCH" --repository "sample-getting-started" --org "OpenLiberty" --trigger "sample-liberty" --configFile ".ci-orchestrator/sample-liberty-build.yml" - pipelineid=$(cat ciorchestrator-submit.id) - fi - - # Build X - make build-app-pipeline IMAGE=${IMAGE} - - #wait on build for P and Z - if [[ "$arch" == "ZXP" ]]; then - # wait for build ppc64le and s390x images - echo " waiting on request to build P and Z" - ./scripts/pipeline/await-ciorchestrator.sh --user "$W3_USERNAME" --password "$W3_PASSWORD" --pipelineId "$pipelineid" - fi - - # Build manifest - make build-manifest-pipeline IMAGE=${IMAGE} - 
- # Save artifacts - echo "**** Saving Artifacts ****" - if [[ "$arch" == "ZXP" ]]; then - declare -a tags=("${IMAGE_TAG}" "${IMAGE_TAG}-amd64" "${IMAGE_TAG}-ppc64le" "${IMAGE_TAG}-s390x") - else - declare -a tags=("${IMAGE_TAG}" "${IMAGE_TAG}-amd64") - fi - - for i in "${tags[@]}" - do - IMAGE=$CONTAINER_REGISTRY/$REGISTRY_REPO:$i - DIGEST="$(skopeo inspect docker://$IMAGE | grep Digest | grep -o 'sha[^\"]*')" - { ARCH="$(echo $i | grep -o '\(amd64\|s390x\|ppc64le\)$')" && TYPE="image"; } || { TYPE="manifest"; } - if [[ "$TYPE" == "manifest" ]]; then - echo "Saving artifact $i type=$TYPE name=$IMAGE digest=$DIGEST" - save_artifact $i type=$TYPE name="$IMAGE" "digest=$DIGEST" - else - echo "Saving artifact $i type=$TYPE name=$IMAGE digest=$DIGEST arch=$ARCH" - save_artifact $i type=$TYPE name="$IMAGE" "digest=$DIGEST" "arch=$ARCH" - fi - done - -sign-artifact: - abort_on_failure: false - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - echo "Skipping step because it doesn't make sense to sign an image at this step in the flow" - -deploy: - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - if [[ "$PIPELINE_DEBUG" == 1 ]]; then - trap env EXIT - env - set -x - fi - - echo "Skipping Deploy" - -dynamic-scan: - abort_on_failure: false - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - echo "Skipping dynamic-scan" - -acceptance-test: - abort_on_failure: true - dind: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - if [[ "$PIPELINE_DEBUG" == 1 ]]; then - trap env EXIT - env - set -x - fi - - export PIPELINE_USERNAME=$(get_env ibmcloud-api-user) - export PIPELINE_PASSWORD=$(get_env ibmcloud-api-key-staging) - export CONTAINER_REGISTRY=$(get_env CONTAINER_REGISTRY "stg.icr.io") - REGISTRY_REPO=$(get_env REGISTRY_REPO) - IMAGE_TAG=$(get_env IMAGE_TAG) - 
IMAGE=$CONTAINER_REGISTRY/$REGISTRY_REPO:$IMAGE_TAG - BRANCH=$(get_env branch) - - W3_USERNAME=$(get_env w3_username) - W3_PASSWORD=$(get_env w3_password) - - export arch=$(get_env architecture) - - # check P and Z - if [[ "$arch" == "ZXP" ]]; then - echo " Sending request to build P and Z" - ./scripts/pipeline/request-ciorchestrator.sh --command "make check-build IMAGE=${IMAGE}" --user "$W3_USERNAME" --password "$W3_PASSWORD" --branch "$BRANCH" --repository "sample-getting-started" --org "OpenLiberty" --trigger "sample-liberty" --configFile ".ci-orchestrator/sample-liberty-build.yml" - pipelineid=$(cat ciorchestrator-submit.id) - fi - - # Check X - make check-build IMAGE=${IMAGE} - - #wait on build for P and Z - if [[ "$arch" == "ZXP" ]]; then - # wait for build ppc64le and s390x images - echo " waiting on request to build P and Z" - ./scripts/pipeline/await-ciorchestrator.sh --user "$W3_USERNAME" --password "$W3_PASSWORD" --pipelineId "$pipelineid" - fi - - -scan-artifact: - abort_on_failure: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - echo $STAGE - - # ========== Security Scanner ========== - ./scripts/pipeline/ci_to_secure_pipeline_scan.sh - -release: - abort_on_failure: false - dind: true - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - - if [[ "$PIPELINE_DEBUG" == 1 ]]; then - trap env EXIT - env - set -x - fi - - PUBLISH_IMAGES=$(get_env PUBLISH_IMAGES) - if [[ "$PUBLISH_IMAGES" == 1 ]]; then - skopeo --version - - IMAGE_TAG=$(get_env IMAGE_TAG) - - export PIPELINE_USERNAME=$(get_env ibmcloud-api-user) - PIPELINE_STAGING_PASSWORD=$(get_env ibmcloud-api-key-staging) - CONTAINER_REGISTRY=$(get_env CONTAINER_REGISTRY "stg.icr.io") - REGISTRY_REPO=$(get_env REGISTRY_REPO) - STAGING_IMAGE=$CONTAINER_REGISTRY/$REGISTRY_REPO:$IMAGE_TAG - - PIPELINE_PROD_PASSWORD=$(get_env ibmcloud-api-key) - PROD_CONTAINER_REGISTRY=$(get_env 
PROD_CONTAINER_REGISTRY) - PROD_REGISTRY_REPO=$(get_env PROD_REGISTRY_REPO) - PROD_IMAGE=$PROD_CONTAINER_REGISTRY/$PROD_REGISTRY_REPO:$IMAGE_TAG - - # Copy image digests and manifest list to prod - echo $PIPELINE_STAGING_PASSWORD | docker login $CONTAINER_REGISTRY -u "$PIPELINE_USERNAME" --password-stdin - echo $PIPELINE_PROD_PASSWORD | docker login $PROD_CONTAINER_REGISTRY -u "$PIPELINE_USERNAME" --password-stdin - - echo "Copying staged image $STAGING_IMAGE to prod at $PROD_IMAGE as user $PIPELINE_USERNAME" - skopeo copy --src-creds $PIPELINE_USERNAME:$PIPELINE_STAGING_PASSWORD --dest-creds $PIPELINE_USERNAME:$PIPELINE_PROD_PASSWORD --all docker://$STAGING_IMAGE docker://$PROD_IMAGE - - echo "Manifest list of $PROD_IMAGE" - docker manifest inspect "$PROD_IMAGE" - digest="$(skopeo inspect docker://$PROD_IMAGE | grep Digest | grep -o 'sha[^\"]*')" - echo "$digest" - - export CONTAINER_REGISTRY=$PROD_CONTAINER_REGISTRY - export PIPELINE_PASSWORD=$PIPELINE_PROD_PASSWORD - - # Check X image from prod registry - make check-build IMAGE=${PROD_IMAGE} - fi - -owasp-zap-api: - dind: true - abort_on_failure: false - image: icr.io/continuous-delivery/pipeline/pipeline-base-ubi:3.12 - script: | - #!/usr/bin/env bash - if [[ "$PIPELINE_DEBUG" == 1 ]]; then - trap env EXIT - env - set -x - fi - - echo "Skipping OWASP ZAP API" diff --git a/.secrets.baseline b/.secrets.baseline deleted file mode 100644 index 1d6cc615..00000000 --- a/.secrets.baseline +++ /dev/null 
@@ -1,96 +0,0 @@ -{ - "exclude": { - "files": "^.secrets.baseline$", - "lines": null - }, - "generated_at": "2023-08-25T19:53:53Z", - "plugins_used": [ - { - "name": "AWSKeyDetector" - }, - { - "name": "ArtifactoryDetector" - }, - { - "name": "AzureStorageKeyDetector" - }, - { - "base64_limit": 4.5, - "name": "Base64HighEntropyString" - }, - { - "name": "BasicAuthDetector" - }, - { - "name": "BoxDetector" - }, - { - "name": "CloudantDetector" - }, - { - "ghe_instance": "github.ibm.com", - "name": "GheDetector" - }, - { - "name": "GitHubTokenDetector" - }, - { - "hex_limit": 3, - "name": "HexHighEntropyString" - }, - { - "name": "IbmCloudIamDetector" - }, - { - "name": "IbmCosHmacDetector" - }, - { - "name": "JwtTokenDetector" - }, - { - "keyword_exclude": null, - "name": "KeywordDetector" - }, - { - "name": "MailchimpDetector" - }, - { - "name": "NpmDetector" - }, - { - "name": "PrivateKeyDetector" - }, - { - "name": "SlackDetector" - }, - { - "name": "SoftlayerDetector" - }, - { - "name": "SquareOAuthDetector" - }, - { - "name": "StripeDetector" - }, - { - "name": "TwilioKeyDetector" - } - ], - "results": { - "mvnw.cmd": [ - { - "hashed_secret": "4e455935905a45080257f4d3c67115e4131b05af", - "is_secret": false, - "is_verified": false, - "line_number": 147, - "type": "Secret Keyword", - "verified_result": null - } - ] - }, - "version": "0.13.1+ibm.61.dss", - "word_list": { - "file": null, - "hash": null - } -} diff --git a/Makefile b/Makefile deleted file mode 100644 index 9b3ee08f..00000000 --- a/Makefile +++ /dev/null 
@@ -1,17 +0,0 @@ -# Default values if not set -CONTAINER_REGISTRY ?= icr.io -REGISTRY_REPO ?= appcafe/open-liberty/samples/getting-started -IMAGE_TAG ?= latest -IMAGE ?= ${CONTAINER_REGISTRY}/${REGISTRY_REPO}:${IMAGE_TAG} - -docker-login: - echo ${PIPELINE_PASSWORD} | docker login ${CONTAINER_REGISTRY} -u "${PIPELINE_USERNAME}" --password-stdin - -build-app-pipeline: docker-login - ./scripts/build-app.sh --image "${IMAGE}" - -build-manifest-pipeline: - ./scripts/build-manifest.sh --image "${IMAGE}" - -check-build: docker-login - ./scripts/pipeline/check-build.sh --image "${IMAGE}" diff --git a/ebcDockerBuilderLGS.jenkinsfile b/ebcDockerBuilderLGS.jenkinsfile index 367a266a..c7675073 100644 --- a/ebcDockerBuilderLGS.jenkinsfile +++ b/ebcDockerBuilderLGS.jenkinsfile @@ -6,7 +6,7 @@ properties([ string(name: 'ebcPlan', defaultValue: 'svl-dockerJenkins-ubuntu20_ppcle.yml', description: 'EBC plan to use when provisioning a Jenkins node'), string(name: 'ebcBranch', defaultValue: "${env.ecosystem_branch}", description: 'Git branch used for ebc code'), string(name: 'scriptOrg', defaultValue: "OpenLiberty", description: 'Git org containing docker build scripts'), - string(name: 'command', defaultValue: "make build-app-pipeline IMAGE=stg.icr.io/cp/olc-sample/open-liberty/samples/getting-started", description: 'Build command to execute on target arch machine, e.g. make build-pipeline-releases'), + string(name: 'command', defaultValue: "scripts/build-app.sh --image stg.icr.io/cp/olc-sample/open-liberty/samples/getting-started", description: 'Build command to execute on target arch machine'), string(name: 'BRANCH', defaultValue: "main", description: 'release branch to use'), string(name: 'CONTAINER_REGISTRY', defaultValue: "stg.icr.io", description: 'staging registry to push images to') ]) diff --git a/scripts/build-app.sh b/scripts/build-app.sh index 978fdeac..0126515e 100755 --- a/scripts/build-app.sh +++ b/scripts/build-app.sh 
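Review bot: The new default still passes an untagged reference (`stg.icr.io/cp/olc-sample/open-liberty/samples/getting-started`), so the tag resolves implicitly to `latest`, while DEFAULT_IMAGE in the scripts changed by this commit pins `:latest` explicitly; writing `...getting-started:latest` here keeps the two consistent and makes the tag visible in the job parameters. The relative path `scripts/build-app.sh` also assumes the step runs from the repository root on the target-arch machine, which the old `make` invocation assumed as well but which the parameter description does not state.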
@@ -10,10 +10,20 @@ set -Eeo pipefail readonly usage="Usage: $0 --image " +DEFAULT_IMAGE="icr.io/appcafe/open-liberty/samples/getting-started:latest" + main() { parse_args "$@" check_args + echo "IMAGE: $IMAGE" + + CONTAINER_REGISTRY=$(echo "$IMAGE" | cut -d '/' -f 1) + echo "CONTAINER_REGISTRY: $CONTAINER_REGISTRY" + + # Docker login + echo ${PIPELINE_PASSWORD} | docker login ${CONTAINER_REGISTRY} -u "${PIPELINE_USERNAME}" --password-stdin + # Define current arch variable case "$(uname -p)" in "ppc64le") @@ -50,9 +60,9 @@ main() { check_args() { if [[ -z "${IMAGE}" ]]; then - echo "****** Missing target image for app build, see usage" - echo "${usage}" - exit 1 + echo "****** Missing target image for app build" + echo "Setting the target image to default: ${DEFAULT_IMAGE}" + IMAGE="${DEFAULT_IMAGE}" fi } diff --git a/scripts/pipeline/check-build.sh b/scripts/check-build.sh similarity index 74% rename from scripts/pipeline/check-build.sh rename to scripts/check-build.sh index 921eb726..7f46fffe 100755 --- a/scripts/pipeline/check-build.sh +++ b/scripts/check-build.sh @@ -10,10 +10,20 @@ set -Eeo pipefail readonly usage="Usage: $0 --image " +DEFAULT_IMAGE="icr.io/appcafe/open-liberty/samples/getting-started:latest" + main() { parse_args "$@" check_args + echo "IMAGE: $IMAGE" + + CONTAINER_REGISTRY=$(echo "$IMAGE" | cut -d '/' -f 1) + echo "CONTAINER_REGISTRY: $CONTAINER_REGISTRY" + + # Docker login + echo ${PIPELINE_PASSWORD} | docker login ${CONTAINER_REGISTRY} -u "${PIPELINE_USERNAME}" --password-stdin + docker pull $IMAGE docker images 
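Review bot: The new login line in main() expands the credential unquoted, `echo ${PIPELINE_PASSWORD} | docker login ${CONTAINER_REGISTRY} ...`, so a password containing whitespace or glob characters is word-split and a value beginning with `-n`/`-e` is eaten by echo, and an unset variable produces an opaque docker error rather than a clear message; the same line is added to scripts/check-build.sh in this commit. Fail early and quote: `: "${PIPELINE_USERNAME:?PIPELINE_USERNAME must be set for docker login}"`, `: "${PIPELINE_PASSWORD:?PIPELINE_PASSWORD must be set for docker login}"`, then `printf '%s' "${PIPELINE_PASSWORD}" | docker login "${CONTAINER_REGISTRY}" -u "${PIPELINE_USERNAME}" --password-stdin`. Deriving the registry with `cut -d '/' -f 1` is presumably fine for the fully qualified references used here, but an image name without a registry component would make the first path segment the login target, which a short comment on that line should state. main() continues past the end of the hunk.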
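Review bot: check_args now silently substitutes `icr.io/appcafe/open-liberty/samples/getting-started:latest` when `--image` is absent, so an empty IMAGE in a pipeline no longer aborts but logs into and builds against what appears to be the production registry path; scripts/check-build.sh gains the same fallback in this commit. If the default exists for local runs, make the fall-through loud and deliberate, for example `echo "${usage}"` before assigning the default (this hunk otherwise leaves `usage` unused in check_args), and declare the constant as `readonly DEFAULT_IMAGE=...` to match the `readonly usage=` line just above it.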
@@ -39,7 +49,7 @@ main() { # Test the endpoints for 200 response code curl -f -s -I "0.0.0.0:9080" &>/dev/null && echo "OK: Landing page did return 200" || { echo 'FAIL: Sample App landing page did not return 200' ; exit 1; } - curl -f -s "0.0.0.0:9080" | grep -q 'Open Liberty - Getting Started Sample' && echo "OK: Sample App landing page contained 'Open Liberty - Getting Started Sample'" || { echo 'FAIL: Did not find "Open Liberty - Getting Started Sample" in response' ; exit 1; } + curl -f -s "0.0.0.0:9080" | grep 'Open Liberty - Getting Started Sample' && echo "OK: Sample App landing page contained 'Open Liberty - Getting Started Sample'" || { echo 'FAIL: Did not find "Open Liberty - Getting Started Sample" in response' ; exit 1; } curl -f -s -I "0.0.0.0:9080/system/properties" &>/dev/null && echo "OK: /system/properties did return 200" || { echo 'FAIL: /system/properties did not return 200' ; exit 1; } curl -f -s -I "0.0.0.0:9080/system/config" &>/dev/null && echo "OK: /system/config did return 200" || { echo 'FAIL: /system/config did not return 200' ; exit 1; } curl -f -s -I "0.0.0.0:9080/system/runtime" &>/dev/null && echo "OK: /system/runtime did return 200" || { echo 'FAIL: /system/runtime did not return 200' ; exit 1; } @@ -49,9 +59,9 @@ main() { check_args() { if [[ -z "${IMAGE}" ]]; then - echo "****** Missing target image for app image check, see usage" - echo "${usage}" - exit 1 + echo "****** Missing target image for app build" + echo "Setting the target image to default: ${DEFAULT_IMAGE}" + IMAGE="${DEFAULT_IMAGE}" fi } diff --git a/scripts/pipeline/await-ciorchestrator.sh b/scripts/pipeline/await-ciorchestrator.sh deleted file mode 100755 index 0957e3a1..00000000 --- a/scripts/pipeline/await-ciorchestrator.sh +++ /dev/null 
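Review bot: Removing `-q` from the landing-page `grep` prints the matched HTML line into the CI log; under `set -Eeo pipefail` the exit status of the pipeline is unchanged, so the effect is output only, but if the goal is to show what matched, `grep -m 1 'Open Liberty - Getting Started Sample'` keeps it to a single line instead of every occurrence. The enclosing main() starts and ends outside this hunk.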
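Review bot: The new message in check_args says `Missing target image for app build` although this script checks an image rather than building one (the removed line said `app image check`), so the log output of the two scripts becomes indistinguishable; `echo "****** Missing target image for app image check"` keeps the distinction. The renamed script also moved from scripts/pipeline/ to scripts/, so any caller still using the old path is outside this diff and should be checked.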
@@ -1,107 +0,0 @@ -#!/bin/bash - -function main() { - parse_arguments "$@" - await_ciorchestrator -} - -function print_usage() { - script_name=`basename ${0}` - echo "Usage: ${script_name} [OPTIONS]" - echo "" - echo "Await Completion of CI Orchestrator job" - echo "" - echo "Options:" - echo " -u, --user string IntranetId to use to authenticate to CI Orchestrator" - echo " --password string Intranet Password to use to authenticate to CI Orchestrator" - echo " --pipelineId string pipelineId of the request that should be awaited" - echo " -h, --help Print usage information" - echo "" -} - - -function parse_arguments() { - if [[ "$#" == 0 ]]; then - print_usage - exit 1 - fi - - # process options - while [[ "$1" != "" ]]; do - case "$1" in - -u | --user) - shift - USER=$1 - ;; - --password) - shift - PASSWORD=$1 - ;; - --pipelineId) - shift - pipelineId=$1 - ;; - -h | --help) - print_usage - exit 1 - ;; - esac - shift - done -} - -function await_ciorchestrator() { - echo "Checking Pipeline Request in CI Orchestrator as ${USER}, pipelineId: ${pipelineId}" - - cat >ciorchestrator-query.json </dev/null - rc=$? - if [ $rc -eq 0 ]; then - echo "CIOrchestrator Pipeline finished" - cat ciorchestrator-query-output.csv | grep -E "OK" >/dev/null - ok=$? - echo "Exiting $ok" - exit $ok - else - sleep 1m - fi - done -} - -function check_request(){ - curl -s -X POST \ - --insecure \ - -H "Content-Type: application/json" \ - -d @ciorchestrator-query.json \ - -u "${USER}:${PASSWORD}" \ - -o ciorchestrator-query-output.csv \ - https://libh-proxy1.fyre.ibm.com/ci-pipeline-work-views-stateStore/query - - cat ciorchestrator-query-output.csv - -} - - -# --- Run --- - -main $* \ No newline at end of file diff --git a/scripts/pipeline/ci_to_secure_pipeline_scan.sh b/scripts/pipeline/ci_to_secure_pipeline_scan.sh deleted file mode 100755 index 0ff6237f..00000000 --- a/scripts/pipeline/ci_to_secure_pipeline_scan.sh +++ /dev/null 
@@ -1,83 +0,0 @@ -#!/usr/bin/env bash - -echo "Connecting to the Security Scan Toolchain" - -# IMAGES_TO_SCAN is delimited by "\n" -IMAGES_TO_SCAN="" -if which list_artifacts >/dev/null; then - for ARTIFACT_IMAGE in $(list_artifacts); do - IMAGE_NAME="$(load_artifact "$ARTIFACT_IMAGE" "name" 2>/dev/null)" - IMAGE_TYPE="$(load_artifact "$ARTIFACT_IMAGE" "type" 2>/dev/null)" - - if [[ -z "${IMAGE_NAME}" || "$(echo "$IMAGE_TYPE" | tr '[:upper:]' '[:lower:]')" != "image" ]]; then - continue - else - IMAGES_TO_SCAN+="$IMAGE_NAME" - IMAGES_TO_SCAN+=$"\n" - fi - done -fi - -echo -e "IMAGES_TO_SCAN:\n$IMAGES_TO_SCAN" - -# This must be an IBM Cloud API key that has permission to run the toolchain -IBMCLOUD_API_KEY="$(get_env ibmcloud-api-key)" # pragma: allowlist secret - -# The IBM Cloud region that is hosting the security scanning pipeline -SECSCAN_TOOLCHAIN_REGION=$(get_env sescan-toolchain-region) -if [[ -z "${SECSCAN_TOOLCHAIN_REGION}" ]]; then - SECSCAN_TOOLCHAIN_REGION="us-south" -fi - -# Ensure ibmcloud is updated before logging in -ibmcloud --version -ibmcloud update -f -ibmcloud login --apikey "$IBMCLOUD_API_KEY" -r "$SECSCAN_TOOLCHAIN_REGION" -a "https://cloud.ibm.com" - -SCANNING_PIPELINE_ID=$(get_env security-scanning-pipeline-id) - -TRIGGER_NAME=$(get_env security-scanning-pipeline-trigger) -if [[ -z "${TRIGGER_NAME}" ]]; then - TRIGGER_NAME="Security Scan Manual Trigger Multiscan" -fi - -#AGGREGATE_IMAGE_SCAN_ISSUES=(get_env aggregate-image-scan-issues) -#if [[ -z "${AGGREGATE_IMAGE_SCAN_ISSUES}" ]]; then -AGGREGATE_IMAGE_SCAN_ISSUES="squad" -#fi - -EVIDENCE_REPO=$(get_env evidence-repo) -INCIDENT_REPO=$(get_env incident-repo) -if [[ -z $EVIDENCE_REPO || -z $INCIDENT_REPO ]]; then - TRIGGER_PROPERTIES_JSON="{\"images-to-scan\": \"$(echo ${IMAGES_TO_SCAN})\"}" -else - TRIGGER_PROPERTIES_JSON="{ - \"aggregate-image-scan-issues\": \"$(echo ${AGGREGATE_IMAGE_SCAN_ISSUES})\", - \"images-to-scan\": \"$(echo ${IMAGES_TO_SCAN})\", - \"evidence-repo\": 
\"${EVIDENCE_REPO}\", - \"incident-repo\": \"${INCIDENT_REPO}\" - }" -fi - -echo "RUN_DATA=(ibmcloud dev tekton-trigger "$SCANNING_PIPELINE_ID" --trigger-name "$TRIGGER_NAME" --trigger-properties "$TRIGGER_PROPERTIES_JSON" --output json)" -RUN_DATA=$(ibmcloud dev tekton-trigger "$SCANNING_PIPELINE_ID" --trigger-name "$TRIGGER_NAME" --trigger-properties "$TRIGGER_PROPERTIES_JSON" --output json) - -RUN_ID=$(echo $RUN_DATA | jq -r '.id') -echo "Security Scanning Pipeline Run ID=$RUN_ID" - -MAX_TRIES=600 -COMPLETE=0 -for (( TRIES=0; TRIES<=$MAX_TRIES; TRIES++ )) -do - RESULT=$(ibmcloud dev tekton-pipelinerun $SCANNING_PIPELINE_ID --run-id ${RUN_ID} --output json | jq -r '.status.state') - if [[ $RESULT != "passed" && $RESULT != "failed" && $RESULT != "cancelled" && $RESULT != "succeeded" ]];then - sleep 10 - else - COMPLETE=1 - break - fi -done -echo "Security Scanning Pipeline returned $RESULT" -echo "Security Scanning Pipeline URL: https://cloud.ibm.com/devops/pipelines/tekton/${SCANNING_PIPELINE_ID}/runs/${RUN_ID}/build-scan-artifact/run-stage?env_id=ibm:yp:us-south" - -# TODO: Add code to fail the pipeline run if the Security Scanning Pipeline returns "failed" diff --git a/scripts/pipeline/request-ciorchestrator.sh b/scripts/pipeline/request-ciorchestrator.sh deleted file mode 100755 index 2b69288a..00000000 --- a/scripts/pipeline/request-ciorchestrator.sh +++ /dev/null 
@@ -1,145 +0,0 @@ -#!/bin/bash - -GH_API_ROOT="https://api.github.com" -GH_BRANCH="main" -GH_REPOSITORY="sample-getting-started" -GH_ORG="OpenLiberty" -CI_TRIGGER="lgsdocker" -CI_CONFIG_FILE=".ci-orchestrator/sample-liberty-build.yml" -pipelineName="Liberty Getting Started Build" -command="make build-app-pipeline" - - -function main() { - parse_arguments "$@" - request_ciorchestrator -} - -function print_usage() { - script_name=`basename ${0}` - echo "Usage: ${script_name} [OPTIONS]" - echo "" - echo "Kick off of CI Orchestrator job" - echo "" - echo "Options:" - echo " -u, --user string IntranetId to use to authenticate to CI Orchestrator" - echo " --password string Intranet Password to use to authenticate to CI Orchestrator" - echo " -b, --branch string Github Repository branch" - echo " -r, --repository string GitHub Repository to use" - echo " --org string Github Organisation containing repository" - echo " --trigger string Name of trigger within CI Orchestrator config file" - echo " --configFile string Location of CI Orchestrator config file" - echo " --command string Command to execute on remote machine" - echo " -h, --help Print usage information" - echo "" -} - - -function parse_arguments() { - if [[ "$#" == 0 ]]; then - print_usage - exit 1 - fi - - # process options - while [[ "$1" != "" ]]; do - case "$1" in - -u | --user) - shift - USER=$1 - ;; - --password) - shift - PASSWORD=$1 - ;; - -b | --branch) - shift - GH_BRANCH=$1 - ;; - -r | --repository) - shift - GH_REPOSITORY=$1 - ;; - --org) - shift - GH_ORG=$1 - ;; - --trigger) - shift - CI_TRIGGER=$1 - ;; - --configFile) - shift - CI_CONFIG_FILE=$1 - ;; - --command) - shift - COMMAND=$1 - ;; - -h | --help) - print_usage - exit 1 - ;; - esac - shift - done -} - - -function request_ciorchestrator() { - pipelineId=OnePipeline_${PIPELINE_RUN_ID}_${RANDOM} - cat >ciorchestrator-submit.json <ciorchestrator-submit.id - # add retry logic for Fyre networking issues - echo "Sending Pipeline Request to CI 
Orchestrator pipelineId: ${pipelineId} as ${USER}" - echo "command to run: $COMMAND" - count=0 - tryAgain=true - while $tryAgain; do - curl --fail --insecure -v -X POST \ - -H "Content-Type: application/json" \ - -d @ciorchestrator-submit.json \ - -u "${USER}:${PASSWORD}" \ - https://libh-proxy1.fyre.ibm.com/eventPublish/rawCIData/${pipelineId} - rc=$? - if [[ $rc -eq 0 ]]; then - echo "Successfully sent CI orchestrator Request" - tryAgain=false - elif [[ $count -gt 600 ]]; then - #Bail after 10 mins - echo "Problem sending CI orchestrator Request after 10 mins of trying, giving up. Curl returned $rc" - exit 1; - else - sleep 10 - count=$((count+10)) - fi - done -} - - -# --- Run --- - -main "$@" \ No newline at end of file