automated terminal push
45
Jenkinsfile
vendored
45
Jenkinsfile
vendored
@@ -1,27 +1,24 @@
|
||||
pipeline {
|
||||
agent any
|
||||
|
||||
environment {
|
||||
// Non‑secret config injected from Jenkins Credentials (Secret Text)
|
||||
// Non-secret config injected from Jenkins Credentials (Secret Text)
|
||||
AWS_REGION = credentials('AWS_REGION')
|
||||
AWS_ACCOUNT_ID = credentials('AWS_ACCOUNT_ID')
|
||||
CODEART_DOMAIN = credentials('CODEART_DOMAIN')
|
||||
CODEART_REPO = credentials('CODEART_REPO')
|
||||
}
|
||||
|
||||
stages {
|
||||
stage('Checkout') {
|
||||
steps {
|
||||
checkout scm
|
||||
}
|
||||
}
|
||||
|
||||
stage('Authenticate & Configure') {
|
||||
steps {
|
||||
// Use AWS Credentials Plugin to pick up your IAM user keys
|
||||
withAWS(credentials: 'jenkins-codeartifact', region: "${AWS_REGION}") {
|
||||
script {
|
||||
// Fetch a short‑lived CodeArtifact token
|
||||
// Fetch a short-lived CodeArtifact token
|
||||
env.CODEART_TOKEN = sh(
|
||||
script: """
|
||||
aws codeartifact get-authorization-token \\
|
||||
@@ -36,37 +33,41 @@ pipeline {
|
||||
pip config set global.index-url \
|
||||
"https://aws:${CODEART_TOKEN}@${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/simple/"
|
||||
cat > ~/.pypirc <<EOF
|
||||
[distutils]
|
||||
index-servers = codeartifact
|
||||
|
||||
[codeartifact]
|
||||
repository = https://${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/
|
||||
username = aws
|
||||
password = ${CODEART_TOKEN}
|
||||
[distutils]
|
||||
index-servers = codeartifact
|
||||
[codeartifact]
|
||||
repository = https://${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/
|
||||
username = aws
|
||||
password = ${CODEART_TOKEN}
|
||||
EOF
|
||||
'''
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
stage('Build & Publish') {
|
||||
stage('Build') {
|
||||
steps {
|
||||
sh '''
|
||||
python3 -m pip install --upgrade setuptools wheel twine
|
||||
python3 setup.py sdist bdist_wheel
|
||||
'''
|
||||
}
|
||||
}
|
||||
stage('Trivy Security Scan') {
|
||||
steps {
|
||||
// Runs Trivy as a Docker container against your workspace
|
||||
// This will fail the build if HIGH or CRITICAL vulnerabilities are found
|
||||
sh 'docker run --rm -v ${WORKSPACE}:/project aquasec/trivy:latest fs --severity HIGH,CRITICAL --exit-code 1 /project'
|
||||
}
|
||||
}
|
||||
stage('Publish') {
|
||||
steps {
|
||||
// Only publish if security scan passes
|
||||
sh '''
|
||||
twine upload --repository codeartifact dist/*
|
||||
'''
|
||||
}
|
||||
}
|
||||
|
||||
stage('Trivy Scan') {
|
||||
steps {
|
||||
// Runs Trivy as a Docker container against your workspace
|
||||
sh 'docker run --rm -v ${WORKSPACE}:/project aquasec/trivy:latest fs --severity HIGH,CRITICAL --exit-code 1 /project'
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
post {
|
||||
success {
|
||||
echo '✅ Build succeeded and package published to CodeArtifact.'
|
||||
|
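Review bot: The CodeArtifact token is persisted on the agent outside the build's lifetime: the `pip config set global.index-url` line writes the token-bearing URL into the user's pip config and the `cat > ~/.pypirc` heredoc writes `password = ${CODEART_TOKEN}` into the agent home directory, and nothing in the pipeline removes either, so the token survives the build and is readable by any later job that runs on the same agent or as the same user. The token is also stored in `env.CODEART_TOKEN`, which as far as I can tell is not masked in console output the way `credentials()` values are. At minimum add a cleanup step, e.g. `post { always { sh 'rm -f ~/.pypirc; pip config unset global.index-url || true' } }`, and prefer writing `.pypirc` under `${WORKSPACE}` and passing the index URL through a stage-scoped `withEnv` rather than the user-wide pip config. Separately, the Trivy step runs `aquasec/trivy:latest`; pinning the scanner to a tag or digest keeps the gate reproducible. The enclosing `pipeline` block and the `post` section continue outside this hunk.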