pipeline {
  agent any

  environment {
    // Non‑secret config injected from Jenkins Credentials (Secret Text)
    AWS_REGION     = credentials('AWS_REGION')
    AWS_ACCOUNT_ID = credentials('AWS_ACCOUNT_ID')
    CODEART_DOMAIN = credentials('CODEART_DOMAIN')
    CODEART_REPO   = credentials('CODEART_REPO')
  }

  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }

    stage('Authenticate & Configure') {
      steps {
        // Use AWS Credentials Plugin to pick up your IAM user keys
        withAWS(credentials: 'jenkins-codeartifact', region: "${AWS_REGION}") {
          script {
            // Fetch a short‑lived CodeArtifact token
            env.CODEART_TOKEN = sh(
              script: """
                aws codeartifact get-authorization-token \\
                  --domain ${CODEART_DOMAIN} \\
                  --domain-owner ${AWS_ACCOUNT_ID} \\
                  --query authorizationToken --output text
              """, returnStdout: true
            ).trim()
          }
          // Point pip and twine at your CodeArtifact repo
          sh '''
            pip config set global.index-url \
"https://aws:${CODEART_TOKEN}@${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/simple/"
            cat > ~/.pypirc <<EOF
            [distutils]
            index-servers = codeartifact

            [codeartifact]
            repository = https://${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/
            username = aws
            password = ${CODEART_TOKEN}
EOF
          '''
        }
      }
    }

    stage('Build & Publish') {
      steps {
        sh '''
          python3 -m pip install --upgrade setuptools wheel twine
          python3 setup.py sdist bdist_wheel
          twine upload --repository codeartifact dist/*
        '''
      }
    }

    stage('Trivy Scan') {
      steps {
        // Runs Trivy as a Docker container against your workspace
        sh 'docker run --rm -v ${WORKSPACE}:/project aquasec/trivy:latest fs --severity HIGH,CRITICAL --exit-code 1 /project'
      }
    }
  }

  post {
    success {
      echo '✅ Build succeeded and package published to CodeArtifact.'
    }
    failure {
      echo '❌ Build failed — check the console output for errors.'
    }
  }
}