pipeline {
  agent any
  environment {
    // Non-secret config injected from Jenkins Credentials (Secret Text)
    AWS_REGION     = credentials('AWS_REGION')
    AWS_ACCOUNT_ID = credentials('AWS_ACCOUNT_ID')
    CODEART_DOMAIN = credentials('CODEART_DOMAIN')
    CODEART_REPO   = credentials('CODEART_REPO')
  }
  stages {
    stage('Checkout') {
      steps {
        checkout scm
      }
    }
    stage('Authenticate & Configure') {
      steps {
        // Use AWS credentials directly with withCredentials
        withCredentials([
          [$class: 'AmazonWebServicesCredentialsBinding', 
           credentialsId: 'jenkins-codeartifact', 
           accessKeyVariable: 'AWS_ACCESS_KEY_ID', 
           secretKeyVariable: 'AWS_SECRET_ACCESS_KEY']
        ]) {
          script {
            // Fetch a short-lived CodeArtifact token
            env.CODEART_TOKEN = sh(
              script: """
                aws codeartifact get-authorization-token \\
                  --region ${AWS_REGION} \\
                  --domain ${CODEART_DOMAIN} \\
                  --domain-owner ${AWS_ACCOUNT_ID} \\
                  --query authorizationToken --output text
              """, returnStdout: true
            ).trim()
          }
          // Point pip and twine at your CodeArtifact repo
          sh '''
            pip config set global.index-url \
"https://aws:${CODEART_TOKEN}@${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/simple/"
            cat > ~/.pypirc <<EOF
[distutils]
index-servers = codeartifact
[codeartifact]
repository = https://${CODEART_DOMAIN}-${AWS_ACCOUNT_ID}.d.codeartifact.${AWS_REGION}.amazonaws.com/pypi/${CODEART_REPO}/
username = aws
password = ${CODEART_TOKEN}
EOF
          '''
        }
      }
    }
    stage('Build') {
      steps {
        sh '''
          python3 -m pip install --upgrade setuptools wheel twine
          python3 setup.py sdist bdist_wheel
        '''
      }
    }
    stage('Trivy Security Scan') {
      steps {
        // Runs Trivy as a Docker container against your workspace
        // This will fail the build if HIGH or CRITICAL vulnerabilities are found
        sh 'docker run --rm -v ${WORKSPACE}:/project aquasec/trivy:latest fs --severity HIGH,CRITICAL --exit-code 1 /project'
      }
    }
    stage('Publish') {
      steps {
        // Only publish if security scan passes
        sh '''
          twine upload --repository codeartifact dist/*
        '''
      }
    }
  }
  post {
    success {
      echo '✅ Build succeeded and package published to CodeArtifact.'
    }
    failure {
      echo '❌ Build failed — check the console output for errors.'
    }
  }
}