Jenkinsfile-Release

/*
 * Copyright (c) 2016-present Sonatype, Inc. All rights reserved.
 * Includes the third-party code listed at http://links.sonatype.com/products/nexus/attributions.
 * "Sonatype" is a trademark of Sonatype, Inc.
 */
@Library(['private-pipeline-library', 'jenkins-shared']) _
import com.sonatype.jenkins.pipeline.GitHub
import com.sonatype.jenkins.pipeline.OsTools
import com.sonatype.jenkins.shared.Expectation

String OPENJDK17 = 'OpenJDK 17'
List<String> javaVersions = [OPENJDK17]
properties([
  parameters([
    string(defaultValue: '', description: 'New Nexus Repository Manager Version', name: 'nexus_repository_manager_version'),
    string(defaultValue: '', description: 'New Nexus Repository Manager Version Sha256', name: 'nexus_repository_manager_version_sha'),
    booleanParam(defaultValue: false, description: 'Skip Pushing of Docker Image and Tags', name: 'skip_push'),
    booleanParam(defaultValue: false, description: 'Only update the latest tag', name: 'update_latest_only')
  ])
])

node('ubuntu-zion') {
  def commitId, commitDate, version, imageId, alpineImageId, branch
  def organization = 'sonatype',
      gitHubRepository = 'docker-nexus3',
      credentialsId = 'jenkins-github',
      imageName = 'sonatype/nexus3',
      archiveName = 'docker-nexus3',
      dockerHubRepository = 'nexus3'
  GitHub gitHub

  def JAVA_17 = 'java17'
  dockerFileLocations = [
    "${pwd()}/Dockerfile.java17",
    "${pwd()}/Dockerfile.rh.ubi.java17",
    "${pwd()}/Dockerfile.alpine.java17"
  ]
  try {
    stage('Preparation') {
      deleteDir()
      OsTools.runSafe(this, "docker system prune -a -f")
      def checkoutDetails = checkout scm

      branch = checkoutDetails.GIT_BRANCH == 'origin/main' ? 'main' : checkoutDetails.GIT_BRANCH
      commitId = checkoutDetails.GIT_COMMIT
      commitDate = OsTools.runSafe(this, "git show -s --format=%cd --date=format:%Y%m%d-%H%M%S ${commitId}")

      OsTools.runSafe(this, 'git config --global user.email sonatype-ci@sonatype.com')
      OsTools.runSafe(this, 'git config --global user.name Sonatype CI')

      version = readVersion()

      def apiToken
      withCredentials([[$class: 'UsernamePasswordMultiBinding',
                        credentialsId: credentialsId,
                        usernameVariable: 'GITHUB_API_USERNAME',
                        passwordVariable: 'GITHUB_API_PASSWORD']]) {
        apiToken = env.GITHUB_API_PASSWORD
      }
      gitHub = new GitHub(this, "${organization}/${gitHubRepository}", apiToken)

      if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
        stage('Update Repository Manager Version') {
          OsTools.runSafe(this, "git checkout ${branch}")
          dockerFileLocations.each { updateRepositoryManagerVersion(it) }
          version = getShortVersion(params.nexus_repository_manager_version)
        }
      }
    }

    stage('Build Images') {
      gitHub.statusUpdate commitId, 'pending', 'build', 'Build is running'
      def dockerfilePath = 'Dockerfile.java17'
      def baseImage = extractBaseImage(dockerfilePath)
      def baseImageRefFactory = load 'scripts/BaseImageReference.groovy'
      def baseImageReference = baseImageRefFactory.build(this, baseImage as String)
      def baseImageReferenceStr = baseImageReference.getReference()
      def hash = OsTools.runSafe(this, "docker build --quiet --label base-image-ref='${baseImageReferenceStr}' --no-cache --tag ${imageName} . -f ${dockerfilePath}")
      imageId = hash.split(':')[1]

      // Build Alpine Image
      def alpineDockerfilePath = 'Dockerfile.alpine.java17'
      def alpineHash = OsTools.runSafe(this, "docker build --quiet --no-cache --tag ${imageName}-alpine . -f ${alpineDockerfilePath}")
      alpineImageId = alpineHash.split(':')[1]

      if (currentBuild.result == 'FAILURE') {
        gitHub.statusUpdate commitId, 'failure', 'build', 'Build failed'
        return
      } else {
        gitHub.statusUpdate commitId, 'success', 'build', 'Build succeeded'
      }
    }

    stage('Evaluate Policies') {
      def imagesToScan = [
          [name: 'docker-nexus3', image: imageName],
          [name: 'docker-nexus3-alpine', image: "${imageName}-alpine"]
      ]

      imagesToScan.each { imageConfig ->
        runEvaluation({ stage ->
          def iqApplicationName = imageConfig.name
          def imageToScan = imageConfig.image

          nexusPolicyEvaluation(
            iqStage: stage,
            iqApplication: iqApplicationName,
            iqScanPatterns: [[scanPattern: "container:${imageToScan}"]],
            failBuildOnNetworkError: true,
          )
        }, 'release')
      }
    }
    if (currentBuild.result == 'FAILURE') {
          return
    }

    if (params.nexus_repository_manager_version && params.nexus_repository_manager_version_sha) {
      stage('Commit Automated Code Update') {
        withCredentials([[$class: 'UsernamePasswordMultiBinding', credentialsId: 'jenkins-github',
                        usernameVariable: 'GITHUB_API_USERNAME', passwordVariable: 'GITHUB_API_PASSWORD']]) {
          def commitMessage = "Update Repository Manager to ${params.nexus_repository_manager_version}."

          if (!params.update_latest_only) {
            OsTools.runSafe(this, """
              git add .
              git commit -m '${commitMessage}'
              git push https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git ${branch}
            """)
          }
        }
      }
    }
    stage('Archive') {
      dir('build/target') {
        OsTools.runSafe(this, "docker save ${imageName} | gzip > ${archiveName}.tar.gz")
        archiveArtifacts artifacts: "${archiveName}.tar.gz", onlyIfSuccessful: true
      }
    }
    if (branch == 'main' && !params.skip_push && !params.update_latest_only) {
      stage('Push image') {
        def dockerhubApiToken

        withCredentials([[$class: 'UsernamePasswordMultiBinding',
                          credentialsId: 'docker-hub-credentials',
                          usernameVariable: 'DOCKERHUB_API_USERNAME',
                          passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {

          // Push UBI image
          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}")
          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-ubi")
          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:${version}-java17-ubi")
          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")

          // Push Alpine Image
          OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-alpine")
          OsTools.runSafe(this, "docker tag ${alpineImageId} ${organization}/${dockerHubRepository}:${version}-java17-alpine")

          OsTools.runSafe(this, """
            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
          """)

          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")

          response = OsTools.runSafe(this, """
            curl -X POST https://hub.docker.com/v2/users/login/ \
              -H 'cache-control: no-cache' -H 'content-type: application/json' \
              -d '{ "username": "${env.DOCKERHUB_API_USERNAME}", "password": "${env.DOCKERHUB_API_PASSWORD}" }'
          """)
          token = readJSON text: response
          dockerhubApiToken = token.token

          def readme = readFile file: 'README.md', encoding: 'UTF-8'
          readme = readme.replaceAll("(?s)<!--.*?-->", "")
          readme = readme.replace("\"", "\\\"")
          readme = readme.replace("\n", "\\n")
          response = httpRequest customHeaders: [[name: 'authorization', value: "JWT ${dockerhubApiToken}"]],
              acceptType: 'APPLICATION_JSON', contentType: 'APPLICATION_JSON', httpMode: 'PATCH',
              requestBody: "{ \"full_description\": \"${readme}\" }",
              url: "https://hub.docker.com/v2/repositories/${organization}/${dockerHubRepository}/"

          // push to internal repos
          withSonatypeDockerRegistry() {
            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi"
            sh "docker tag ${imageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi"
            sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine"
            sh "docker tag ${alpineImageId} docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine"

            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}"
            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-ubi"
            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-ubi"
            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-alpine"
            sh "docker push docker-all.repo.sonatype.com/sonatype-internal/${dockerHubRepository}:${version}-java17-alpine"
          }
        }
      }
      stage('Push tags') {
        withCredentials([[$class: 'UsernamePasswordMultiBinding',
                          credentialsId: credentialsId,
                          usernameVariable: 'GITHUB_API_USERNAME',
                          passwordVariable: 'GITHUB_API_PASSWORD']]) {
          OsTools.runSafe(this, "git tag ${version}")
          OsTools.runSafe(this, """
            git push \
            https://${env.GITHUB_API_USERNAME}:${env.GITHUB_API_PASSWORD}@github.com/${organization}/${gitHubRepository}.git \
              ${version}
          """)
        }
        OsTools.runSafe(this, "git tag -d ${version}")
      }
    }
    else if(params.update_latest_only) {
      stage('Push tags') {
        withCredentials([[$class: 'UsernamePasswordMultiBinding',
                          credentialsId: 'docker-hub-credentials',
                          usernameVariable: 'DOCKERHUB_API_USERNAME',
                          passwordVariable: 'DOCKERHUB_API_PASSWORD']]) {
          OsTools.runSafe(this, "docker tag ${imageId} ${organization}/${dockerHubRepository}:latest")
          OsTools.runSafe(this, """
            docker login --username ${env.DOCKERHUB_API_USERNAME} --password ${env.DOCKERHUB_API_PASSWORD}
          """)
          OsTools.runSafe(this, "docker push --all-tags ${organization}/${dockerHubRepository}")
        }
      }
    }
  } finally {
    OsTools.runSafe(this, "docker logout")
    OsTools.runSafe(this, "docker system prune -a -f")
    OsTools.runSafe(this, 'git clean -f && git reset --hard origin/main')
  }
}

def readVersion() {
  def content = readFile 'Dockerfile.java17'
  for (line in content.split('\n')) {
    if (line.startsWith('ARG NEXUS_VERSION=')) {
      return getShortVersion(line.substring(18))
    }
  }
  error 'Could not determine version.'
}

def getShortVersion(version) {
  return version.split('-')[0]
}

def updateRepositoryManagerVersion(dockerFileLocation) {
  def dockerFile = readFile(file: dockerFileLocation)

  def metaVersionRegex = /(version=")(\d\.\d{1,3}\.\d\-\d{2})(" \\)/
  def metaShortVersionRegex = /(release=")(\d\.\d{1,3}\.\d)(" \\)/

  def versionRegex = /(ARG NEXUS_VERSION=)(\d\.\d{1,3}\.\d\-\d{2})/
  def shaRegex = /(ARG NEXUS_DOWNLOAD_SHA256_HASH=)([A-Fa-f0-9]{64})/

  dockerFile = dockerFile.replaceAll(metaVersionRegex, "\$1${params.nexus_repository_manager_version}\$3")
  dockerFile = dockerFile.replaceAll(metaShortVersionRegex,
    "\$1${params.nexus_repository_manager_version.substring(0, params.nexus_repository_manager_version.indexOf('-'))}\$3")
  dockerFile = dockerFile.replaceAll(versionRegex, "\$1${params.nexus_repository_manager_version}")
  dockerFile = dockerFile.replaceAll(shaRegex, "\$1${params.nexus_repository_manager_version_sha}")

  writeFile(file: dockerFileLocation, text: dockerFile)
}

def extractBaseImage (dockerFileLocation) {
  def dockerFile = readFile(file: dockerFileLocation)
  def baseImageRegex = "FROM\\s+([^\\s]+)"
  def usedImages = dockerFile =~ baseImageRegex

  return usedImages[0][1]
}