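---
# Drone CI pipeline for the baseimage-plantuml image.
#
# Pull requests: lint the repository YAML, build the image under a commit-SHA
# tag, scan it with trivy and grype, and always remove that local tag again.
# Tags: rebuild the image, tag it with the git tag and `latest`, push both to
# the private registry.
#
# Every step that talks to Docker mounts the host's Docker socket, which gives
# the step container full control of the host daemon. Treat this pipeline as
# privileged: only trusted repositories/branches should be able to trigger it.
kind: pipeline
type: docker
name: default

image_pull_secrets:
  - dockerconfigjson

volumes:
  - name: dockersock
    host:
      path: /var/run/docker.sock

steps:
  - name: lint yaml
    image: registry.fedy95.com/baseimage-yamllint:latest
    commands:
      - yamllint -c /yamllint/relaxed.yaml .
    when:
      event: pull_request

  - name: build image
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      # The commit-SHA tag is only a local scan target; it is removed by the
      # cleanup step and never pushed.
      - docker build -t "$REGISTRY"/baseimage-plantuml:"$DRONE_COMMIT_SHA" image -f image/Dockerfile
    when:
      event: pull_request

  - name: trivy security scan
    # Unpinned tag: the scanner version (and therefore the result) can change
    # between runs. Pin a release tag for reproducible scans.
    image: aquasec/trivy
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      # --exit-code 1 fails the step on a finding of *any* severity (grype
      # below only fails on critical); add --severity if a tighter policy is
      # wanted here. This uses the bare `trivy <image>` form; if a newer
      # scanner rejects it, the `trivy image <image>` subcommand is the
      # equivalent.
      - >-
        trivy
        --exit-code 1
        --format json
        --no-progress
        "$REGISTRY"/baseimage-plantuml:"$DRONE_COMMIT_SHA"
    when:
      event: pull_request

  - name: grype security scan
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      - apk add --no-cache curl
      # Supply-chain caveat: the installer is fetched from the unpinned `main`
      # branch and piped straight into sh, so each run executes whatever that
      # script contains at that moment. Prefer pinning a release tag (the
      # installer accepts one as its final argument) or using the official
      # anchore/grype image for this step.
      - >-
        curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh |
        sh -s -- -b /usr/local/bin
      - >-
        grype "$REGISTRY"/baseimage-plantuml:"$DRONE_COMMIT_SHA"
        --scope all-layers
        --fail-on=critical
        --verbose
    when:
      event: pull_request

  - name: cleanup
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      - docker rmi "$REGISTRY"/baseimage-plantuml:"$DRONE_COMMIT_SHA"
    when:
      event: pull_request
      # Runs after failed builds/scans too, so stale tags do not accumulate
      # on the shared host daemon.
      status: [success, failure]

  - name: release
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    # NOTE: `settings` is the input block for Drone plugins. This step runs
    # plain `commands`, so nothing below reads these values; they are kept
    # only for reference.
    settings:
      repo: baseimage/plantuml
      tags:
        - ${DRONE_TAG}
    environment:
      REGISTRY: registry.fedy95.com
      REGISTRY_USERNAME:
        from_secret: REGISTRY_USERNAME
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
    commands:
      - docker build -t "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG" image -f image/Dockerfile
      # Re-tag instead of building a second time, so `latest` is guaranteed to
      # be the same image digest as the versioned tag.
      - docker tag "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG" "$REGISTRY"/baseimage-plantuml:latest
      # Feed the password on stdin rather than via -p: a -p argument is
      # visible to every process on the host (`ps`) and can end up in shell
      # or CI logs. `echo` is a shell builtin here, so the secret does not
      # appear on any process command line.
      - echo "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USERNAME" --password-stdin
      - docker push "$REGISTRY"/baseimage-plantuml:"$DRONE_TAG"
      - docker push "$REGISTRY"/baseimage-plantuml:latest
      - docker logout "$REGISTRY"
    when:
      event: tag
...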