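---
# Drone CI pipeline for the baseimage-yamllint image.
#   pull_request: lint the repo, build the image, scan it, remove it.
#   tag:          build the image and push it as <tag> and latest.
#
# Every step that mounts the `dockersock` volume talks to the host's Docker
# daemon, which is equivalent to root on the build host. Drone only allows
# host-path volumes for repositories marked "trusted", so pull requests from
# forks run with that level of access unless fork builds are restricted.
#
# NOTE(review): `docker:dind` and `baseimage-yamllint:latest` are mutable
# tags; pinning them to a version or digest would make builds reproducible.
kind: pipeline
type: docker
name: default

image_pull_secrets:
  - dockerconfigjson

volumes:
  - name: dockersock
    host:
      path: /var/run/docker.sock

steps:
  - name: lint yaml
    image: registry.fedy95.com/baseimage-yamllint:latest
    commands:
      - yamllint -c /yamllint/relaxed.yaml .
    when:
      event: pull_request

  - name: build image
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      # Tagged with the commit SHA so the scan and cleanup steps can refer
      # to exactly this build.
      - docker build -t "$REGISTRY"/baseimage-yamllint:$DRONE_COMMIT_SHA image -f image/Dockerfile
    when:
      event: pull_request

  # - name: trivy security check
  #   image: aquasec/trivy
  #   volumes:
  #     - name: dockersock
  #       path: /var/run/docker.sock
  #   environment:
  #     REGISTRY: registry.fedy95.com
  #   commands:
  #     - "trivy \
  #       --exit-code 1 \
  #       --format json \
  #       --no-progress \
  #       $REGISTRY/baseimage-yamllint:$DRONE_COMMIT_SHA"
  #   when:
  #     event: pull_request

  - name: grype security check
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      - apk add curl
      # NOTE(review): the installer is fetched from the moving `main` branch
      # and piped straight into sh, next to a mounted Docker socket. Pin the
      # script to a release tag (and a grype version) and verify a checksum,
      # or bake grype into a dedicated image.
      - 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
      # Only findings rated critical fail the build; lower severities pass.
      - "grype $REGISTRY/baseimage-yamllint:$DRONE_COMMIT_SHA --scope all-layers --fail-on=critical"
    when:
      event: pull_request

  # Renamed: Drone's linter rejects a pipeline in which two steps share a
  # name, and this step previously duplicated "grype security check".
  - name: grype security check (anchore image)
    image: anchore/grype
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    environment:
      REGISTRY: registry.fedy95.com
    commands:
      # `apk add curl` was dropped: curl is only needed by the installer
      # below, which is commented out because this image already ships grype.
      # NOTE(review): Drone runs `commands` through a shell inside the image;
      # confirm that anchore/grype provides one.
      # - curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
      - "grype $REGISTRY/baseimage-yamllint:$DRONE_COMMIT_SHA --scope all-layers --fail-on=critical"
    when:
      event: pull_request

  - name: cleanup
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    commands:
      - docker rmi registry.fedy95.com/baseimage-yamllint:$DRONE_COMMIT_SHA
    when:
      event: pull_request
      # Run after a failed step too; otherwise a failing scan leaves the
      # per-commit image behind on the host daemon.
      status:
        - success
        - failure

  - name: release
    image: docker:dind
    volumes:
      - name: dockersock
        path: /var/run/docker.sock
    # NOTE(review): `settings` are plugin parameters; the commands below do
    # not reference them. Confirm whether they are still needed.
    settings:
      repo: baseimage/yamllint
      tags:
        # Quoted so a numeric-looking tag such as 1.20 stays a string.
        - "${DRONE_TAG}"
    environment:
      REGISTRY: registry.fedy95.com
      REGISTRY_USERNAME:
        from_secret: REGISTRY_USERNAME
      REGISTRY_PASSWORD:
        from_secret: REGISTRY_PASSWORD
    commands:
      # One build with both tags, so <tag> and latest are the same image
      # rather than two separate builds that may differ.
      - >-
        docker build
        -t "$REGISTRY"/baseimage-yamllint:"$DRONE_TAG"
        -t "$REGISTRY"/baseimage-yamllint:latest
        image -f image/Dockerfile
      # The password is passed on stdin so it does not appear in the process
      # argument list.
      - >-
        printf '%s' "$REGISTRY_PASSWORD" |
        docker login "$REGISTRY" -u "$REGISTRY_USERNAME" --password-stdin
      - docker push "$REGISTRY"/baseimage-yamllint:"$DRONE_TAG"
      - docker push "$REGISTRY"/baseimage-yamllint:latest
      - docker logout "$REGISTRY"
    # NOTE(review): the release image is rebuilt here and pushed without a
    # scan; the grype steps only run on pull_request events.
    when:
      event: tag
...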