autojanet/.woodpecker.yaml

---
# AutoJanet CI Pipeline
# Builds and pushes two images to Harbor:
#   - registry.ctz.fyi/library/autojanet-agent:latest (+ git SHA tag)
#   - registry.ctz.fyi/library/autojanet-dispatcher:latest (+ git SHA tag)
# Triggered on push to mainline or semver tags.

when:
  - event: push
    branch: mainline
  - event: tag
    ref: refs/tags/v*

steps:
  # ── Agent image ─────────────────────────────────────────────────────────────
  - name: build-agent
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.ctz.fyi
      repo: registry.ctz.fyi/library/autojanet-agent
      dockerfile: container/Dockerfile
      context: .
      username:
        from_secret: RS_HARBOR_USER
      password:
        from_secret: RS_HARBOR_PASS
      tags:
        - latest
        - "${CI_COMMIT_SHA:0:12}"
      platforms: linux/amd64
    when:
      - event: push
        branch: mainline
      - event: tag

  # ── Dispatcher image ─────────────────────────────────────────────────────────
  - name: build-dispatcher
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.ctz.fyi
      repo: registry.ctz.fyi/library/autojanet-dispatcher
      dockerfile: container/Dockerfile.dispatcher
      context: .
      username:
        from_secret: RS_HARBOR_USER
      password:
        from_secret: RS_HARBOR_PASS
      tags:
        - latest
        - "${CI_COMMIT_SHA:0:12}"
      platforms: linux/amd64
    when:
      - event: push
        branch: mainline
      - event: tag

  # ── Intake image ─────────────────────────────────────────────────────────────
  - name: build-intake
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.ctz.fyi
      repo: registry.ctz.fyi/library/autojanet-intake
      dockerfile: intake/Dockerfile
      context: intake/
      username:
        from_secret: RS_HARBOR_USER
      password:
        from_secret: RS_HARBOR_PASS
      tags:
        - latest
        - "${CI_COMMIT_SHA:0:12}"
      platforms: linux/amd64
    when:
      - event: push
        branch: mainline
      - event: tag

  # ── Trivy scan agent image ───────────────────────────────────────────────────
  - name: trivy-agent
    image: aquasec/trivy:latest
    commands:
      - trivy image --exit-code 1 --severity HIGH,CRITICAL
          --ignore-unfixed
          registry.ctz.fyi/library/autojanet-agent:${CI_COMMIT_SHA:0:12}
    environment:
      TRIVY_USERNAME:
        from_secret: RS_HARBOR_USER
      TRIVY_PASSWORD:
        from_secret: RS_HARBOR_PASS
    when:
      - event: push
        branch: mainline
      - event: tag
    failure: ignore   # warn only — don't block on upstream CVEs in base image