azure-pipeline.yaml

name: $(Build.SourceBranch)-$(date:yyyyMMdd)$(rev:.r)
# Pipeline triggers on any branch and tag
trigger:
  branches:
    include:
    - '*'
  tags:
    include:
    - '*'
# Pipeline will be run on this base image
pool:
  vmImage: 'ubuntu-latest'

# Variables global to this pipeline
# https://docs.microsoft.com/en-us/azure/devops/pipelines/process/variables
variables:
  # Variables defined in Pipelines->Library->Variable Groups in your project in
  # Azure Pipelines
  - group: Hemmeligheter
  # Variables defined here
  - name: fullSha
    value: '$(Build.SourceVersion)'
  - name: imageName
    value: 'eu.gcr.io/prod-bip/ssb/stratus/jira-metrics-python'
  - name: repoName
    value: 'prod-bip/ssb/stratus/jira-metrics-python'

# Job which builds Docker image, pushes this to GCR and checks for any image vulnerabilities
jobs:
  - job: buildTestDockerBuildDockerPush
    displayName: 'Test/build Dockerimage'
    # Job condition: Run these jobs on any branch, but not on tags
    condition: not(startsWith(variables['Build.SourceBranch'], 'refs/tags/'))
    # Steps in this Job
    steps:
      # Test Python code
      - task: UsePythonVersion@0
        inputs:
          versionSpec: '3.8'
      - script: |
          pip install -r requirements.txt
          pip install pytest
          pytest -v
      # Build Docker image
      - task: Docker@2
        displayName: 'Docker build'
        inputs:
          repository: $(imageName)
          command: 'build'
          Dockerfile: 'Dockerfile'
          tags: |
            $(Build.SourceBranchName)-imagescan-$(fullSha)

      # Authenticate Docker to GCR using predefined service connection
      - task: Docker@2
        displayName: 'Login to GCR'
        inputs:
          command: login
          containerRegistry: gcrServiceConnection

      # Push Docker Image to GCR
      - task: Docker@2
        displayName: 'Push image'
        inputs:
          ContainerRegistry: |
            gcrServiceConnection
          repository: $(repoName)
          command: 'push'
          tags: |
            $(Build.SourceBranchName)-imagescan-$(fullSha)

      # Download file with json-key to GCR as a later task needs to
      # authenticate in a different way than using service connection
      # File is stored in Pipelines->Library->Secure Files
      - task: DownloadSecureFile@1
        name: gcrJsonKey
        displayName: 'Download gcr creds' 
        inputs:
          secureFile: 'gcr-key.json'

      # Set env variable pointing to the file downloaded in previous task
      # as a library in next task needs this env variable
      - script: |
          echo "Setting env variable GOOGLE_APPLICATION_CREDENTIALS"
          echo "##vso[task.setvariable variable=GOOGLE_APPLICATION_CREDENTIALS]$(gcrJsonKey.secureFilePath)"
        displayName: 'Setting GOOGLE_APPLICATION_CREDENTIALS env variable'

      # Wait for scan on image in GCR to complete and check for any vulnerabilities
      # with effective severity HIGH or CRITICAL
      - task: gcr-vulneralbility-check@0
        displayName: 'Image vulnerability check'
        inputs:
          projectId: 'prod-bip'
          imageHost: 'https://eu.gcr.io/'
          image: $(reponame)
          imageTag: '$(Build.SourceBranchName)-imagescan-$(fullSha)'