cc-utils:
  inherit:
    gh_pages_repo: &gh_pages_repo
      repos:
      - name: 'gh_pages'
        path: 'gardener/cc-utils'
        branch: 'gh-pages'
        source_labels:
          - name: 'cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1'
            value:
              policy: 'skip'
              comment: 'used for publishing documentation on github.com - not part of payload'

  background_image: https://media.tenor.com/kqo6_Um4FS4AAAAi/easter-easter-bunny.gif
  template: 'default'
  base_definition:
    repo:
      disable_ci_skip: True
    traits:
      version:
        read_callback: .ci/read-version
        write_callback: .ci/write-version
        preprocess: inject-commit-hash-nodash
      component_descriptor:
        ocm_repository: europe-docker.pkg.dev/gardener-project/snapshots
        component_labels:
        - name: 'cloud.gardener.cnudie/responsibles'
          value:
          - type: 'githubTeam'
            teamname: 'gardener/ci-maintainers'
            github_hostname: 'github.com'
  jobs:
    head-update:
      steps:
        test: ~
        lint: ~
        build_python_packages:
          output_dir: 'pypi'
        purge_old_packages_from_pypi:
          execute:
            - 'purge-old-versions-from-pypi.py'
            - '--keep'
            - '300'
            - '--cfg-name'
            - 'gardener'
            - '--package'
            - 'gardener-cicd-libs'
            - '--package'
            - 'gardener-cicd-whd'
            - '--package'
            - 'gardener-cicd-cli'
      traits:
        notifications:
          default:
            on_error:
              triggering_policy: 'only_first'
        publish:
          platforms:
            - 'linux/x86_64'
            - 'linux/arm64'
          oci-builder: 'docker-buildx'
          dockerimages:
            job-image:
              image: 'europe-docker.pkg.dev/gardener-project/snapshots/cicd/job-image'
              dockerfile: 'Dockerfile'
              tag_as_latest: False
              inputs:
                steps:
                  build_python_packages: ~

    pull-request:
      steps:
        test: ~
        lint: ~
      traits:
        options:
          public_build_logs: True
        pull-request:
          policies:
            require-label: 'reviewed/ok-to-test' # default
            build-forks: true # default

    release_job_image:
      <<: *gh_pages_repo
      repo:
        source_labels:
          - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
            value:
              policy: skip
              comment: |
                we use bandit for sast scanning (part of release-pipeline)
                see attached buildlog
      steps:
        test: ~
        lint: ~
        build_python_packages:
          output_dir: 'pypi'
        generate_documentation:
          publish_to: ['gh_pages']
      traits:
        component_descriptor:
          ocm_repository: europe-docker.pkg.dev/gardener-project/releases
          retention_policy:
            name: cleanup-releases
            dry_run: False
            rules:
              - name: releases
                match: releases
                restrict: 'none'
                keep: 300
        version:
          preprocess: 'finalize'
          inject_effective_version: True
        publish:
          platforms:
            - 'linux/x86_64'
            - 'linux/arm64'
          oci-builder: 'docker-buildx'
          dockerimages:
            job-image:
              image: 'europe-docker.pkg.dev/gardener-project/releases/cicd/job-image'
              dockerfile: 'Dockerfile'
              tag_as_latest: True
              inputs:
                steps:
                  build_python_packages: ~
              resource_labels:
                - name: 'cloud.gardener.cnudie/dso/scanning-hints/package-versions'
                  value:
                  - name: 'containerd'
                    version: 'v1.6.15' # found via DOCKER_VERSION -> github.com/moby/moby
                - name: 'gardener.cloud/cve-categorisation'
                  value:
                    network_exposure: 'protected'
                    authentication_enforced: true
                    user_interaction: 'gardener-operator'
                    confidentiality_requirement: 'high'
                    integrity_requirement: 'high'
                    availability_requirement: 'low'
        release:
          nextversion: 'bump_minor'
          release_callback: '.ci/bump_job_image_version.py'
          release_commit_publishing_policy: tag_and_merge_back
          release_notes_policy: disabled
          release_on_github: False
          assets:
            - type: build-step-log
              step_name: lint
              purposes:
                - lint
                - sast
                - pybandit
              comment: |
                we use bandit (linter) for SAST scans
                see: https://bandit.readthedocs.io/en/latest/
            - type: build-step-file
              mode: tar
              step_name: build_python_packages
              step_output_dir: pypi
              path: 'dist/gardener_cicd_libs-*'
              prefix: dist/
              name: gardener-cicd-libs
              purposes: &purposes
                - python
                - setuptools
                - pip
                - distribution-package
            - type: build-step-file
              mode: tar
              step_name: build_python_packages
              step_output_dir: pypi
              path: 'dist/gardener_oci-*'
              prefix: dist/
              name: gardener-oci
              purposes: *purposes
            - type: build-step-file
              mode: tar
              step_name: build_python_packages
              step_output_dir: pypi
              path: 'dist/gardener_cicd_whd-*'
              prefix: dist/
              name: gardener-cicd-whd
              purposes: *purposes
            - type: build-step-file
              mode: tar
              step_name: build_python_packages
              step_output_dir: pypi
              path: 'dist/gardener_cicd_cli-*'
              prefix: dist/
              name: gardener-cicd-cli
              purposes: *purposes
