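SHELL := /bin/bash
MAKEFLAGS += --warn-undefined-variables

# CI related param
# TRAVIS_BRANCH is provided by Travis; outside CI, derive it from the checkout.
# It must be defaulted *before* DEBUG_IMAGE_TAG below, which expands it immediately (:=);
# with the default placed after it, a non-CI run got an empty branch in the debug tag.
ifeq ($(origin TRAVIS_BRANCH),undefined)
TRAVIS_BRANCH := $(shell git rev-parse --abbrev-ref HEAD)
endif
# Commit that `make release` tags when Travis does not supply one.
TRAVIS_COMMIT ?= head

# Docker related param
# Per-build tag so a published image can be traced back to the Travis job that built it.
DEBUG_IMAGE_TAG := $(TRAVIS_BRANCH)-$(TRAVIS_BUILD_NUMBER)-id-$(TRAVIS_BUILD_ID)-time-$(shell date +%s)
DOCKER_DOMAIN := git-defenders
DOCKERHUB_DOMAIN := ibmcom
DOCKER_REGISTRY_ICR := us.icr.io
DOCKER_USER_ICR := iamapikey
DOCKER_PASS_ICR := $(IBM_CLOUD_API_KEY)
DOCKER_REGISTRY_ART := txo-toolbox-team-docker-local.artifactory.swg-devops.com
DOCKER_USER_ART := [email protected]
DOCKER_PASS_ART := $(ART_API_KEY)
DOCKER_REGISTRY_DOCKERHUB := registry.hub.docker.com
DOCKER_USER_DOCKERHUB := $(DOCKER_HUB_USERNAME)
DOCKER_PASS_DOCKERHUB := $(DOCKER_HUB_API_KEY)
# The registry credentials above are read from variables this file does not define
# (IBM_CLOUD_API_KEY, ART_API_KEY, DOCKER_HUB_USERNAME, DOCKER_HUB_API_KEY) -- expected
# to be supplied by the CI environment, never committed here.
DOCKER_IMAGES := detect-secrets detect-secrets-hook detect-secrets-redhat-ubi detect-secrets-redhat-ubi-custom
# Registries the images are published to (ICR is configured above but not published to).
DOCKER_REGISTRIES := $(DOCKER_REGISTRY_ART) $(DOCKER_REGISTRY_DOCKERHUB)
# Per-invocation parameters of docker-publish-image; docker-publish-images fills them in.
IMAGE_NAME :=
IMAGE_TAG :=
IMAGE_TAGS := latest
DOCKER_REGISTRY :=
DOCKER_DOMAIN_LOCAL := $(DOCKER_DOMAIN)

# COS related param
COS_REGION := us-south
COS_BUCKET := detect-secrets-client-version
COS_FILE := version

# Test related param
# Extra pytest options such as "-k keyword" to restrict the number of test cases to run
EXTRA_PYTEST_OPTIONS :=

# Trivy related
TRIVY ?= /tmp/trivy
# Deferred (?=) so the GitHub API is only queried when a target actually expands it
# (setup-trivy), not on every make invocation, and so CI can pin a release with
# `make setup-trivy TRIVY_VERSION=x.y.z` instead of trusting whatever "latest" resolves to.
TRIVY_VERSION ?= $(shell curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
TRIVY_OS := $(shell uname | sed 's/Darwin/macOS/' )
# Part of `uname -m` after the "_", so x86_64 -> 64 (becomes "64bit" in the archive name).
# Other architectures are not mapped here -- TODO confirm before running on non-x86_64 hosts.
TRIVY_ARCH := $(shell uname -m | cut -d_ -f2 )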
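## Download the trivy release selected by TRIVY_VERSION and unpack the binary next to $(TRIVY).
setup-trivy:
# Expand TRIVY_VERSION once into a shell variable (a lazily defined value is then
# resolved a single time) and fail clearly when it is empty -- otherwise the download
# URL is malformed. The archive name is derived from $(TRIVY) instead of a fixed /tmp
# name. NOTE(review): the download is not integrity-checked here; pin TRIVY_VERSION in
# CI rather than relying on "latest".
	version="$(TRIVY_VERSION)"; \
	test -n "$${version}" || { echo "setup-trivy: TRIVY_VERSION is empty (GitHub API lookup failed?)" >&2; exit 1; }; \
	archive="$(TRIVY).tar.gz"; \
	mkdir -p "$(dir $(TRIVY))" && \
	curl -sSfL "https://github.com/aquasecurity/trivy/releases/download/v$${version}/trivy_$${version}_$(TRIVY_OS)-$(TRIVY_ARCH)bit.tar.gz" -o "$${archive}" && \
	tar zxvf "$${archive}" -C "$(dir $(TRIVY))" trivy && \
	rm -f "$${archive}"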
## Scan one locally built image with trivy; exits non-zero on unfixed-filtered findings.
## Usage: docker-quality-image-<image>, where <image> is a name from DOCKER_IMAGES.
docker-quality-image-%:
	img="$(DOCKER_DOMAIN_LOCAL)/$*"; \
	docker tag "$${img}" "$${img}:trivy" && \
	$(TRIVY) image --exit-code 1 --ignore-unfixed "$${img}:trivy"
## Scan every image in DOCKER_IMAGES (one docker-quality-image-<name> target each).
docker-quality-images: $(addprefix docker-quality-image-,$(DOCKER_IMAGES))
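## Smoke-test the two CLI images by asking each for its version.
docker-test-images:
# --version needs neither stdin nor a TTY, so -it is dropped (it fails in CI runners
# without a pty); --rm stops a stopped container being left behind after every run.
	docker run --rm $(DOCKER_DOMAIN_LOCAL)/detect-secrets --version
	docker run --rm $(DOCKER_DOMAIN_LOCAL)/detect-secrets-hook --version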
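## Build every Dockerfiles/*/*.Dockerfile as $(DOCKER_DOMAIN_LOCAL)/<image>.
docker-build-images:
# The image name is the second dot-separated field of the Dockerfile's basename
# (assumes <prefix>.<image>.Dockerfile naming -- verify against Dockerfiles/).
# "|| exit 1" is required: a for-loop's exit status is only that of its last
# iteration, so a failed build in the middle would otherwise pass unnoticed.
	for dockerfile in Dockerfiles/*/*.Dockerfile; do \
		image_name=$$(basename "$${dockerfile}" | cut -d. -f2); \
		docker build -f "$${dockerfile}" -t "$(DOCKER_DOMAIN_LOCAL)/$${image_name}" . || exit 1; \
	done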
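# The credentials are handed to the recipe shell through its environment and read there
# as shell variables ($$...), so the values are neither expanded into the command text
# (which make would echo) nor subject to shell quoting/expansion of their contents.
export DOCKER_PASS_DOCKERHUB DOCKER_PASS_ART

## Log in to Docker Hub and Artifactory; fails early and clearly if a credential is missing.
docker-login:
	@test -n "$$DOCKER_PASS_DOCKERHUB" || { echo "docker-login: DOCKER_PASS_DOCKERHUB (DOCKER_HUB_API_KEY) is empty" >&2; exit 1; }
	@test -n "$$DOCKER_PASS_ART" || { echo "docker-login: DOCKER_PASS_ART (ART_API_KEY) is empty" >&2; exit 1; }
# printf '%s' rather than echo: echo would interpret a value starting with "-n"/"-e".
	@printf '%s' "$$DOCKER_PASS_DOCKERHUB" | docker login -u "$(DOCKER_USER_DOCKERHUB)" --password-stdin
	@printf '%s' "$$DOCKER_PASS_ART" | docker login -u "$(DOCKER_USER_ART)" --password-stdin "$(DOCKER_REGISTRY_ART)"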
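## Publish every image in DOCKER_IMAGES to every registry in DOCKER_REGISTRIES under every
## tag in IMAGE_TAGS, one docker-publish-image sub-make per combination.
docker-publish-images: docker-login
# "|| exit 1" is required: the loop's exit status is only that of its last iteration,
# so a failed push in the middle would otherwise leave the target reported as successful.
	for image_name in $(DOCKER_IMAGES); do \
		for registry in $(DOCKER_REGISTRIES); do \
			for tag in $(IMAGE_TAGS); do \
				$(MAKE) docker-publish-image \
					IMAGE_NAME="$${image_name}" DOCKER_REGISTRY="$${registry}" IMAGE_TAG="$${tag}" || exit 1; \
			done; \
		done; \
	done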
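## Tag the local $(DOCKER_DOMAIN_LOCAL)/$(IMAGE_NAME) for $(DOCKER_REGISTRY) and push it as
## $(IMAGE_TAG). Normally driven by docker-publish-images; all three parameters are required.
docker-publish-image:
# Recipe-time guards: the prologue defaults these to empty, and an empty value would
# otherwise build a malformed reference (e.g. "<domain>/:") that docker would reject.
	@$(if $(strip $(IMAGE_NAME)),,$(error docker-publish-image: IMAGE_NAME is empty))
	@$(if $(strip $(IMAGE_TAG)),,$(error docker-publish-image: IMAGE_TAG is empty))
	@$(if $(strip $(DOCKER_REGISTRY)),,$(error docker-publish-image: DOCKER_REGISTRY is empty))
# Docker Hub images live under $(DOCKERHUB_DOMAIN); any other registry is addressed as
# <registry>/$(DOCKER_DOMAIN)/<image>. The push is skipped when tagging fails.
	if [ "$(DOCKER_REGISTRY)" = "$(DOCKER_REGISTRY_DOCKERHUB)" ]; then \
		dest="$(DOCKERHUB_DOMAIN)/$(IMAGE_NAME):$(IMAGE_TAG)"; \
	else \
		dest="$(DOCKER_REGISTRY)/$(DOCKER_DOMAIN)/$(IMAGE_NAME):$(IMAGE_TAG)"; \
	fi; \
	docker tag "$(DOCKER_DOMAIN_LOCAL)/$(IMAGE_NAME)" "$${dest}" && \
	docker push "$${dest}"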
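# The API key reaches the recipe shell through its environment and is referenced there as
# a shell variable ($$IBM_CLOUD_API_KEY), so make's echo of the command shows the variable
# name, not the key. "export" keeps that true even if the variable was set in a makefile.
export IBM_CLOUD_API_KEY

## Store $(TRAVIS_TAG) as the current client version in COS when it is newer than the
## version already published there (decided by scripts/version_greater_than_in_cos.py).
publish-cos:
# NOTE(review): "curl ... | bash" installs the IBM Cloud CLI from an unpinned URL with no
# integrity check -- a supply-chain exposure on the deploy path; a pinned, verified
# installer would be preferable.
	pip install requests packaging; \
	should_update=$$(python scripts/version_greater_than_in_cos.py "$(TRAVIS_TAG)"); \
	if [ "$${should_update}" == "yes" ]; then \
		curl -sL https://ibm.biz/idt-installer | bash; \
		ibmcloud login --apikey "$$IBM_CLOUD_API_KEY" -a https://cloud.ibm.com -r "$(COS_REGION)"; \
		echo "$(TRAVIS_TAG)" > version.txt; \
		ibmcloud cos put-object --bucket "$(COS_BUCKET)" --key "$(COS_FILE)" --body version.txt --region "$(COS_REGION)"; \
	fi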
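## Tag $(TRAVIS_COMMIT) with the VERSION from detect_secrets/__init__.py when no tag for it
## exists yet, and push the tags.
release:
	git fetch origin --tags
# Once a new tag is generated, it will trigger Travis to publish new image.
# Both values are quoted: an empty TAG_VERSION (repository without tags) or NEW_VERSION
# previously made the unquoted "[ ... != ... ]" a shell syntax error instead of a decision.
	TAG_VERSION=$$(git describe --tags --abbrev=0); \
	NEW_VERSION=$$(grep VERSION detect_secrets/__init__.py | cut -d\' -f2); \
	test -n "$${NEW_VERSION}" || { echo "release: could not read VERSION from detect_secrets/__init__.py" >&2; exit 1; }; \
	if [ "$${TAG_VERSION}" != "$${NEW_VERSION}" ]; then \
		git tag "$${NEW_VERSION}" "$(TRAVIS_COMMIT)" && \
		git push origin --tags; \
	fi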
## Travis deploy entry point: publish images for a tag build and for the master/dss branches.
deploy:
# A tag build publishes the tagged version; "+" in TRAVIS_TAG is replaced with "." to
# avoid the docker tag warning.
	if [ -n "$(TRAVIS_TAG)" ]; then \
		$(MAKE) docker-publish-images push-tag publish-cos IMAGE_TAGS="$(subst +,.,$(TRAVIS_TAG))"; \
	fi
# Branch builds publish a floating tag plus the per-build DEBUG_IMAGE_TAG.
	case "$(TRAVIS_BRANCH)" in \
	master) \
		$(MAKE) docker-publish-images sync-branches IMAGE_TAGS="latest $(DEBUG_IMAGE_TAG)"; \
		$(MAKE) release; \
		;; \
	dss) \
		$(MAKE) docker-publish-images IMAGE_TAGS="dss-latest $(DEBUG_IMAGE_TAG)"; \
		;; \
	esac
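## Push $(TRAVIS_TAG) to the Whitewater/whitewater-detect-secrets mirror.
push-tag:
# Fail at recipe time rather than letting git push an empty refspec.
	@$(if $(strip $(TRAVIS_TAG)),,$(error push-tag: TRAVIS_TAG is empty))
# "remote add" errors out when the remote already exists (e.g. sync-branches ran in the
# same checkout), so only add it when it is missing.
	git remote get-url github >/dev/null 2>&1 || git remote add github https://github.ibm.com/Whitewater/whitewater-detect-secrets.git
	git fetch github
	git push github "$(TRAVIS_TAG)"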
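## Mirror $(TRAVIS_BRANCH) to the dss branch and to Whitewater/whitewater-detect-secrets.
## Both pushes are forced (-f): they overwrite the destination branch's history.
sync-branches:
# sync to dss
	git fetch origin --tags
	git push origin "$(TRAVIS_BRANCH)":dss -f --tags
# sync to Whitewater/whitewater-detect-secrets
# "remote add" errors out when the remote already exists (e.g. push-tag ran in the same
# checkout), so only add it when it is missing.
	git remote get-url github >/dev/null 2>&1 || git remote add github https://github.ibm.com/Whitewater/whitewater-detect-secrets.git
	git fetch github
	git push github "$(TRAVIS_BRANCH)":master -f --tags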
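## Add a public DNS entry for public.dhe.ibm.com (the 9.x one is not serving traffic now);
## public.dhe.ibm.com access is required for the ibm-db pip package.
fix-dns:
# Resolve first and refuse to touch /etc/hosts when the lookup came back empty --
# otherwise a line with no address was appended, corrupting the hosts file.
	ip="$$(dig @8.8.8.8 public.dhe.ibm.com +short | tail -n1)"; \
	test -n "$${ip}" || { echo "fix-dns: DNS lookup for public.dhe.ibm.com returned nothing; /etc/hosts left untouched" >&2; exit 1; }; \
	echo "$${ip} public.dhe.ibm.com" | sudo tee -a /etc/hosts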
## Run the test suite under coverage and enforce the coverage floors
## (100% for tests/, 98% for detect_secrets/).
test-local: COVERAGE_REPORT := coverage report --show-missing
test-local:
	coverage run -m pytest tests $(EXTRA_PYTEST_OPTIONS)
	$(COVERAGE_REPORT) --include='tests/*' --fail-under 100
	$(COVERAGE_REPORT) --include='detect_secrets/*' --fail-under 98
# None of these targets produce a file of the same name; docker-quality-image-% is a
# pattern rule and cannot be listed here.
.PHONY: deploy docker-build-images docker-login docker-publish-image docker-publish-images \
        docker-quality-images docker-test-images fix-dns publish-cos push-tag release \
        setup-trivy sync-branches test-local