steps:
  # Build the image with kaniko and push it to the registry named by the
  # `container_registry` secret, tagged latest + commit SHA (+ the tag name
  # on tag events). Runs on every push and every tag.
  # NOTE(review): plugins/kaniko is referenced without a tag or digest, so the
  # builder itself floats; pin it (release tag or @sha256) so the build toolchain
  # cannot change underneath the pipeline.
  build:
    image: plugins/kaniko
    settings:
      # NOTE(review): the scan and SBOM steps later in this file reference the
      # image as $FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA; that string must match the
      # destination kaniko actually pushes to (registry host included) — verify.
      repo: ${FORGE_NAME}/${CI_REPO}
      registry:
        from_secret: container_registry
      # NOTE(review): on push events ${CI_COMMIT_TAG} expands to an empty string,
      # which leaves a trailing empty entry in this comma-separated list — confirm
      # the plugin tolerates that. Also, `latest` is re-pointed on every push of
      # any branch unless a branch filter is applied elsewhere — confirm intended.
      tags: latest,${CI_COMMIT_SHA},${CI_COMMIT_TAG}
      username:
        from_secret: container_registry_username
      password:
        from_secret: container_registry_password
      dockerfile: Dockerfile
    when:
      - event: [push, tag]

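  # Gate the freshly built image on a trivy vulnerability scan: any finding
  # (all severities, fixed or unfixed) fails the pipeline via --exit-code 1.
  # NOTE(review): this runs after kaniko has already pushed the image, so a
  # failing image is published before the gate trips; scanning a local image
  # tarball before the push would close that window.
  # NOTE(review): aquasec/trivy is unpinned (floating latest) — pin a release
  # tag or digest so the gate's behaviour (DB format, defaults, exit codes)
  # does not change between runs.
  scan_image:
    image: aquasec/trivy
    environment:
      # Registry credentials for pulling the image under scan. trivy reads these
      # env vars natively; they are harmless for a public registry and required
      # for a private one. Reuses the same secrets the build step pushes with.
      TRIVY_USERNAME:
        from_secret: container_registry_username
      TRIVY_PASSWORD:
        from_secret: container_registry_password
    commands:
      # Image reference is quoted so an empty or odd-valued variable cannot split
      # into extra arguments.
      - trivy image "$FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA" --quiet --exit-code 1
    when:
      - event: [push, tag]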

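  # Generate a CycloneDX SBOM for the built image through a trivy server and
  # upload it to Dependency-Track, which auto-creates the project and versions
  # it by git tag (falling back to the commit SHA on plain pushes).
  generate_sbom:
    image: quay.io/wollud1969/woodpecker-helper:0.5.1
    environment:
      # trivy reads TRIVY_TOKEN from the environment, so the token is no longer
      # passed as a command-line argument: argv is visible to anything that can
      # list processes in the container, and Woodpecker's secret masking covers
      # only its own log output.
      TRIVY_TOKEN:
        from_secret: trivy_token
      TRIVY_URL:
        from_secret: trivy_url
      # Registry credentials for pulling the image; trivy reads these natively.
      # Harmless for a public registry, required for a private one.
      TRIVY_USERNAME:
        from_secret: container_registry_username
      TRIVY_PASSWORD:
        from_secret: container_registry_password
      DTRACK_API_KEY:
        from_secret: dtrack_api_key
      DTRACK_API_URL:
        from_secret: dtrack_api_url
    commands:
      # NOTE(review): presumably gives trivy a writable cache/config directory
      # for the user the helper image runs as — confirm it is still needed.
      - HOME=/home/`id -nu`
      # Dependency-Track project version: git tag if set, else the commit SHA.
      - TAG="${CI_COMMIT_TAG:-$CI_COMMIT_SHA}"
      # Client/server mode: the vulnerability DB lives on the trivy server.
      # Only the license scanner runs here; Dependency-Track does its own
      # vulnerability analysis on the uploaded BOM.
      - |
        trivy image \
              --server "$TRIVY_URL" \
              --format cyclonedx \
              --scanners license \
              --output /tmp/sbom.xml \
              "$FORGE_NAME/$CI_REPO:$CI_COMMIT_SHA"
      # NOTE(review): this prints the full component inventory into the build
      # log, readable by anyone with log access — remove once debugging is done.
      - cat /tmp/sbom.xml
      # -f  fail the step on an HTTP error (401 bad key, 400 rejected BOM, ...);
      #     without it curl exits 0 and a rejected upload goes unnoticed.
      # -sS no progress meter, but errors are still printed.
      - |
        curl -fsS -X "POST" \
             -H "Content-Type: multipart/form-data" \
             -H "X-Api-Key: $DTRACK_API_KEY" \
             -F "autoCreate=true" \
             -F "projectName=$CI_REPO" \
             -F "projectVersion=$TAG" \
             -F "bom=@/tmp/sbom.xml" \
             "$DTRACK_API_URL/api/v1/bom"
    when:
      - event: [push, tag]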

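  # Release publish: on tag events, additionally push the image to quay.io,
  # tagged latest and with the git tag name.
  # Keyed `build_quay` rather than `build`: this file already defines a step
  # named `build` above, and a duplicate mapping key is invalid YAML — lenient
  # parsers silently keep only the last definition (dropping the first build
  # that the scan and SBOM steps depend on), strict ones reject the whole
  # pipeline.
  # NOTE(review): if this step was meant to *replace* the earlier build rather
  # than run alongside it, delete that one instead and point the scan and SBOM
  # steps at this image.
  # NOTE(review): plugins/kaniko is unpinned — pin a release tag or digest.
  build_quay:
    image: plugins/kaniko
    settings:
      repo: quay.io/wollud1969/exim-docker
      registry: quay.io
      tags:
        - latest
        - ${CI_COMMIT_TAG}
      username:
        from_secret: quay_username
      password:
        from_secret: quay_password
      dockerfile: Dockerfile
    when:
      - event: [tag]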