# SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
#
# SPDX-License-Identifier: Apache-2.0

diki:
  base_definition:
    repo:
      source_labels:
      - name: cloud.gardener.cnudie/dso/scanning-hints/source_analysis/v1
        value:
          policy: skip
          comment: |
            We use gosec for sast scanning, see attached log.
    traits:
      version:
        preprocess: 'inject-commit-hash'
      component_descriptor:
        ocm_repository: europe-docker.pkg.dev/gardener-project/snapshots
      publish:
        oci-builder: docker-buildx
        platforms:
        - linux/amd64
        - linux/arm64
        dockerimages:
          # diki is the image used to run diki with
          diki:
            image: 'europe-docker.pkg.dev/gardener-project/snapshots/gardener/diki'
            dockerfile: 'Dockerfile'
            target: diki
            resource_labels:
            - name: "gardener.cloud/cve-categorisation"
              value:
                network_exposure: 'protected'
                authentication_enforced: false
                user_interaction: 'end-user'
                confidentiality_requirement: 'high'
                integrity_requirement: 'high'
                availability_requirement: 'none'
          # diki-ops is used for the privileged pods created by diki on the evaluated clusters.
          # It is a minimized image that is primarily used to run the following commands: `chroot` and `nerdctl`
          diki-ops:
            image: 'europe-docker.pkg.dev/gardener-project/snapshots/gardener/diki-ops'
            dockerfile: 'Dockerfile'
            target: diki-ops
            resource_labels:
            - name: "gardener.cloud/cve-categorisation"
              value:
                network_exposure: 'private'
                authentication_enforced: false
                user_interaction: 'end-user'
                confidentiality_requirement: 'high'
                integrity_requirement: 'high'
                availability_requirement: 'none'
  jobs:
    head-update:
      traits:
        component_descriptor:
          ocm_repository_mappings:
            - repository: europe-docker.pkg.dev/gardener-project/releases
        draft_release: ~
        options:
          public_build_logs: true
    pull-request:
      traits:
        pull-request: ~
        options:
          public_build_logs: true
    release:
      traits:
        version:
          preprocess: 'finalize'
        component_descriptor:
          ocm_repository: europe-docker.pkg.dev/gardener-project/releases
        release:
          nextversion: 'bump_minor'
          next_version_callback: '.ci/prepare_release'
          release_callback: '.ci/prepare_release'
          assets:
          - type: build-step-log
            step_name: verify
            purposes:
            - lint
            - sast
            - gosec
            comment: |
              We use gosec (linter) for SAST scans, see: https://github.com/securego/gosec.
              Enabled by https://github.com/gardener/diki/pull/333
        slack:
          default_channel: 'internal_scp_workspace'
          channel_cfgs:
            internal_scp_workspace:
              channel_name: 'C9CEBQPGE' #sap-tech-gardener
              slack_cfg_name: 'scp_workspace'
        publish:
          dockerimages:
            diki:
              image: europe-docker.pkg.dev/gardener-project/releases/gardener/diki
              tag_as_latest: true
            diki-ops:
              image: europe-docker.pkg.dev/gardener-project/releases/gardener/diki-ops
              tag_as_latest: true
