pipeline: add symfony app generic integration pipeline

This reverts commit 61f5eb8d3d.

pipelines/sentry.jenkinsfile

@@ -0,0 +1,76 @@
+pipeline {
+    agent {
+        docker {
+            image "getsentry/sentry-cli"
+            args "--entrypoint="
+        }
+    }
+
+    environment {
+        projectDir = "${env.project_name}_${env.BUILD_ID}" 
+    }
+
+    stages {
+
+        stage("Clone repository") {
+            steps {
+                checkout scm: 
+                    [
+                        $class: 'GitSCM', 
+                        userRemoteConfigs: [[url: env.repository_url, credentialsId: 'jenkins-forge-ssh']], 
+                        branches: [[name: env.ref]],
+                        extensions: [
+                            [$class: 'RelativeTargetDirectory', relativeTargetDir: env.projectDir ],
+                            [$class: 'CloneOption', noTags: false, shallow: false, depth: 0, reference: ''],
+                            [$class: 'WipeWorkspace' ]
+                        ]
+                    ], 
+                    changelog: false, 
+                    poll: false
+            }
+        }
+
+
+        stage('Create sentry release') {
+            steps {
+                dir(env.projectDir) {
+                    withCredentials([
+                        string(credentialsId: 'sentry-url', variable: 'SENTRY_URL'),
+                        string(credentialsId: 'sentry-release-auth-token', variable: 'SENTRY_AUTH_TOKEN')
+                    ]) {
+                        sh '''
+                        SENTRY_CMD="sentry-cli --auth-token \"${SENTRY_AUTH_TOKEN}\" --url \"${SENTRY_URL}\""
+                        PROJECT_VERSION=$(sentry-cli releases propose-version)
+                        
+                        $SENTRY_CMD \
+                            releases \
+                            --org "${sentry_org}" \
+                            new \
+                            -p "${sentry_project}" ${PROJECT_VERSION}
+
+                        ( 
+                            $SENTRY_CMD \
+                                releases \
+                                --org "${sentry_org}" \
+                                set-commits --local \
+                                ${PROJECT_VERSION} || exit 0
+                        )
+
+                         $SENTRY_CMD \
+                            releases \
+                            --org "${sentry_org}" \
+                            finalize \
+                            ${PROJECT_VERSION}
+                        '''
+                    }
+                }
+            }
+        }
+    }
+
+    post {
+        always {
+            cleanWs()
+        }
+    }
+}

resources/com/cadoles/common/add-letsencrypt-ca.sh

@@ -0,0 +1,26 @@
+#!/bin/sh
+
+set -eo pipefail
+
+DESTDIR=/usr/local/share/ca-certificates
+UPDATE_CERTS_CMD=update-ca-certificates
+CERTS="$(cat <<EOF
+https://letsencrypt.org/certs/isrgrootx1.pem
+https://letsencrypt.org/certs/isrg-root-x2.pem
+https://letsencrypt.org/certs/lets-encrypt-r3.pem
+https://letsencrypt.org/certs/lets-encrypt-e1.pem
+https://letsencrypt.org/certs/lets-encrypt-r4.pem
+https://letsencrypt.org/certs/lets-encrypt-e2.pem
+EOF
+)"
+
+cd "$DESTDIR"
+
+for cert in $CERTS; do
+    echo "Downloading '$cert'..."
+    filename=$(basename "$cert")
+    wget --tries=10 --timeout=30 -O "$filename" "$cert"
+    openssl x509 -in "$filename" -inform PEM -out "$filename.crt"
+done
+
+$UPDATE_CERTS_CMD

resources/com/cadoles/lighthouse/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.13 as envtpl
+FROM golang:1.15 as envtpl
 
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
@@ -14,7 +14,7 @@ RUN git clone https://github.com/subfuzion/envtpl /src \
     -ldflags "-X main.AppVersionMetadata=$(date -u +%s)" \
     -a -installsuffix cgo -o ./bin/envtpl ./cmd/envtpl/.
 
-FROM alpine:3.10
+FROM alpine:3.13
 
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=

resources/com/cadoles/lighthouse/run-audit.sh

@@ -10,10 +10,9 @@ rm -f reports/*
 cd reports
 
 lighthouse \
+    "$LIGHTHOUSE_URL" \
     --no-enable-error-reporting \
     --chrome-flags="--headless --disable-dev-shm-usage --no-sandbox --disable-gpu" \
     --config=../config.js \
     --output json --output html \
-    --output-path=lighthouse \
-    -- \
-    "$LIGHTHOUSE_URL"
+    --output-path=lighthouse

resources/com/cadoles/symfony/.php-cs-fixer.dist.php

@@ -0,0 +1,41 @@
+<?php
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__.'/src')
+    ->name('*.php')
+;
+
+return (new PhpCsFixer\Config())
+    ->setRules([
+        '@Symfony' => true,
+        'concat_space' => ['spacing' => 'none'],
+        'array_syntax' => ['syntax' => 'short'],
+        'combine_consecutive_issets' => true,
+        'explicit_indirect_variable' => true,
+        'no_useless_return' => true,
+        'ordered_imports' => true,
+        'no_unused_imports' => true,
+        'no_spaces_after_function_name' => true,
+        'no_spaces_inside_parenthesis' => true,
+        'ternary_operator_spaces' => true,
+        'class_definition' => ['single_line' => true],
+        'whitespace_after_comma_in_array' => true,
+        'phpdoc_add_missing_param_annotation' => ['only_untyped' => true],
+        'phpdoc_order' => true,
+        'phpdoc_types_order' => [
+            'null_adjustment' => 'always_last',
+            'sort_algorithm' => 'alpha',
+        ],
+        'phpdoc_no_empty_return' => false,
+        'phpdoc_summary' => false,
+        'general_phpdoc_annotation_remove' => [
+            'annotations' => [
+                'expectedExceptionMessageRegExp',
+                'expectedException',
+                'expectedExceptionMessage',
+                'author',
+            ],
+        ],
+    ])
+    ->setFinder($finder)
+;

resources/com/cadoles/symfony/Dockerfile

@@ -0,0 +1,42 @@
+ARG PHP_SECURITY_CHECKER_VERSION=1.0.0
+ARG JQ_VERSION=1.6
+
+RUN apt update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        wget tar curl ca-certificates \
+        openssl bash git unzip \
+        php-cli php-dom php-mbstring php-ctype php-xml php-iconv
+        
+COPY add-letsencrypt-ca.sh /root/add-letsencrypt-ca.sh
+
+RUN bash /root/add-letsencrypt-ca.sh \
+    && rm -f /root/add-letsencrypt-ca.sh
+
+RUN wget -O /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
+    && chmod +x /usr/local/bin/jq
+
+# Install local-php-security-checker
+RUN wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
+    && chmod +x /usr/local/bin/local-php-security-checker
+
+# Install junit2md
+RUN junit2md_download_url=$(curl "https://forge.cadoles.com/api/v1/repos/Cadoles/junit2md/releases" -H "accept:application/json" | jq -r 'sort_by(.published_at) | reverse | .[0] | .assets[] | select(.name == "junit2md-linux-amd64.tar.gz") | .browser_download_url') \
+    && wget -O junit2md-linux-amd64.tar.gz "$junit2md_download_url" \
+    && tar -xzf junit2md-linux-amd64.tar.gz \
+    && cp junit2md-linux-amd64/junit2md /usr/local/bin/junit2md
+
+# Install composer
+RUN wget https://raw.githubusercontent.com/composer/getcomposer.org/76a7060ccb93902cd7576b67264ad91c8a2700e2/web/installer -O - -q | php -- --force --install-dir /usr/local/bin --filename composer \
+    && chmod +x /usr/local/bin/composer
+
+# Install php-cs-fixer
+RUN mkdir --parents /tools/php-cs-fixer \
+    && composer require --working-dir=/tools/php-cs-fixer friendsofphp/php-cs-fixer \
+    && ln -s /tools/php-cs-fixer/vendor/bin/php-cs-fixer /usr/local/bin/php-cs-fixer
+
+# Install php-stan 
+RUN mkdir --parents /tools/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan \
+    && ln -s /tools/phpstan/vendor/bin/phpstan /usr/local/bin/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-symfony \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-doctrine    

resources/com/cadoles/symfony/phpstan.neon

@@ -0,0 +1,4 @@
+includes:
+    - /tools/phpstan/vendor/phpstan/phpstan-symfony/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/rules.neon

resources/com/cadoles/tamarin/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.8
+FROM alpine:3.12
 
 ARG HTTP_PROXY=
 ARG HTTPS_PROXY=
@@ -7,7 +7,9 @@ ARG https_proxy=
 
 ARG TAMARIN_VERSION=develop
 
-RUN apk add --no-cache git docker python3 bash
+RUN apk add --no-cache git docker python3 bash openssl curl
+
+RUN curl -k https://forge.cadoles.com/Cadoles/Jenkins/raw/branch/master/resources/com/cadoles/common/add-letsencrypt-ca.sh | bash
 
 RUN git clone http://forge.cadoles.com/Cadoles/Tamarin /tamarin\
   && cd /tamarin\
@@ -23,4 +25,4 @@ VOLUME /dist
 ADD run-tamarin.sh /usr/local/bin/run-tamarin
 RUN chmod +x /usr/local/bin/run-tamarin
 
-CMD /usr/local/bin/run-tamarin
+CMD /usr/local/bin/run-tamarin

resources/com/cadoles/w3af/Dockerfile

@@ -37,55 +37,10 @@ RUN apk --no-cache add \
     python-dev \
     sqlite-dev \
     yaml-dev \
+    sudo \
     nodejs \
     npm
 
-RUN pip install --upgrade pip \
-  && pip install \
-    pyClamd==0.4.0 \
-    GitPython==2.1.3 \
-    chardet==3.0.4 \
-    futures==3.2.0 \
-    pyOpenSSL==18.0.0 \
-    ndg-httpsclient==0.4.0 \
-    pyasn1==0.4.2 \
-    scapy==2.4.0 \
-    msgpack==0.5.6 \
-    Jinja2==2.10 \
-    vulndb==0.1.1 \
-    psutil==5.4.8 \
-    ds-store==1.1.2 \
-    pebble==4.3.8 \
-    acora==2.1 \
-    diff-match-patch==20121119 \
-    lz4==1.1.0 \
-    vulners==1.3.0 \
-    ipaddresses==0.0.2 \
-    PyGithub==1.21.0 \
-    pybloomfiltermmap==0.3.14 \
-    phply==0.9.1 nltk==3.0.1 \
-    tblib==0.2.0 \
-    pdfminer==20140328 \
-    lxml==3.4.4 \
-    guess-language==0.2 \
-    cluster==1.1.1b3 \
-    python-ntlm==1.0.1 \
-    halberd==0.2.4 \
-    darts.util.lru==0.5 \
-    markdown==2.6.1 \
-    termcolor==1.1.0 \
-    mitmproxy==0.13 \
-    ruamel.ordereddict==0.4.8 \
-    Flask==0.10.1 \
-    PyYAML==3.12 \
-    tldextract==1.7.2 \
-    esmre==0.3.1 \
-    bravado-core==5.12.1 \
-    subprocess32==3.5.4 \
-  && npm install -g retire \
-  && rm -rf /root/.cache/pip \
-  && apk del build-base linux-headers
-
 RUN adduser -D w3af
 
 RUN git clone --depth=1 \
@@ -94,6 +49,9 @@ RUN git clone --depth=1 \
   && rm -rf /home/w3af/w3af/.git \
   && chown -R w3af /home/w3af/w3af
 
+RUN cd /home/w3af/w3af \
+  && ( ./w3af_console || . /tmp/w3af_dependency_install.sh )
+
 COPY run-audit.sh /usr/local/bin/run-audit
 RUN chmod +x /usr/local/bin/run-audit
 

vars/cpkg.groovy

@@ -8,6 +8,7 @@ def call(Map params = [:]) {
     def distVersion = params.distVersion ? params.distVersion : '2.7.0'
     def distBranchName = params.distBranchName ? params.distBranchName : env.GIT_BRANCH
     def gitCredentials = params.gitCredentials ? params.gitCredentials : null
+    def gitCredentialsType = params.gitCredentialsType ? params.gitCredentialsType : 'http'
     def gitEmail = params.gitEmail ? params.gitEmail : 'jenkins@cadoles.com'
     def gitUsername = params.gitUsername ? params.gitUsername : 'Jenkins'
     def skipCi = params.containsKey('skipCi') ? params.skipCi : false
@@ -89,8 +90,16 @@ def call(Map params = [:]) {
     }
 
     if (gitCredentials != null) {
-        git.withHTTPCredentials(gitCredentials) {
-            proc.call()
+        if (gitCredentialsType == 'http') {
+            git.withHTTPCredentials(gitCredentials) {
+                proc.call()
+            }
+        } else if (gitCredentialsType == 'ssh') {
+            git.withSSHCredentials(gitCredentials) {
+                proc.call()
+            }
+        } else {
+            throw new Exception("Unknown git credentials type '${gitCredentialsType}' ! Expected 'ssh' or 'http' (default).")
         }
     } else {
         proc.call()

vars/debian.groovy

@@ -1,7 +1,7 @@
 def waitForRepoPackage(String packageName, Map params = [:]) {
   def expectedVersion = params.expectedVersion ? params.expectedVersion : null
   def delay = params.delay ? params.delay : 30
-  def waitTimeout = params.timeout ? params.timeout : 1200
+  def waitTimeout = params.timeout ? params.timeout : 2400
   
   def message = "Waiting for package '${packageName}'"
   if (expectedVersion != null) {

vars/git.groovy

@@ -27,4 +27,18 @@ def withHTTPCredentials(String credentialsId, Closure fn) {
             sh(script: "rm -f '${tmpAskPassScript}'")
         }
     }
+}
+
+def withSSHCredentials(String credentialsId, Closure fn) {
+    def randomUUID = UUID.randomUUID().toString()
+    withCredentials([
+        sshUserPrivateKey(
+            credentialsId: credentialsId,
+            keyFileVariable: 'GIT_SSH_IDENTITY_FILE',
+        )
+    ]) {
+        withEnv(['GIT_SSH_VARIANT=ssh', 'GIT_SSH_COMMAND=ssh -i $GIT_SSH_IDENTITY_FILE -o IdentitiesOnly=yes -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null']) {
+            fn.call()
+        }
+    }
 }

vars/gitea.groovy

@@ -0,0 +1,40 @@
+def commentPullRequest(String repo, String issueId, String comment, Integer commentIndex = 0) {
+  comment = comment.replaceAll('"', '\\"')
+  withCredentials([
+    string(credentialsId: 'GITEA_JENKINS_PERSONAL_TOKEN', variable: 'GITEA_TOKEN'),
+  ]) {
+    writeFile(file: ".prComment", text: comment)
+    sh """#!/bin/bash
+    set -xeo pipefail
+
+    # Récupération si il existe du commentaire existant
+    previous_comment_id=\$(curl -v --fail \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      -H "Content-Type: application/json" \
+      https://forge.cadoles.com/api/v1/repos/${repo}/issues/${issueId}/comments \
+      | jq -c '[ .[] | select(.user.login=="jenkins") ] | .[${commentIndex}] | .id' \
+    )
+
+    # Génération du payload pour l'API Gitea
+    echo '{}' | jq -c --rawfile body .prComment '.body = \$body' > payload.json
+
+    if [[ "\$previous_comment_id" == "null" ]]; then
+      # Création du commentaire via l'API Gitea
+      curl -v --fail \
+        -XPOST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @payload.json \
+        https://forge.cadoles.com/api/v1/repos/${repo}/issues/${issueId}/comments
+    else
+      # Modification du commentaire existant
+      curl -v --fail \
+        -XPATCH \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @payload.json \
+        https://forge.cadoles.com/api/v1/repos/${repo}/issues/comments/\$previous_comment_id
+    fi
+    """
+  }
+}

vars/lolops.groovy

@@ -13,6 +13,15 @@ def getRandomDeliveryAttachment(Integer probability = 25) {
         'https://media.giphy.com/media/QBRlXHKV5mpbLJ4prc/giphy.gif',
         'https://media.giphy.com/media/NOsfNQGivMFry/giphy.gif',
         'https://media.giphy.com/media/M1vu1FJnW6gms/giphy.gif',
+        'https://media.giphy.com/media/555x0gFF89OhVWPkvb/giphy.gif',
+        'https://media.giphy.com/media/9RZu6ahd8LIYHQlGUD/giphy.gif',
+        'https://media.giphy.com/media/9RZu6ahd8LIYHQlGUD/giphy.gif',
+        'https://media.giphy.com/media/W1fFHj6LvyTgfBNdiz/giphy.gif',
+        'https://media.giphy.com/media/1g2JyW7p6mtZc6bOEY/giphy.gif',
+        'https://media.giphy.com/media/ORiFE3ijpNaIWDoOqP/giphy.gif',
+        'https://media.giphy.com/media/r16Zmuvt1hSTK/giphy.gif',
+        'https://media.giphy.com/media/bF8Tvy2Ta0mqxXgaPV/giphy.gif',
+        'https://media.giphy.com/media/C0XT6BmLC3nGg/giphy.gif'
     ]
     Random rnd = new Random()
     if (rnd.nextInt(100) > probability) {

vars/sonarqube.groovy

@@ -0,0 +1,80 @@
+// Pipeline de scan de projet avec SonarQube
+def call() {
+    pipeline {
+        agent {
+            label 'docker'
+        }
+        
+        environment {
+            projectDir = "${env.project_name}_${env.BUILD_ID}" 
+        }
+
+        stages {
+            stage("Package project") {
+                when {
+                    not {
+                        triggeredBy 'TimerTrigger'
+                    }
+                }
+                steps {
+                    script {
+                        stage("Clone repository") {
+                            checkout scm: 
+                                [
+                                    $class: 'GitSCM', 
+                                    userRemoteConfigs: [[url: env.repository_url, credentialsId: 'jenkins-forge-ssh']], 
+                                    branches: [[name: env.ref]],
+                                    extensions: [
+                                        [$class: 'RelativeTargetDirectory', relativeTargetDir: env.projectDir ],
+                                        [$class: 'CloneOption', noTags: false, shallow: false, depth: 0, reference: ''],
+                                        [$class: 'WipeWorkspace' ]
+                                    ]
+                                ], 
+                                changelog: false, 
+                                poll: false
+                        }
+                    
+                        stage("Scan project") {
+                            dir(env.projectDir) {
+                                withCredentials([
+                                    string(credentialsId: 'SONARQUBE_URL', variable: 'SONARQUBE_URL'),
+                                    string(credentialsId: 'SONARQUBE_TOKEN', variable: 'SONARQUBE_TOKEN'),
+                                ]) {
+                                    sh """
+                                    docker run \
+                                        --rm \
+                                        -e SONAR_HOST_URL="${env.SONARQUBE_URL}" \
+                                        -e SONAR_LOGIN="${env.SONARQUBE_TOKEN}" \
+                                        -v "${env.WORKSPACE}/${env.projectDir}/:/usr/src" \
+                                        sonarsource/sonar-scanner-cli \
+                                        -Dsonar.projectKey=${env.sonarqubeProjectKey} \
+                                        -Dsonar.projectVersion=${env.ref}
+                                    """
+                                }
+
+                                // On notifie le canal Rocket.Chat du scan
+                                // rocketSend (
+                                //     avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
+                                //     message: """
+                                //     Le projet ${env.project_name} a été scanné par SonarQube.
+                                    
+                                //     - [Voir les résultats](${env.SONARQUBE_URL}/dashboard?id=${env.sonarqubeProjectKey})
+                                //     - [Visualiser le job](${env.RUN_DISPLAY_URL})
+                                    
+                                //     @${env.sender_login}
+                                //     """.stripIndent(),
+                                //     rawMessage: true,
+                                // )                          
+                            }
+                        }
+                    }
+                }
+                post {
+                    always {
+                        sh "rm -rf '${env.projectDir}'"
+                    }
+                }
+            }
+        }
+    }
+}

vars/symfonyAppPipeline.groovy

@@ -0,0 +1,115 @@
+import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
+
+def call(String baseImage = "ubuntu:22.04") {
+  node {
+    stage("Checkout project") {
+      checkout(scm)
+    }
+
+    stage('Run in Symfony image') {
+      def symfonyImage = buildDockerImage(baseImage)
+      symfonyImage.inside() {
+        def repo = env.JOB_NAME
+        if (env.BRANCH_NAME ==~ /^PR-.*$/) {
+          repo = env.JOB_NAME - "/${env.JOB_BASE_NAME}"
+        }
+
+        stage("Install composer dependencies") {
+          sh '''
+          composer install
+          '''
+        }
+
+        parallel([
+          'php-security-check': {
+            stage("Check PHP security issues") {
+              catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                def auditReport = sh(script: "local-php-security-checker --format=markdown || true", returnStdout: true)
+                if (auditReport.trim() != "") {
+                  if (env.CHANGE_ID) {
+                    gitea.commentPullRequest(repo, env.CHANGE_ID, auditReport, 0)
+                  } else {
+                    print auditReport
+                  }
+                }
+                if (!auditReport.contains("No packages have known vulnerabilities.")) {
+                  throw new Exception("Dependencies check failed !")
+                }
+              }             
+            }
+          },
+          'php-cs-fixer': {
+            stage("Run PHP-CS-Fixer on modified code") {
+              catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') {
+                if ( !fileExists('.php-cs-fixer.dist.php') ) {
+                  def phpCsFixerConfig = libraryResource 'com/cadoles/symfony/.php-cs-fixer.dist.php'
+                  writeFile file:'.php-cs-fixer.dist.php', text:phpCsFixerConfig
+                }
+
+                sh '''
+                  CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRTUXB "HEAD~..HEAD" | fgrep ".php" | tr "\n" " ")
+                  if ! echo "${CHANGED_FILES}" | grep -qE "^(\\.php-cs-fixer(\\.dist)\\.php?|composer\\.lock)$"; then EXTRA_ARGS=$(printf -- '--path-mode=intersection -- %s' "${CHANGED_FILES}"); else EXTRA_ARGS=''; fi
+                  php-cs-fixer fix -v --dry-run --using-cache=no --format junit > php-cs-fixer.xml ${EXTRA_ARGS}
+                '''
+                def report = sh(script: "junit2md php-cs-fixer.xml", returnStdout: true)
+                if (env.CHANGE_ID) {
+                  gitea.commentPullRequest(repo, env.CHANGE_ID, report, 1)
+                } else {
+                  print report
+                }
+              }
+            }
+          },
+          'phpstan': {
+            stage("Run phpstan") {
+              catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                if ( !fileExists('phpstan.neon') ) {
+                  def phpStanConfig = libraryResource 'com/cadoles/symfony/phpstan.neon'
+                  writeFile file:'phpstan.neon', text:phpStanConfig
+                }
+                sh '''
+                  phpstan analyze -l 1 --error-format=table src > phpstan.txt || true
+                '''
+                def report = sh(script: "cat phpstan.txt", returnStdout: true)
+                report = "## Rapport PHPStan\n\n```\n" + report
+                report = report + "\n```\n"
+                if (env.CHANGE_ID) {
+                  gitea.commentPullRequest(repo, env.CHANGE_ID, report, 2)
+                } else {
+                  print report
+                }
+              }
+            }
+          }
+        ])
+      }
+    }
+  }
+}
+
+def buildDockerImage(String baseImage) {
+  def imageName = "cadoles-symfony-ci"
+  dir (".${imageName}") {
+    def dockerfile = libraryResource 'com/cadoles/symfony/Dockerfile'
+    writeFile file:'Dockerfile', text: "FROM ${baseImage}\n\n" + dockerfile
+
+    def addLetsEncryptCA = libraryResource 'com/cadoles/common/add-letsencrypt-ca.sh'
+    writeFile file:'add-letsencrypt-ca.sh', text:addLetsEncryptCA
+    
+    def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
+    def imageTag = "${safeJobName}-${env.BUILD_ID}"
+    return docker.build("${imageName}:${imageTag}", ".")
+  }
+}
+
+def when(boolean condition, body) {
+    def config = [:]
+    body.resolveStrategy = Closure.OWNER_FIRST
+    body.delegate = config
+
+    if (condition) {
+        body()
+    } else {
+        Utils.markStageSkippedForConditional(STAGE_NAME)
+    }
+}

vars/tamarin.groovy

@@ -121,6 +121,9 @@ def buildDockerImage() {
 
         def runTamarinScript = libraryResource 'com/cadoles/tamarin/run-tamarin.sh'
         writeFile file:'run-tamarin.sh', text:runTamarinScript
+
+        def addLetsEncryptCA = libraryResource 'com/cadoles/common/add-letsencrypt-ca.sh'
+        writeFile file:'add-letsencrypt-ca.sh', text:addLetsEncryptCA
         
         def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
         def imageTag = "${safeJobName}-${env.BUILD_ID}"