Ajout d'une méthode gitea.release()

Voir CNOUS/mse#664

pipelines/mse-rgaa.jenkinsfile

@@ -18,7 +18,7 @@ pipeline {
 
   agent {
     node {
-      label "mse"
+      label "docker"
     }
   }
 
@@ -48,7 +48,7 @@ pipeline {
                 junit "*.xml"
                 
                 rocketSend (
-                    channel: "#cnous-mse-dev",
+                    channel: "#cnous-mse",
                     avatar: 'https://jenkins.cadol.es/static/b5f67753/images/headshot.png',
                     message: """
                     Audit RGAA | ${testStatuses()}
@@ -65,6 +65,14 @@ pipeline {
     }
   }
 
+  post {
+    always {
+      cleanWs()
+    }
+  }
+
+  
+
 }
 
 @NonCPS
@@ -79,4 +87,4 @@ def testStatuses() {
         testStatus = "Passant(s): ${passed}, Échoué(s): ${failed} ${testResultAction.failureDiffString}, Désactivé(s): ${skipped}"
     }
     return testStatus
-}
+}

resources/com/cadoles/gitea/gitea-release.sh

@@ -0,0 +1,153 @@
+#!/bin/bash
+
+set -eo pipefail
+
+GITEA_RELEASE_PROJECT=${GITEA_RELEASE_PROJECT}
+GITEA_RELEASE_ORG=${GITEA_RELEASE_ORG}
+GITEA_RELEASE_BASE_URL=${GITEA_BASE_URL:-https://forge.cadoles.com}
+GITEA_RELEASE_USERNAME=${GITEA_RELEASE_USERNAME}
+GITEA_RELEASE_PASSWORD=${GITEA_RELEASE_PASSWORD}
+GITEA_RELEASE_VERSION=${GITEA_RELEASE_VERSION}
+GITEA_RELEASE_COMMITISH_TARGET=${GITEA_RELEASE_COMMITISH_TARGET}
+GITEA_RELEASE_IS_DRAFT=${GITEA_RELEASE_IS_DRAFT:-false}
+GITEA_RELEASE_IS_PRERELEASE=${GITEA_RELEASE_IS_PRERELEASE:-true}
+GITEA_RELEASE_BODY=${GITEA_RELEASE_BODY}
+GITEA_RELEASE_ATTACHMENTS=${GITEA_RELEASE_ATTACHMENTS}
+
+function check_dependencies {
+    assert_command_available 'curl'
+    assert_command_available 'jq'
+}
+
+function assert_command_available {
+    local command=$1
+    local command_path=$(which $command)
+
+    if [ -z "$command_path" ]; then
+        echo "The '$command' command could not be found. Please install it before using this script." 1>&2
+        exit 1
+    fi
+}
+
+function check_environment {
+    assert_environment GITEA_RELEASE_PROJECT
+    assert_environment GITEA_RELEASE_ORG
+    assert_environment GITEA_RELEASE_BASE_URL
+}
+
+function source_env_file {
+    if [ ! -f '.env' ]; then
+        return 0
+    fi
+    set -o allexport
+    source .env
+    set +o allexport
+}
+
+function assert_environment {
+    local name=$1
+    local value=${!name}
+
+    if [ -z "$value" ]; then
+        echo "The $"$name" environment variable is empty." 1>&2
+        exit 1
+    fi
+}
+
+function ask_credentials {
+    if [ -z "$GITEA_RELEASE_USERNAME" ]; then
+        echo -n "Username: "
+        read GITEA_RELEASE_USERNAME
+        
+    fi
+    if [ -z "$GITEA_RELEASE_PASSWORD" ]; then
+        echo -n "Password: "
+        stty -echo
+        read GITEA_RELEASE_PASSWORD
+        stty echo 
+        echo
+    fi
+}
+
+function retrieve_version {
+    if [ ! -z "$GITEA_RELEASE_VERSION" ]; then
+        return
+    fi
+
+    set +e
+    GITEA_RELEASE_VERSION=$(git describe --abbrev=0 --tags 2>/dev/null)
+    GITEA_RELEASE_VERSION=${GITEA_RELEASE_VERSION}
+    set -e
+}
+
+function retrieve_commitish_target {
+    if [ ! -z "$GITEA_RELEASE_COMMITISH_TARGET" ]; then
+        return
+    fi
+
+    GITEA_RELEASE_COMMITISH_TARGET=$(git log -n 1 --pretty="format:%h")
+}
+
+function create_release {
+    local payload={}
+
+    payload=$(json_set "$payload" body "\"$GITEA_RELEASE_BODY\"")
+    payload=$(json_set "$payload" draft $GITEA_RELEASE_IS_DRAFT)
+    payload=$(json_set "$payload" name "\"$GITEA_RELEASE_VERSION\"")
+    payload=$(json_set "$payload" prerelease $GITEA_RELEASE_IS_PRERELEASE)
+    payload=$(json_set "$payload" tag_name "\"${GITEA_RELEASE_VERSION:-$GITEA_RELEASE_COMMITISH_TARGET}\"")
+    payload=$(json_set "$payload" target_commitish "\"$GITEA_RELEASE_COMMITISH_TARGET\"")
+
+    gitea_api "/repos/$GITEA_RELEASE_ORG/$GITEA_RELEASE_PROJECT/releases" \
+        -H "Content-Type:application/json" \
+        -d "$payload"
+}
+
+function json_set {
+    local data=$1
+    local key=$2
+    local value=$3
+    echo $data | jq -cr --argjson v "$value" --arg k "$key" '.[$k] = $v'
+}
+
+function upload_release_attachments {
+    local release="$1"
+    local release_id=$(echo "$release" | jq -r .id)
+
+    if [ -z "$GITEA_RELEASE_ATTACHMENTS" ]; then
+        set +e
+        GITEA_RELEASE_ATTACHMENTS="$(ls release/*.{tar.gz,zip} 2>/dev/null)"
+        set -e
+    fi
+
+    for file in $GITEA_RELEASE_ATTACHMENTS; do
+        local filename=$(basename "$file")
+        gitea_api "/repos/$GITEA_RELEASE_ORG/$GITEA_RELEASE_PROJECT/releases/$release_id/assets?name=$filename" \
+            -H "Content-Type:multipart/form-data" \
+            -F "attachment=@$file"
+    done
+}
+
+function gitea_api {
+    local path=$1
+    local args=${@:2}
+
+    curl -L \
+        --fail \
+        -u "$GITEA_RELEASE_USERNAME:$GITEA_RELEASE_PASSWORD" \
+        ${args} \
+        "$GITEA_RELEASE_BASE_URL/api/v1$path"
+}
+
+function main {
+    check_dependencies
+    source_env_file
+    check_environment
+    ask_credentials
+    retrieve_commitish_target
+    retrieve_version
+    local release=$(create_release)
+    upload_release_attachments "$release"
+}
+
+main

resources/com/cadoles/pa11y/Dockerfile

@@ -35,7 +35,7 @@ RUN apk add --no-cache \
     chromium \
     bash
 
-RUN PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=1 npm install -g pa11y pa11y-reporter-html@^1.0.0 pa11y-reporter-junit
+RUN PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=1 npm install -g pa11y@^5.0.0 pa11y-reporter-html@^1.0.0 pa11y-reporter-junit
 
 RUN adduser -D pa11y   
 

resources/com/cadoles/pa11y/run-audit.sh

@@ -9,6 +9,7 @@ cd reports
 
 export PUPPETEER_EXECUTABLE_PATH=$(which chromium-browser)
 export PA11Y_REPORTER="${PA11Y_REPORTER:-html}"
+export PA11Y_STANDARD=${PA11Y_STANDARD:-WCAG2AA}
 
 PA11Y_ARGS=""
 

resources/com/cadoles/symfony/.php-cs-fixer.dist.php

@@ -0,0 +1,41 @@
+<?php
+
+$finder = PhpCsFixer\Finder::create()
+    ->in(__DIR__.'/src')
+    ->name('*.php')
+;
+
+return (new PhpCsFixer\Config())
+    ->setRules([
+        '@Symfony' => true,
+        'concat_space' => ['spacing' => 'none'],
+        'array_syntax' => ['syntax' => 'short'],
+        'combine_consecutive_issets' => true,
+        'explicit_indirect_variable' => true,
+        'no_useless_return' => true,
+        'ordered_imports' => true,
+        'no_unused_imports' => true,
+        'no_spaces_after_function_name' => true,
+        'no_spaces_inside_parenthesis' => true,
+        'ternary_operator_spaces' => true,
+        'class_definition' => ['single_line' => true],
+        'whitespace_after_comma_in_array' => true,
+        'phpdoc_add_missing_param_annotation' => ['only_untyped' => true],
+        'phpdoc_order' => true,
+        'phpdoc_types_order' => [
+            'null_adjustment' => 'always_last',
+            'sort_algorithm' => 'alpha',
+        ],
+        'phpdoc_no_empty_return' => false,
+        'phpdoc_summary' => false,
+        'general_phpdoc_annotation_remove' => [
+            'annotations' => [
+                'expectedExceptionMessageRegExp',
+                'expectedException',
+                'expectedExceptionMessage',
+                'author',
+            ],
+        ],
+    ])
+    ->setFinder($finder)
+;

resources/com/cadoles/symfony/Dockerfile

@@ -0,0 +1,42 @@
+ARG PHP_SECURITY_CHECKER_VERSION=1.0.0
+ARG JQ_VERSION=1.6
+
+RUN apt update && \
+    DEBIAN_FRONTEND=noninteractive apt-get install -y \
+        wget tar curl ca-certificates \
+        openssl bash git unzip \
+        php-cli php-dom php-mbstring php-ctype php-xml php-iconv
+        
+COPY add-letsencrypt-ca.sh /root/add-letsencrypt-ca.sh
+
+RUN bash /root/add-letsencrypt-ca.sh \
+    && rm -f /root/add-letsencrypt-ca.sh
+
+RUN wget -O /usr/local/bin/jq https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
+    && chmod +x /usr/local/bin/jq
+
+# Install local-php-security-checker
+RUN wget -O /usr/local/bin/local-php-security-checker https://github.com/fabpot/local-php-security-checker/releases/download/v${PHP_SECURITY_CHECKER_VERSION}/local-php-security-checker_${PHP_SECURITY_CHECKER_VERSION}_linux_amd64 \
+    && chmod +x /usr/local/bin/local-php-security-checker
+
+# Install junit2md
+RUN junit2md_download_url=$(curl "https://forge.cadoles.com/api/v1/repos/Cadoles/junit2md/releases" -H "accept:application/json" | jq -r 'sort_by(.published_at) | reverse | .[0] | .assets[] | select(.name == "junit2md-linux-amd64.tar.gz") | .browser_download_url') \
+    && wget -O junit2md-linux-amd64.tar.gz "$junit2md_download_url" \
+    && tar -xzf junit2md-linux-amd64.tar.gz \
+    && cp junit2md-linux-amd64/junit2md /usr/local/bin/junit2md
+
+# Install composer
+RUN wget https://raw.githubusercontent.com/composer/getcomposer.org/76a7060ccb93902cd7576b67264ad91c8a2700e2/web/installer -O - -q | php -- --force --install-dir /usr/local/bin --filename composer \
+    && chmod +x /usr/local/bin/composer
+
+# Install php-cs-fixer
+RUN mkdir --parents /tools/php-cs-fixer \
+    && composer require --working-dir=/tools/php-cs-fixer friendsofphp/php-cs-fixer \
+    && ln -s /tools/php-cs-fixer/vendor/bin/php-cs-fixer /usr/local/bin/php-cs-fixer
+
+# Install php-stan 
+RUN mkdir --parents /tools/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan \
+    && ln -s /tools/phpstan/vendor/bin/phpstan /usr/local/bin/phpstan \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-symfony \
+    && composer require --working-dir=/tools/phpstan phpstan/phpstan-doctrine    

resources/com/cadoles/symfony/phpstan.neon

@@ -0,0 +1,4 @@
+includes:
+    - /tools/phpstan/vendor/phpstan/phpstan-symfony/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/extension.neon
+    - /tools/phpstan/vendor/phpstan/phpstan-doctrine/rules.neon

vars/debian.groovy

@@ -2,6 +2,7 @@ def waitForRepoPackage(String packageName, Map params = [:]) {
   def expectedVersion = params.expectedVersion ? params.expectedVersion : null
   def delay = params.delay ? params.delay : 30
   def waitTimeout = params.timeout ? params.timeout : 2400
+  def asPattern = params.containsKey("asPattern") ? params.asPattern : true
   
   def message = "Waiting for package '${packageName}'"
   if (expectedVersion != null) {
@@ -26,9 +27,11 @@ def waitForRepoPackage(String packageName, Map params = [:]) {
         println("Package found !")
         break
       }
-      
+
       def versionFound = packages.find {
-        return it['version'] =~ expectedVersion
+        def matches = asPattern ? it['version'] =~ expectedVersion : it['version'] == expectedVersion
+        println("Comparing expected version '${expectedVersion}' to '${it['version']}': ${matches}")
+        return matches
       }
 
       if (versionFound) {
@@ -76,5 +79,10 @@ def listRepoPackages(Map params = [:]) {
     }
   }
 
+  println "Found packages:"
+  packages.each{
+    println " - Package: ${it.key}, Version: ${it.value['version']}"
+  }
+
   return packages
 }

vars/gitea.groovy

@@ -0,0 +1,98 @@
+def commentPullRequest(String repo, String issueId, String comment, Integer commentIndex = 0) {
+  comment = comment.replaceAll('"', '\\"')
+  withCredentials([
+    string(credentialsId: 'GITEA_JENKINS_PERSONAL_TOKEN', variable: 'GITEA_TOKEN'),
+  ]) {
+    writeFile(file: '.prComment', text: comment)
+    sh """#!/bin/bash
+    set -xeo pipefail
+
+    # Récupération si il existe du commentaire existant
+    previous_comment_id=\$(curl -v --fail \
+      -H "Authorization: token ${GITEA_TOKEN}" \
+      -H "Content-Type: application/json" \
+      https://forge.cadoles.com/api/v1/repos/${repo}/issues/${issueId}/comments \
+      | jq -c '[ .[] | select(.user.login=="jenkins") ] | .[${commentIndex}] | .id' \
+    )
+
+    # Génération du payload pour l'API Gitea
+    echo '{}' | jq -c --rawfile body .prComment '.body = \$body' > payload.json
+
+    if [[ "\$previous_comment_id" == "null" ]]; then
+      # Création du commentaire via l'API Gitea
+      curl -v --fail \
+        -XPOST \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @payload.json \
+        https://forge.cadoles.com/api/v1/repos/${repo}/issues/${issueId}/comments
+    else
+      # Modification du commentaire existant
+      curl -v --fail \
+        -XPATCH \
+        -H "Authorization: token ${GITEA_TOKEN}" \
+        -H "Content-Type: application/json" \
+        -d @payload.json \
+        https://forge.cadoles.com/api/v1/repos/${repo}/issues/comments/\$previous_comment_id
+    fi
+    """
+  }
+}
+
+// Effectue une "release" sur Gitea pour le <ORG>/<PROJET> donné.
+def release(String credentialsId, String org, String project, Map options = [:]) {
+  def isDraft = options.get('isDraft', false)
+  def baseUrl = options.get('baseUrl', 'https://forge.cadoles.com')
+  def defaultVersion = sh(returnStdout: true, script: 'git describe --always').trim()
+  def releaseVersion = options.get('releaseVersion', defaultVersion)
+  def commitishTarget = options.get('commitishTarget', env.GIT_COMMIT)
+
+  def defaultIsPrerelease = true
+  try {
+    sh(script: "git describe --exact-match ${GIT_COMMIT}")
+    defaultIsPrerelease = false
+  } catch (err) {
+    println "Could not find tag associated with commit '${GIT_COMMIT}' ! Using 'prerelease' as default."
+  }
+
+  def isPrerelease = options.get('isPrerelease', defaultIsPrerelease)
+  def body = options.get('body', '')
+  def attachments = options.get('attachments', [])
+
+  def scriptTempDir =  ".gitea-release-script-${System.currentTimeMillis()}"
+  sh("mkdir -p '${scriptTempDir}'")
+
+  def giteaReleaseScript = "${scriptTempDir}/gitea-release.sh"
+
+  def giteaReleaseScriptContent = libraryResource 'com/cadoles/gitea/gitea-release.sh'
+  writeFile file: giteaReleaseScript, text:giteaReleaseScriptContent
+  sh("chmod +x '${giteaReleaseScript}'")
+
+  try {
+    withCredentials([
+      usernamePassword(
+        credentialsId: credentialsId,
+        usernameVariable: 'GITEA_RELEASE_USERNAME',
+        passwordVariable: 'GITEA_RELEASE_PASSWORD'
+      )
+    ]) {
+      sh """
+      export GITEA_RELEASE_PROJECT="${project}"
+      export GITEA_RELEASE_ORG="${org}"
+      export GITEA_RELEASE_BASE_URL="${baseUrl}"
+      export GITEA_RELEASE_VERSION="${releaseVersion}"
+      export GITEA_RELEASE_COMMITISH_TARGET="${commitishTarget}"
+      export GITEA_RELEASE_IS_DRAFT="${isDraft}"
+      export GITEA_RELEASE_IS_PRERELEASE="${isPrerelease}"
+      export GITEA_RELEASE_BODY="${body}"
+      export GITEA_RELEASE_ATTACHMENTS="${attachments.join(' ')}"
+
+      ${giteaReleaseScript}
+      """
+    }
+  } finally {
+    dir(scriptTempDir) {
+      deleteDir()
+    }
+  }
+}

vars/pulp.groovy

@@ -0,0 +1,117 @@
+import groovy.json.JsonOutput
+
+def exportPackages(
+    String credentials,
+    List packages = [],
+    String pulpHost = 'pulp.bbohard.lan'
+) {
+    def exportTasks = []
+    packages.each {
+        def response = httpRequest authentication: credentials, url: "https://${pulpHost}/pulp/api/v3/content/deb/packages/", httpMode: 'POST', ignoreSslErrors: true, multipartName: "file", timeout: 900, responseHandle: 'NONE', uploadFile: "${it}"
+        jsonResponse = readJSON text: response.content
+        println(jsonResponse)
+        exportTasks << jsonResponse['task']
+    }
+    return exportTasks
+}
+
+def getRepositoryHREF(
+    String credentials,
+    String repositoryLevel = 'dev',
+    String pulpHost = 'pulp.bbohard.lan'
+    ) {
+    def repositoriesMapping = ['dev': 'Cadoles4MSE']
+    def response = httpRequest authentication: credentials, url: "https://${pulpHost}/pulp/api/v3/repositories/deb/apt/", httpMode: 'GET', ignoreSslErrors: true
+    def jsonResponse = readJSON text: response.content
+    println(jsonResponse)
+    def repositories = jsonResponse.results
+    def repositoryHREF = repositories.find { it -> it['name'] == repositoriesMapping[repositoryLevel] }
+    return repositoryHREF.pulp_href
+}
+
+def addToRepository(
+    String credentials,
+    List packagesHREF,
+    String repositoryHREF,
+    String pulpHost = 'pulp.bbohard.lan'
+) {
+    def packagesHREFURL = ["add_content_units": packagesHREF.collect { "https://$pulpHost$it" }]
+    def postBody = JsonOutput.toJson(packagesHREFURL)
+    def response = httpRequest authentication: credentials, url: "https://${pulpHost}${repositoryHREF}modify/", httpMode: 'POST', requestBody: postBody, contentType: 'APPLICATION_JSON', ignoreSslErrors: true, validResponseCodes: "100:599"
+    def jsonResponse = readJSON text: response.content
+    return waitForTaskCompletion(credentials, jsonResponse.task)
+}
+
+def publishRepository(
+    String credentials,
+    String repositoryHREF,
+    String pulpHost = 'pulp.bbohard.lan'
+) {
+    def postBody = JsonOutput.toJson(["repository": repositoryHREF, "simple": true])
+    def response = httpRequest authentication: credentials, url: "https://${pulpHost}/pulp/api/v3/publications/deb/apt/", httpMode: 'POST', requestBody: postBody, contentType: 'APPLICATION_JSON', ignoreSslErrors: true
+    def jsonResponse = readJSON text: response.content
+    println(jsonResponse)
+    return waitForTaskCompletion(credentials, jsonResponse.task)
+}
+
+def distributePublication(
+    String credentials,
+    String publicationHREF,
+    String distributionName,
+    String basePath,
+    String pulpHost = 'pulp.bbohard.lan',
+    String contentGuard = null
+) {
+    def response = httpRequest authentication: credentials, url: "https://${pulpHost}/pulp/api/v3/distributions/deb/apt/", httpMode: 'GET', ignoreSslErrors: true
+    def jsonResponse = readJSON text: response.content
+    def httpMode = ''
+    def url = ''
+    def distribution = jsonResponse.results.find { it -> it.name == distributionName}
+    if (distribution) {
+        httpMode = 'PUT'
+        url = distribution.pulp_href
+
+    } else {
+        httpMode = 'POST'
+        url = '/pulp/api/v3/distributions/deb/apt/'
+    }
+    def postBody = JsonOutput.toJson(["publication": publicationHREF, "name": distributionName, "base_path": basePath, "content_guard": contentGuard])
+    response = httpRequest authentication: credentials, url: "https://${pulpHost}${url}", httpMode: httpMode, requestBody: postBody, contentType: 'APPLICATION_JSON', ignoreSslErrors: true, validResponseCodes: "100:599"
+    jsonResponse = readJSON text: response.content
+    if (distribution) {
+        waitForTaskCompletion(credentials, jsonResponse.task)
+        return [url]
+    } else {
+        return waitForTaskCompletion(credentials, jsonResponse.task)
+    }
+}
+
+def waitForTaskCompletion(
+    String credentials,
+    String taskHREF,
+    String pulpHost = 'pulp.bbohard.lan'
+) {
+    def status = ''
+    def created_resources = []
+    while (status != 'completed') {
+        def response = httpRequest authentication: credentials, url: "https://${pulpHost}${taskHREF}", httpMode: 'GET', ignoreSslErrors: true
+        def jsonResponse = readJSON text: response.content
+        status = jsonResponse.state
+        if (status == 'completed') {
+            created_resources = jsonResponse.created_resources
+        }
+        sleep(10)
+    }
+    return created_resources
+}
+
+def getDistributionURL(
+    String credentials,
+    String resourceHREF,
+    String pulpHost = 'pulp.bbohard.lan'
+) {
+    def response = httpRequest authentication: credentials, url: "https://${pulpHost}${resourceHREF}", httpMode: 'GET', ignoreSslErrors: true
+    def jsonResponse = readJSON text: response.content
+    println(jsonResponse)
+    return jsonResponse.base_url
+}

vars/symfonyAppPipeline.groovy

@@ -0,0 +1,115 @@
+import org.jenkinsci.plugins.pipeline.modeldefinition.Utils
+
+def call(String baseImage = "ubuntu:22.04") {
+  node {
+    stage("Checkout project") {
+      checkout(scm)
+    }
+
+    stage('Run in Symfony image') {
+      def symfonyImage = buildDockerImage(baseImage)
+      symfonyImage.inside() {
+        def repo = env.JOB_NAME
+        if (env.BRANCH_NAME ==~ /^PR-.*$/) {
+          repo = env.JOB_NAME - "/${env.JOB_BASE_NAME}"
+        }
+
+        stage("Install composer dependencies") {
+          sh '''
+          composer install
+          '''
+        }
+
+        parallel([
+          'php-security-check': {
+            stage("Check PHP security issues") {
+              catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                def auditReport = sh(script: "local-php-security-checker --format=markdown || true", returnStdout: true)
+                if (auditReport.trim() != "") {
+                  if (env.CHANGE_ID) {
+                    gitea.commentPullRequest(repo, env.CHANGE_ID, auditReport, 0)
+                  } else {
+                    print auditReport
+                  }
+                }
+                if (!auditReport.contains("No packages have known vulnerabilities.")) {
+                  throw new Exception("Dependencies check failed !")
+                }
+              }             
+            }
+          },
+          'php-cs-fixer': {
+            stage("Run PHP-CS-Fixer on modified code") {
+              catchError(buildResult: 'FAILURE', stageResult: 'FAILURE') {
+                if ( !fileExists('.php-cs-fixer.dist.php') ) {
+                  def phpCsFixerConfig = libraryResource 'com/cadoles/symfony/.php-cs-fixer.dist.php'
+                  writeFile file:'.php-cs-fixer.dist.php', text:phpCsFixerConfig
+                }
+
+                sh '''
+                  CHANGED_FILES=$(git diff --name-only --diff-filter=ACMRTUXB "HEAD~..HEAD" | fgrep ".php" | tr "\n" " ")
+                  if ! echo "${CHANGED_FILES}" | grep -qE "^(\\.php-cs-fixer(\\.dist)\\.php?|composer\\.lock)$"; then EXTRA_ARGS=$(printf -- '--path-mode=intersection -- %s' "${CHANGED_FILES}"); else EXTRA_ARGS=''; fi
+                  php-cs-fixer fix --config=.php-cs-fixer.dist.php -v --dry-run --using-cache=no --format junit  ${EXTRA_ARGS} > php-cs-fixer.xml || true
+                '''
+                def report = sh(script: "junit2md php-cs-fixer.xml", returnStdout: true)
+                if (env.CHANGE_ID) {
+                  gitea.commentPullRequest(repo, env.CHANGE_ID, report, 1)
+                } else {
+                  print report
+                }
+              }
+            }
+          },
+          'phpstan': {
+            stage("Run phpstan") {
+              catchError(buildResult: 'UNSTABLE', stageResult: 'FAILURE') {
+                if ( !fileExists('phpstan.neon') ) {
+                  def phpStanConfig = libraryResource 'com/cadoles/symfony/phpstan.neon'
+                  writeFile file:'phpstan.neon', text:phpStanConfig
+                }
+                sh '''
+                  phpstan analyze -l 1 --error-format=table src > phpstan.txt || true
+                '''
+                def report = sh(script: "cat phpstan.txt", returnStdout: true)
+                report = "## Rapport PHPStan\n\n```\n" + report
+                report = report + "\n```\n"
+                if (env.CHANGE_ID) {
+                  gitea.commentPullRequest(repo, env.CHANGE_ID, report, 2)
+                } else {
+                  print report
+                }
+              }
+            }
+          }
+        ])
+      }
+    }
+  }
+}
+
+def buildDockerImage(String baseImage) {
+  def imageName = "cadoles-symfony-ci"
+  dir (".${imageName}") {
+    def dockerfile = libraryResource 'com/cadoles/symfony/Dockerfile'
+    writeFile file:'Dockerfile', text: "FROM ${baseImage}\n\n" + dockerfile
+
+    def addLetsEncryptCA = libraryResource 'com/cadoles/common/add-letsencrypt-ca.sh'
+    writeFile file:'add-letsencrypt-ca.sh', text:addLetsEncryptCA
+    
+    def safeJobName = URLDecoder.decode(env.JOB_NAME).toLowerCase().replace('/', '-').replace(' ', '-')
+    def imageTag = "${safeJobName}-${env.BUILD_ID}"
+    return docker.build("${imageName}:${imageTag}", ".")
+  }
+}
+
+def when(boolean condition, body) {
+    def config = [:]
+    body.resolveStrategy = Closure.OWNER_FIRST
+    body.delegate = config
+
+    if (condition) {
+        body()
+    } else {
+        Utils.markStageSkippedForConditional(STAGE_NAME)
+    }
+}