ci: add read-only pull secret to security build

Reviewed-on: #382
Co-authored-by: Renovator Bot <renovator@rknet.org>
Co-committed-by: Renovator Bot <renovator@rknet.org>

.woodpecker/build-container.yml

@@ -12,9 +12,12 @@ steps:
       containerfile: Containerfile
       output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
       repo: thegeeklab/${CI_REPO_NAME}
+      registry_config:
+        from_secret: DOCKER_REGISTRY_CONFIG_PULL
 
   - name: security-scan
-    image: ghcr.io/aquasecurity/trivy
+    image: docker.io/aquasec/trivy
+    depends_on: security-build
     commands:
       - trivy -v
       - trivy image --input oci/${CI_REPO_NAME}
@@ -24,10 +27,11 @@ steps:
       TRIVY_NO_PROGRESS: "true"
       TRIVY_SEVERITY: HIGH,CRITICAL
       TRIVY_TIMEOUT: 1m
+      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
 
   - name: publish-dockerhub
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: security-scan
     settings:
       auto_tag: true
       containerfile: Containerfile
@@ -45,7 +49,7 @@ steps:
 
   - name: publish-quay
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: security-scan
     settings:
       auto_tag: true
       containerfile: Containerfile

.woodpecker/docs.yml

@@ -8,13 +8,11 @@ when:
 steps:
   - name: markdownlint
     image: quay.io/thegeeklab/markdownlint-cli
-    group: test
     commands:
       - markdownlint 'README.md'
 
   - name: spellcheck
     image: quay.io/thegeeklab/alpine-tools
-    group: test
     commands:
       - spellchecker --files '_docs/**/*.md' 'README.md' -d .dictionary -p spell indefinite-article syntax-urls
     environment:
@@ -22,18 +20,17 @@ steps:
 
   - name: link-validation
     image: docker.io/lycheeverse/lychee
-    group: test
     commands:
       - lychee --no-progress --format detailed README.md
 
   - name: pushrm-dockerhub
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: docker_password
-        target: DOCKER_PASS
-      - source: docker_username
-        target: DOCKER_USER
+    depends_on: [markdownlint, spellcheck, link-validation]
     environment:
+      DOCKER_PASS:
+        from_secret: docker_password
+      DOCKER_USER:
+        from_secret: docker_username
       PUSHRM_FILE: README.md
       PUSHRM_SHORT: Custom image for lighthouse-ci
       PUSHRM_TARGET: thegeeklab/${CI_REPO_NAME}
@@ -45,10 +42,10 @@ steps:
 
   - name: pushrm-quay
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: quay_token
-        target: APIKEY__QUAY_IO
+    depends_on: [markdownlint, spellcheck, link-validation]
     environment:
+      APIKEY__QUAY_IO:
+        from_secret: quay_token
       PUSHRM_FILE: README.md
       PUSHRM_TARGET: quay.io/thegeeklab/${CI_REPO_NAME}
     when:

Containerfile

@@ -1,4 +1,4 @@
-FROM docker.io/node:lts-bookworm-slim@sha256:a22f79e64de59efd3533828aecc9817bfdc1cd37dde598aa27d6065e7b1f0abc
+FROM docker.io/node:lts-bookworm-slim@sha256:4b44c32c9f3118d60977d0dde5f758f63c4f9eac8ddee4275277239ec600950f
 
 LABEL maintainer="Robert Kaussow <mail@thegeeklab.de>"
 LABEL org.opencontainers.image.authors="Robert Kaussow <mail@thegeeklab.de>"
@@ -13,7 +13,7 @@ ARG YQ_VERSION
 # renovate: datasource=npm depName=@lhci/cli
 ENV LHCI_VERSION="${BUILD_VERSION:-0.14.0}"
 # renovate: datasource=github-releases depName=mikefarah/yq
-ENV YQ_VERSION="${YQ_VERSION:-v4.44.2}"
+ENV YQ_VERSION="${YQ_VERSION:-v4.44.3}"
 
 ENV LHCI_BASE_DIR=/drone/src \
     FORCE_COLOR=true \