74 lines
1.9 KiB
YAML
74 lines
1.9 KiB
YAML
---
|
|
when:
|
|
- event: [pull_request, tag]
|
|
- event: [push, manual]
|
|
branch:
|
|
- ${CI_REPO_DEFAULT_BRANCH}
|
|
|
|
steps:
|
|
- name: security-build
|
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
|
settings:
|
|
containerfile: Containerfile.multiarch
|
|
output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
|
|
repo: thegeeklab/${CI_REPO_NAME}
|
|
registry_config:
|
|
from_secret: DOCKER_REGISTRY_CONFIG_PULL
|
|
|
|
- name: security-scan
|
|
image: docker.io/aquasec/trivy
|
|
depends_on: security-build
|
|
commands:
|
|
- trivy -v
|
|
- trivy image --input oci/${CI_REPO_NAME}
|
|
environment:
|
|
TRIVY_EXIT_CODE: "1"
|
|
TRIVY_IGNORE_UNFIXED: "true"
|
|
TRIVY_NO_PROGRESS: "true"
|
|
TRIVY_SEVERITY: HIGH,CRITICAL
|
|
TRIVY_TIMEOUT: 1m
|
|
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
|
|
|
|
- name: publish-dockerhub
|
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
|
depends_on: security-scan
|
|
settings:
|
|
auto_tag: true
|
|
containerfile: Containerfile.multiarch
|
|
password:
|
|
from_secret: docker_password
|
|
platforms:
|
|
- linux/amd64
|
|
- linux/arm64
|
|
provenance: false
|
|
repo: thegeeklab/${CI_REPO_NAME}
|
|
username:
|
|
from_secret: docker_username
|
|
when:
|
|
- event: [tag]
|
|
- event: [push, manual]
|
|
branch:
|
|
- ${CI_REPO_DEFAULT_BRANCH}
|
|
|
|
- name: publish-quay
|
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
|
depends_on: security-scan
|
|
settings:
|
|
auto_tag: true
|
|
containerfile: Containerfile.multiarch
|
|
password:
|
|
from_secret: quay_password
|
|
platforms:
|
|
- linux/amd64
|
|
- linux/arm64
|
|
provenance: false
|
|
registry: quay.io
|
|
repo: quay.io/thegeeklab/${CI_REPO_NAME}
|
|
username:
|
|
from_secret: quay_username
|
|
when:
|
|
- event: [tag]
|
|
- event: [push, manual]
|
|
branch:
|
|
- ${CI_REPO_DEFAULT_BRANCH}
|