mirror of
https://github.com/thegeeklab/ansible-later.git
synced 2024-11-16 01:50:39 +00:00
ci: add trivy and replace deprecated workflow syntax (#895)
This commit is contained in:
parent
d5682968ab
commit
64531c1271
@ -12,22 +12,31 @@ steps:
|
|||||||
- pip install poetry poetry-dynamic-versioning -qq
|
- pip install poetry poetry-dynamic-versioning -qq
|
||||||
- poetry build
|
- poetry build
|
||||||
|
|
||||||
- name: dryrun
|
- name: security-build
|
||||||
image: quay.io/thegeeklab/wp-docker-buildx:5
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
||||||
|
depends_on: [build]
|
||||||
settings:
|
settings:
|
||||||
containerfile: Containerfile.multiarch
|
containerfile: Containerfile.multiarch
|
||||||
dry_run: true
|
output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
|
||||||
platforms:
|
|
||||||
- linux/amd64
|
|
||||||
- linux/arm64
|
|
||||||
provenance: false
|
|
||||||
repo: ${CI_REPO}
|
repo: ${CI_REPO}
|
||||||
when:
|
|
||||||
- event: [pull_request]
|
- name: security-scan
|
||||||
|
image: docker.io/aquasec/trivy
|
||||||
|
depends_on: [security-build]
|
||||||
|
commands:
|
||||||
|
- trivy -v
|
||||||
|
- trivy image --input oci/${CI_REPO_NAME}
|
||||||
|
environment:
|
||||||
|
TRIVY_EXIT_CODE: "1"
|
||||||
|
TRIVY_IGNORE_UNFIXED: "true"
|
||||||
|
TRIVY_NO_PROGRESS: "true"
|
||||||
|
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||||
|
TRIVY_TIMEOUT: 1m
|
||||||
|
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
|
||||||
|
|
||||||
- name: publish-dockerhub
|
- name: publish-dockerhub
|
||||||
image: quay.io/thegeeklab/wp-docker-buildx:5
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
||||||
group: container
|
depends_on: [security-scan]
|
||||||
settings:
|
settings:
|
||||||
auto_tag: true
|
auto_tag: true
|
||||||
containerfile: Containerfile.multiarch
|
containerfile: Containerfile.multiarch
|
||||||
@ -48,7 +57,7 @@ steps:
|
|||||||
|
|
||||||
- name: publish-quay
|
- name: publish-quay
|
||||||
image: quay.io/thegeeklab/wp-docker-buildx:5
|
image: quay.io/thegeeklab/wp-docker-buildx:5
|
||||||
group: container
|
depends_on: security-scan
|
||||||
settings:
|
settings:
|
||||||
auto_tag: true
|
auto_tag: true
|
||||||
containerfile: Containerfile.multiarch
|
containerfile: Containerfile.multiarch
|
||||||
|
@ -40,11 +40,11 @@ steps:
|
|||||||
|
|
||||||
- name: publish-pypi
|
- name: publish-pypi
|
||||||
image: docker.io/library/python:3.12
|
image: docker.io/library/python:3.12
|
||||||
secrets:
|
environment:
|
||||||
- source: pypi_password
|
POETRY_HTTP_BASIC_PYPI_PASSWORD:
|
||||||
target: POETRY_HTTP_BASIC_PYPI_PASSWORD
|
from_secret: pypi_password
|
||||||
- source: pypi_username
|
POETRY_HTTP_BASIC_PYPI_USERNAME:
|
||||||
target: POETRY_HTTP_BASIC_PYPI_USERNAME
|
from_secret: pypi_username
|
||||||
commands:
|
commands:
|
||||||
- pip install poetry poetry-dynamic-versioning -qq
|
- pip install poetry poetry-dynamic-versioning -qq
|
||||||
- poetry publish -n
|
- poetry publish -n
|
||||||
|
@ -13,13 +13,13 @@ steps:
|
|||||||
|
|
||||||
- name: markdownlint
|
- name: markdownlint
|
||||||
image: quay.io/thegeeklab/markdownlint-cli
|
image: quay.io/thegeeklab/markdownlint-cli
|
||||||
group: test
|
depends_on: [assets]
|
||||||
commands:
|
commands:
|
||||||
- markdownlint 'README.md' 'CONTRIBUTING.md'
|
- markdownlint 'README.md' 'CONTRIBUTING.md'
|
||||||
|
|
||||||
- name: spellcheck
|
- name: spellcheck
|
||||||
image: quay.io/thegeeklab/alpine-tools
|
image: quay.io/thegeeklab/alpine-tools
|
||||||
group: test
|
depends_on: [assets]
|
||||||
commands:
|
commands:
|
||||||
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
|
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
|
||||||
environment:
|
environment:
|
||||||
@ -27,17 +27,19 @@ steps:
|
|||||||
|
|
||||||
- name: link-validation
|
- name: link-validation
|
||||||
image: docker.io/lycheeverse/lychee
|
image: docker.io/lycheeverse/lychee
|
||||||
group: test
|
depends_on: [assets]
|
||||||
commands:
|
commands:
|
||||||
- lychee --no-progress --format detailed docs/content README.md
|
- lychee --no-progress --format detailed docs/content README.md
|
||||||
|
|
||||||
- name: build
|
- name: build
|
||||||
image: quay.io/thegeeklab/hugo:0.133.0
|
image: quay.io/thegeeklab/hugo:0.133.0
|
||||||
|
depends_on: [link-validation]
|
||||||
commands:
|
commands:
|
||||||
- hugo --panicOnWarning -s docs/
|
- hugo --panicOnWarning -s docs/
|
||||||
|
|
||||||
- name: beautify
|
- name: beautify
|
||||||
image: quay.io/thegeeklab/alpine-tools
|
image: quay.io/thegeeklab/alpine-tools
|
||||||
|
depends_on: [build]
|
||||||
commands:
|
commands:
|
||||||
- html-beautify -r -f 'docs/public/**/*.html'
|
- html-beautify -r -f 'docs/public/**/*.html'
|
||||||
environment:
|
environment:
|
||||||
@ -45,6 +47,7 @@ steps:
|
|||||||
|
|
||||||
- name: publish
|
- name: publish
|
||||||
image: quay.io/thegeeklab/wp-s3-action
|
image: quay.io/thegeeklab/wp-s3-action
|
||||||
|
depends_on: [beautify]
|
||||||
settings:
|
settings:
|
||||||
access_key:
|
access_key:
|
||||||
from_secret: s3_access_key
|
from_secret: s3_access_key
|
||||||
@ -66,12 +69,12 @@ steps:
|
|||||||
|
|
||||||
- name: pushrm-dockerhub
|
- name: pushrm-dockerhub
|
||||||
image: docker.io/chko/docker-pushrm:1
|
image: docker.io/chko/docker-pushrm:1
|
||||||
secrets:
|
depends_on: [publish]
|
||||||
- source: docker_password
|
|
||||||
target: DOCKER_PASS
|
|
||||||
- source: docker_username
|
|
||||||
target: DOCKER_USER
|
|
||||||
environment:
|
environment:
|
||||||
|
DOCKER_PASS:
|
||||||
|
from_secret: docker_password
|
||||||
|
DOCKER_USER:
|
||||||
|
from_secret: docker_username
|
||||||
PUSHRM_FILE: README.md
|
PUSHRM_FILE: README.md
|
||||||
PUSHRM_SHORT: Another best practice scanner for Ansible roles and playbooks
|
PUSHRM_SHORT: Another best practice scanner for Ansible roles and playbooks
|
||||||
PUSHRM_TARGET: ${CI_REPO}
|
PUSHRM_TARGET: ${CI_REPO}
|
||||||
@ -83,10 +86,10 @@ steps:
|
|||||||
|
|
||||||
- name: pushrm-quay
|
- name: pushrm-quay
|
||||||
image: docker.io/chko/docker-pushrm:1
|
image: docker.io/chko/docker-pushrm:1
|
||||||
secrets:
|
depends_on: [publish]
|
||||||
- source: quay_token
|
|
||||||
target: APIKEY__QUAY_IO
|
|
||||||
environment:
|
environment:
|
||||||
|
APIKEY__QUAY_IO:
|
||||||
|
from_secret: quay_token
|
||||||
PUSHRM_FILE: README.md
|
PUSHRM_FILE: README.md
|
||||||
PUSHRM_TARGET: quay.io/${CI_REPO}
|
PUSHRM_TARGET: quay.io/${CI_REPO}
|
||||||
when:
|
when:
|
||||||
|
@ -8,6 +8,7 @@ when:
|
|||||||
steps:
|
steps:
|
||||||
- name: check-format
|
- name: check-format
|
||||||
image: docker.io/library/python:3.12
|
image: docker.io/library/python:3.12
|
||||||
|
depends_on: []
|
||||||
commands:
|
commands:
|
||||||
- pip install poetry poetry-dynamic-versioning -qq
|
- pip install poetry poetry-dynamic-versioning -qq
|
||||||
- poetry install
|
- poetry install
|
||||||
@ -17,6 +18,7 @@ steps:
|
|||||||
|
|
||||||
- name: check-coding
|
- name: check-coding
|
||||||
image: docker.io/library/python:3.12
|
image: docker.io/library/python:3.12
|
||||||
|
depends_on: []
|
||||||
commands:
|
commands:
|
||||||
- pip install poetry poetry-dynamic-versioning -qq
|
- pip install poetry poetry-dynamic-versioning -qq
|
||||||
- poetry install -E ansible-core
|
- poetry install -E ansible-core
|
||||||
|
@ -7,7 +7,7 @@ when:
|
|||||||
|
|
||||||
variables:
|
variables:
|
||||||
- &pytest_base
|
- &pytest_base
|
||||||
group: pytest
|
depends_on: []
|
||||||
commands:
|
commands:
|
||||||
- pip install poetry poetry-dynamic-versioning -qq
|
- pip install poetry poetry-dynamic-versioning -qq
|
||||||
- poetry install -E ansible-core
|
- poetry install -E ansible-core
|
||||||
|
Loading…
Reference in New Issue
Block a user