ci: add trivy and replace deprecated workflow syntax (#895)

This commit is contained in:
Robert Kaussow 2024-10-27 21:06:37 +01:00 committed by GitHub
parent d5682968ab
commit 64531c1271
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 41 additions and 27 deletions

View File

@ -12,22 +12,31 @@ steps:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry build - poetry build
- name: dryrun - name: security-build
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
depends_on: [build]
settings: settings:
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
dry_run: true output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
platforms:
- linux/amd64
- linux/arm64
provenance: false
repo: ${CI_REPO} repo: ${CI_REPO}
when:
- event: [pull_request] - name: security-scan
image: docker.io/aquasec/trivy
depends_on: [security-build]
commands:
- trivy -v
- trivy image --input oci/${CI_REPO_NAME}
environment:
TRIVY_EXIT_CODE: "1"
TRIVY_IGNORE_UNFIXED: "true"
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
- name: publish-dockerhub - name: publish-dockerhub
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: [security-scan]
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
@ -48,7 +57,7 @@ steps:
- name: publish-quay - name: publish-quay
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: security-scan
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch

View File

@ -40,11 +40,11 @@ steps:
- name: publish-pypi - name: publish-pypi
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
secrets: environment:
- source: pypi_password POETRY_HTTP_BASIC_PYPI_PASSWORD:
target: POETRY_HTTP_BASIC_PYPI_PASSWORD from_secret: pypi_password
- source: pypi_username POETRY_HTTP_BASIC_PYPI_USERNAME:
target: POETRY_HTTP_BASIC_PYPI_USERNAME from_secret: pypi_username
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry publish -n - poetry publish -n

View File

@ -13,13 +13,13 @@ steps:
- name: markdownlint - name: markdownlint
image: quay.io/thegeeklab/markdownlint-cli image: quay.io/thegeeklab/markdownlint-cli
group: test depends_on: [assets]
commands: commands:
- markdownlint 'README.md' 'CONTRIBUTING.md' - markdownlint 'README.md' 'CONTRIBUTING.md'
- name: spellcheck - name: spellcheck
image: quay.io/thegeeklab/alpine-tools image: quay.io/thegeeklab/alpine-tools
group: test depends_on: [assets]
commands: commands:
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
environment: environment:
@ -27,17 +27,19 @@ steps:
- name: link-validation - name: link-validation
image: docker.io/lycheeverse/lychee image: docker.io/lycheeverse/lychee
group: test depends_on: [assets]
commands: commands:
- lychee --no-progress --format detailed docs/content README.md - lychee --no-progress --format detailed docs/content README.md
- name: build - name: build
image: quay.io/thegeeklab/hugo:0.133.0 image: quay.io/thegeeklab/hugo:0.133.0
depends_on: [link-validation]
commands: commands:
- hugo --panicOnWarning -s docs/ - hugo --panicOnWarning -s docs/
- name: beautify - name: beautify
image: quay.io/thegeeklab/alpine-tools image: quay.io/thegeeklab/alpine-tools
depends_on: [build]
commands: commands:
- html-beautify -r -f 'docs/public/**/*.html' - html-beautify -r -f 'docs/public/**/*.html'
environment: environment:
@ -45,6 +47,7 @@ steps:
- name: publish - name: publish
image: quay.io/thegeeklab/wp-s3-action image: quay.io/thegeeklab/wp-s3-action
depends_on: [beautify]
settings: settings:
access_key: access_key:
from_secret: s3_access_key from_secret: s3_access_key
@ -66,12 +69,12 @@ steps:
- name: pushrm-dockerhub - name: pushrm-dockerhub
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [publish]
- source: docker_password
target: DOCKER_PASS
- source: docker_username
target: DOCKER_USER
environment: environment:
DOCKER_PASS:
from_secret: docker_password
DOCKER_USER:
from_secret: docker_username
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_SHORT: Another best practice scanner for Ansible roles and playbooks PUSHRM_SHORT: Another best practice scanner for Ansible roles and playbooks
PUSHRM_TARGET: ${CI_REPO} PUSHRM_TARGET: ${CI_REPO}
@ -83,10 +86,10 @@ steps:
- name: pushrm-quay - name: pushrm-quay
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [publish]
- source: quay_token
target: APIKEY__QUAY_IO
environment: environment:
APIKEY__QUAY_IO:
from_secret: quay_token
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_TARGET: quay.io/${CI_REPO} PUSHRM_TARGET: quay.io/${CI_REPO}
when: when:

View File

@ -8,6 +8,7 @@ when:
steps: steps:
- name: check-format - name: check-format
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install - poetry install
@ -17,6 +18,7 @@ steps:
- name: check-coding - name: check-coding
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install -E ansible-core - poetry install -E ansible-core

View File

@ -7,7 +7,7 @@ when:
variables: variables:
- &pytest_base - &pytest_base
group: pytest depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install -E ansible-core - poetry install -E ansible-core