From eda604dd20506e6855b7b9d55c334f4145677860 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Sun, 27 Oct 2024 20:49:08 +0100
Subject: [PATCH] ci: add trivy and replace deprecated workflow syntax
---
.woodpecker/build-container.yml | 29 +++++++++++++++++++----------
.woodpecker/build-package.yml | 10 +++++-----
.woodpecker/docs.yml | 25 ++++++++++++++-----------
.woodpecker/lint.yml | 2 ++
.woodpecker/test.yml | 2 +-
5 files changed, 41 insertions(+), 27 deletions(-)
diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 56c208f..82dd379 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -12,22 +12,31 @@ steps: - pip install poetry poetry-dynamic-versioning -qq - poetry build - - name: dryrun + - name: security-build image: quay.io/thegeeklab/wp-docker-buildx:5 + depends_on: [build] settings: containerfile: Containerfile.multiarch - dry_run: true - platforms: - - linux/amd64 - - linux/arm64 - provenance: false + output: type=oci,dest=oci/${CI_REPO_NAME},tar=false repo: ${CI_REPO} - when: - - event: [pull_request] + + - name: security-scan image: docker.io/aquasec/trivy depends_on: [security-build] commands: - trivy -v - trivy image --input oci/${CI_REPO_NAME} environment: TRIVY_EXIT_CODE: "1" TRIVY_IGNORE_UNFIXED: "true" TRIVY_NO_PROGRESS: "true" TRIVY_SEVERITY: HIGH,CRITICAL TRIVY_TIMEOUT: 1m TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2 - name: publish-dockerhub image: quay.io/thegeeklab/wp-docker-buildx:5 - group: container + depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch
@@ -48,7 +57,7 @@ steps: - name: publish-quay image: quay.io/thegeeklab/wp-docker-buildx:5 - group: container + depends_on: security-scan settings: auto_tag: true containerfile: Containerfile.multiarch
diff --git a/.woodpecker/build-package.yml b/.woodpecker/build-package.yml
index 4b75817..fe8603f 100644
--- a/.woodpecker/build-package.yml
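Review bot: `image: docker.io/aquasec/trivy` in the new security-scan step is the only unpinned image in the file, yet it is the step that now gates publish-dockerhub (and, in the next hunk, publish-quay); pin it at least to a tag and preferably a digest, e.g. `image: docker.io/aquasec/trivy:<PINNED_VERSION>` (placeholder), so a scanner update cannot silently change what ships. `TRIVY_IGNORE_UNFIXED: "true"` narrows the `TRIVY_EXIT_CODE: "1"` gate to fixable HIGH/CRITICAL findings, which is a defensible policy but deserves a comment such as `# gate only on fixable HIGH/CRITICAL; findings without a fix are skipped` above the environment block. security-build drops the removed `platforms:` list, so the OCI layout scanned via `trivy image --input oci/${CI_REPO_NAME}` presumably holds only the runner's native architecture while the publish steps still build whatever their settings (outside this hunk) specify — confirm the scanned image is the one that gets published, or scan per platform. `TRIVY_TIMEOUT: 1m` also has to cover a cold download of `docker.io/aquasec/trivy-db:2`, which may make the gate flaky on fresh runners.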
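Review bot: `depends_on: security-scan` on publish-quay is a bare scalar while every other `depends_on` in this change is a flow list (`depends_on: [security-scan]` on publish-dockerhub, `depends_on: [build]`, `depends_on: []` in lint.yml and test.yml). Woodpecker appears to accept either form, but the mixed style makes the two publish steps look different when they are meant to be parallel siblings, so write `depends_on: [security-scan]`. The publish-quay settings block continues past the end of the hunk.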
+++ b/.woodpecker/build-package.yml
@@ -40,11 +40,11 @@ steps: - name: publish-pypi image: docker.io/library/python:3.12 - secrets: - - source: pypi_password - target: POETRY_HTTP_BASIC_PYPI_PASSWORD - - source: pypi_username - target: POETRY_HTTP_BASIC_PYPI_USERNAME + environment: + POETRY_HTTP_BASIC_PYPI_PASSWORD: + from_secret: pypi_password + POETRY_HTTP_BASIC_PYPI_USERNAME: + from_secret: pypi_username commands: - pip install poetry poetry-dynamic-versioning -qq - poetry publish -n
diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml
index d663cff..3c0d007 100644
--- a/.woodpecker/docs.yml
+++ b/.woodpecker/docs.yml
@@ -13,13 +13,13 @@ steps: - name: markdownlint image: quay.io/thegeeklab/markdownlint-cli - group: test + depends_on: [assets] commands: - markdownlint 'README.md' 'CONTRIBUTING.md' - name: spellcheck image: quay.io/thegeeklab/alpine-tools - group: test + depends_on: [assets] commands: - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls environment:
@@ -27,17 +27,19 @@ steps: - name: link-validation image: docker.io/lycheeverse/lychee - group: test + depends_on: [assets] commands: - lychee --no-progress --format detailed docs/content README.md - name: build image: quay.io/thegeeklab/hugo:0.133.0 + depends_on: [link-validation] commands: - hugo --panicOnWarning -s docs/ - name: beautify image: quay.io/thegeeklab/alpine-tools + depends_on: [build] commands: - html-beautify -r -f 'docs/public/**/*.html' environment:
@@ -45,6 +47,7 @@ steps: - name: publish image: quay.io/thegeeklab/wp-s3-action + depends_on: [beautify] settings: access_key: from_secret: s3_access_key
@@ -66,12 +69,12 @@ steps: - name: pushrm-dockerhub image: docker.io/chko/docker-pushrm:1 - secrets: - - source: docker_password - target: DOCKER_PASS - - source: docker_username - target: DOCKER_USER + depends_on: [publish] environment: + DOCKER_PASS: + from_secret: docker_password + DOCKER_USER: + from_secret: docker_username PUSHRM_FILE: README.md PUSHRM_SHORT: Another best practice scanner for Ansible roles and playbooks PUSHRM_TARGET: ${CI_REPO}
@@ -83,10 +86,10 @@ steps: - name: pushrm-quay image: docker.io/chko/docker-pushrm:1 - secrets: - - source: quay_token - target: APIKEY__QUAY_IO + depends_on: [publish] environment: + APIKEY__QUAY_IO: + from_secret: quay_token PUSHRM_FILE: README.md PUSHRM_TARGET: quay.io/${CI_REPO} when:
diff --git a/.woodpecker/lint.yml b/.woodpecker/lint.yml
index 2409c53..0081361 100644
--- a/.woodpecker/lint.yml
+++ b/.woodpecker/lint.yml
@@ -8,6 +8,7 @@ when: steps: - name: check-format image: docker.io/library/python:3.12 + depends_on: [] commands: - pip install poetry poetry-dynamic-versioning -qq - poetry install
@@ -17,6 +18,7 @@ steps: - name: check-coding image: docker.io/library/python:3.12 + depends_on: [] commands: - pip install poetry poetry-dynamic-versioning -qq - poetry install -E ansible-core
diff --git a/.woodpecker/test.yml b/.woodpecker/test.yml
index 415465e..c62350a 100644
--- a/.woodpecker/test.yml
+++ b/.woodpecker/test.yml
@@ -7,7 +7,7 @@ when: variables: - &pytest_base - group: pytest + depends_on: [] commands: - pip install poetry poetry-dynamic-versioning -qq - poetry install -E ansible-core