ci: add trivy and replace deprecated workflow syntax (#382)

This commit is contained in:
Robert Kaussow 2024-10-27 21:07:19 +01:00 committed by GitHub
parent 4739aeb2af
commit 192633b245
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 35 additions and 27 deletions

View File

@ -12,22 +12,31 @@ steps:
- pip install poetry poetry-dynamic-versioning -qq
- poetry build
- name: dryrun
- name: security-build
image: quay.io/thegeeklab/wp-docker-buildx:5
depends_on: [build]
settings:
containerfile: Containerfile.multiarch
dry_run: true
platforms:
- linux/amd64
- linux/arm64
provenance: false
output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
repo: ${CI_REPO}
when:
- event: [pull_request]
- name: security-scan
image: docker.io/aquasec/trivy
depends_on: [security-build]
commands:
- trivy -v
- trivy image --input oci/${CI_REPO_NAME}
environment:
TRIVY_EXIT_CODE: "1"
TRIVY_IGNORE_UNFIXED: "true"
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
- name: publish-dockerhub
image: quay.io/thegeeklab/wp-docker-buildx:5
group: container
depends_on: [security-scan]
settings:
auto_tag: true
containerfile: Containerfile.multiarch
@ -48,7 +57,7 @@ steps:
- name: publish-quay
image: quay.io/thegeeklab/wp-docker-buildx:5
group: container
depends_on: security-scan
settings:
auto_tag: true
containerfile: Containerfile.multiarch

View File

@ -40,11 +40,11 @@ steps:
- name: publish-pypi
image: docker.io/library/python:3.12
secrets:
- source: pypi_password
target: POETRY_HTTP_BASIC_PYPI_PASSWORD
- source: pypi_username
target: POETRY_HTTP_BASIC_PYPI_USERNAME
environment:
POETRY_HTTP_BASIC_PYPI_PASSWORD:
from_secret: pypi_password
POETRY_HTTP_BASIC_PYPI_USERNAME:
from_secret: pypi_username
commands:
- pip install poetry poetry-dynamic-versioning -qq
- poetry publish -n

View File

@ -8,13 +8,11 @@ when:
steps:
- name: markdownlint
image: quay.io/thegeeklab/markdownlint-cli
group: test
commands:
- markdownlint 'README.md' 'CONTRIBUTING.md'
- name: spellcheck
image: quay.io/thegeeklab/alpine-tools
group: test
commands:
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
environment:
@ -22,18 +20,17 @@ steps:
- name: link-validation
image: docker.io/lycheeverse/lychee
group: test
commands:
- lychee --no-progress --format detailed README.md
- name: pushrm-dockerhub
image: docker.io/chko/docker-pushrm:1
secrets:
- source: docker_password
target: DOCKER_PASS
- source: docker_username
target: DOCKER_USER
depends_on: [markdownlint, spellcheck, link-validation]
environment:
DOCKER_PASS:
from_secret: docker_password
DOCKER_USER:
from_secret: docker_username
PUSHRM_FILE: README.md
PUSHRM_SHORT: Create docker tags from a given version string
PUSHRM_TARGET: ${CI_REPO}
@ -45,10 +42,10 @@ steps:
- name: pushrm-quay
image: docker.io/chko/docker-pushrm:1
secrets:
- source: quay_token
target: APIKEY__QUAY_IO
depends_on: [markdownlint, spellcheck, link-validation]
environment:
APIKEY__QUAY_IO:
from_secret: quay_token
PUSHRM_FILE: README.md
PUSHRM_TARGET: quay.io/${CI_REPO}
when:

View File

@ -8,6 +8,7 @@ when:
steps:
- name: check-format
image: docker.io/library/python:3.12
depends_on: []
commands:
- pip install poetry poetry-dynamic-versioning -qq
- poetry install
@ -17,6 +18,7 @@ steps:
- name: check-coding
image: docker.io/library/python:3.12
depends_on: []
commands:
- pip install poetry poetry-dynamic-versioning -qq
- poetry install

View File

@ -7,7 +7,7 @@ when:
variables:
- &pytest_base
group: pytest
depends_on: []
commands:
- pip install poetry poetry-dynamic-versioning -qq
- poetry install