github/git-batch
0
0
Fork 0
mirror of https://github.com/thegeeklab/git-batch.git synced 2024-11-21 18:40:40 +00:00
Code Issues Projects Releases Wiki Activity

ci: add trivy and replace deprecated workflow syntax (#425)

Browse Source
This commit is contained in:
Robert Kaussow 2024-10-27 21:08:07 +01:00 committed by GitHub
parent aafac6f06a
commit c5ccf31f2c
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 36 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
.woodpecker/build-container.yml
View File

@ -12,22 +12,31 @@ steps:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry build - poetry build
- name: dryrun - name: security-build
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
depends_on: [build]
settings: settings:
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
dry_run: true output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
platforms:
- linux/amd64
- linux/arm64
provenance: false
repo: ${CI_REPO} repo: ${CI_REPO}
when:
- event: [pull_request] - name: security-scan
image: docker.io/aquasec/trivy
depends_on: [security-build]
commands:
- trivy -v
- trivy image --input oci/${CI_REPO_NAME}
environment:
TRIVY_EXIT_CODE: "1"
TRIVY_IGNORE_UNFIXED: "true"
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
- name: publish-dockerhub - name: publish-dockerhub
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: [security-scan]
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
@ -48,7 +57,7 @@ steps:
- name: publish-quay - name: publish-quay
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: security-scan
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch

10
.woodpecker/build-package.yml
View File

@ -40,11 +40,11 @@ steps:
- name: publish-pypi - name: publish-pypi
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
secrets: environment:
- source: pypi_password POETRY_HTTP_BASIC_PYPI_PASSWORD:
target: POETRY_HTTP_BASIC_PYPI_PASSWORD from_secret: pypi_password
- source: pypi_username POETRY_HTTP_BASIC_PYPI_USERNAME:
target: POETRY_HTTP_BASIC_PYPI_USERNAME from_secret: pypi_username
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry publish -n - poetry publish -n

21
.woodpecker/docs.yml
View File

@ -8,13 +8,11 @@ when:
steps: steps:
- name: markdownlint - name: markdownlint
image: quay.io/thegeeklab/markdownlint-cli image: quay.io/thegeeklab/markdownlint-cli
group: test
commands: commands:
- markdownlint 'README.md' 'CONTRIBUTING.md' - markdownlint 'README.md' 'CONTRIBUTING.md'
- name: spellcheck - name: spellcheck
image: quay.io/thegeeklab/alpine-tools image: quay.io/thegeeklab/alpine-tools
group: test
commands: commands:
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
environment: environment:
@ -22,20 +20,19 @@ steps:
- name: link-validation - name: link-validation
image: docker.io/lycheeverse/lychee image: docker.io/lycheeverse/lychee
group: test
commands: commands:
- lychee --no-progress --format detailed README.md - lychee --no-progress --format detailed README.md
- name: pushrm-dockerhub - name: pushrm-dockerhub
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [markdownlint, spellcheck, link-validation]
- source: docker_password
target: DOCKER_PASS
- source: docker_username
target: DOCKER_USER
environment: environment:
DOCKER_PASS:
from_secret: docker_password
DOCKER_USER:
from_secret: docker_username
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_SHORT: Automate cloning a single branch from a list of repositories PUSHRM_SHORT: Create docker tags from a given version string
PUSHRM_TARGET: ${CI_REPO} PUSHRM_TARGET: ${CI_REPO}
when: when:
- event: [push, manual] - event: [push, manual]
@ -45,10 +42,10 @@ steps:
- name: pushrm-quay - name: pushrm-quay
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [markdownlint, spellcheck, link-validation]
- source: quay_token
target: APIKEY__QUAY_IO
environment: environment:
APIKEY__QUAY_IO:
from_secret: quay_token
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_TARGET: quay.io/${CI_REPO} PUSHRM_TARGET: quay.io/${CI_REPO}
when: when:

2
.woodpecker/lint.yml
View File

@ -8,6 +8,7 @@ when:
steps: steps:
- name: check-format - name: check-format
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install - poetry install
@ -17,6 +18,7 @@ steps:
- name: check-coding - name: check-coding
image: docker.io/library/python:3.12 image: docker.io/library/python:3.12
depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install - poetry install

2
.woodpecker/test.yml
View File

@ -7,7 +7,7 @@ when:
variables: variables:
- &pytest_base - &pytest_base
group: pytest depends_on: []
commands: commands:
- pip install poetry poetry-dynamic-versioning -qq - pip install poetry poetry-dynamic-versioning -qq
- poetry install - poetry install