ci: replace deprecated workflow syntax and add trivy (#128)

2024-11-21 12:00:40 +00:00 · 2024-10-30 22:46:12 +01:00 · 2024-10-30 22:46:12 +01:00 · 6dbc41850a
commit 6dbc41850a
parent f667989933
3 changed files with 27 additions and 22 deletions
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@ -6,22 +6,30 @@ when:
      - ${CI_REPO_DEFAULT_BRANCH}

 steps:
-  - name: dryrun
+  - name: security-build
    image: quay.io/thegeeklab/wp-docker-buildx:5
    settings:
      containerfile: Containerfile.multiarch
-      dry_run: true
-      platforms:
-        - linux/amd64
-        - linux/arm64
-      provenance: false
+      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
      repo: ${CI_REPO}
-    when:
-      - event: [pull_request]
+
+  - name: security-scan
+    image: docker.io/aquasec/trivy
+    depends_on: [security-build]
+    commands:
+      - trivy -v
+      - trivy image --input oci/${CI_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: "1"
+      TRIVY_IGNORE_UNFIXED: "true"
+      TRIVY_NO_PROGRESS: "true"
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2

  - name: publish-dockerhub
    image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: [security-scan]
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
@ -42,7 +50,7 @@ steps:

  - name: publish-quay
    image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: [security-scan]
    settings:
      auto_tag: true
      containerfile: Containerfile.multiarch
--- a/.woodpecker/docs.yml
+++ b/.woodpecker/docs.yml
@ -8,13 +8,11 @@ when:
 steps:
  - name: markdownlint
    image: quay.io/thegeeklab/markdownlint-cli
-    group: test
    commands:
      - markdownlint 'README.md' 'CONTRIBUTING.md'

  - name: spellcheck
    image: quay.io/thegeeklab/alpine-tools
-    group: test
    commands:
      - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
    environment:
@ -22,18 +20,17 @@ steps:

  - name: link-validation
    image: docker.io/lycheeverse/lychee
-    group: test
    commands:
      - lychee --no-progress --format detailed README.md

  - name: pushrm-dockerhub
    image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: docker_password
-        target: DOCKER_PASS
-      - source: docker_username
-        target: DOCKER_USER
+    depends_on: [markdownlint, spellcheck, link-validation]
    environment:
+      DOCKER_PASS:
+        from_secret: docker_password
+      DOCKER_USER:
+        from_secret: docker_username
      PUSHRM_FILE: README.md
      PUSHRM_SHORT: Semantic versioning tool for git based on conventional commits
      PUSHRM_TARGET: ${CI_REPO}
@ -45,10 +42,10 @@ steps:

  - name: pushrm-quay
    image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: quay_token
-        target: APIKEY__QUAY_IO
+    depends_on: [markdownlint, spellcheck, link-validation]
    environment:
+      APIKEY__QUAY_IO:
+        from_secret: quay_token
      PUSHRM_FILE: README.md
      PUSHRM_TARGET: quay.io/${CI_REPO}
    when:
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f as build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS build

 ARG TARGETOS
 ARG TARGETARCH