From 6dbc41850a0324dce34fe19478d869e817fcc7e7 Mon Sep 17 00:00:00 2001 From: Robert Kaussow Date: Wed, 30 Oct 2024 22:46:12 +0100 Subject: [PATCH] ci: replace deprecated workflow syntax and add trivy (#128) --- .woodpecker/build-container.yml | 28 ++++++++++++++++++---------- .woodpecker/docs.yml | 19 ++++++++----------- Containerfile.multiarch | 2 +- 3 files changed, 27 insertions(+), 22 deletions(-) diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml index 0f1a342..22bff86 100644 --- a/.woodpecker/build-container.yml +++ b/.woodpecker/build-container.yml @@ -6,22 +6,30 @@ when: - ${CI_REPO_DEFAULT_BRANCH} steps: - - name: dryrun + - name: security-build image: quay.io/thegeeklab/wp-docker-buildx:5 settings: containerfile: Containerfile.multiarch - dry_run: true - platforms: - - linux/amd64 - - linux/arm64 - provenance: false + output: type=oci,dest=oci/${CI_REPO_NAME},tar=false repo: ${CI_REPO} - when: - - event: [pull_request] + + - name: security-scan + image: docker.io/aquasec/trivy + depends_on: [security-build] + commands: + - trivy -v + - trivy image --input oci/${CI_REPO_NAME} + environment: + TRIVY_EXIT_CODE: "1" + TRIVY_IGNORE_UNFIXED: "true" + TRIVY_NO_PROGRESS: "true" + TRIVY_SEVERITY: HIGH,CRITICAL + TRIVY_TIMEOUT: 1m + TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2 - name: publish-dockerhub image: quay.io/thegeeklab/wp-docker-buildx:5 - group: container + depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch @@ -42,7 +50,7 @@ steps: - name: publish-quay image: quay.io/thegeeklab/wp-docker-buildx:5 - group: container + depends_on: [security-scan] settings: auto_tag: true containerfile: Containerfile.multiarch diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml index b781b90..ed74229 100644 --- a/.woodpecker/docs.yml +++ b/.woodpecker/docs.yml @@ -8,13 +8,11 @@ when: steps: - name: markdownlint image: quay.io/thegeeklab/markdownlint-cli - group: test commands: - markdownlint 'README.md' 'CONTRIBUTING.md' - name: spellcheck image: quay.io/thegeeklab/alpine-tools - group: test commands: - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls environment: @@ -22,18 +20,17 @@ steps: - name: link-validation image: docker.io/lycheeverse/lychee - group: test commands: - lychee --no-progress --format detailed README.md - name: pushrm-dockerhub image: docker.io/chko/docker-pushrm:1 - secrets: - - source: docker_password - target: DOCKER_PASS - - source: docker_username - target: DOCKER_USER + depends_on: [markdownlint, spellcheck, link-validation] environment: + DOCKER_PASS: + from_secret: docker_password + DOCKER_USER: + from_secret: docker_username PUSHRM_FILE: README.md PUSHRM_SHORT: Semantic versioning tool for git based on conventional commits PUSHRM_TARGET: ${CI_REPO} @@ -45,10 +42,10 @@ steps: - name: pushrm-quay image: docker.io/chko/docker-pushrm:1 - secrets: - - source: quay_token - target: APIKEY__QUAY_IO + depends_on: [markdownlint, spellcheck, link-validation] environment: + APIKEY__QUAY_IO: + from_secret: quay_token PUSHRM_FILE: README.md PUSHRM_TARGET: quay.io/${CI_REPO} when: diff --git a/Containerfile.multiarch b/Containerfile.multiarch index 32629e8..0b00eaf 100644 --- a/Containerfile.multiarch +++ b/Containerfile.multiarch @@ -1,4 +1,4 @@ -FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f as build +FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS build ARG TARGETOS ARG TARGETARCH