From 147177920b8105a823ca6b1e48ed8cdff68b5763 Mon Sep 17 00:00:00 2001
From: Robert Kaussow
Date: Thu, 31 Oct 2024 00:14:33 +0100
Subject: [PATCH] ci: replace deprecated workflow syntax and add trivy (#106)

---
 .woodpecker/build-container.yml | 28 ++++++++++++++++++----------
 .woodpecker/docs.yml            | 20 +++++++++-----------
 Containerfile.multiarch         |  2 +-
 trivy.yaml                      |  4 ++++
 4 files changed, 32 insertions(+), 22 deletions(-)
 create mode 100644 trivy.yaml

diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
index 0f1a342..22bff86 100644
--- a/.woodpecker/build-container.yml
+++ b/.woodpecker/build-container.yml
@@ -6,22 +6,30 @@ when:
       - ${CI_REPO_DEFAULT_BRANCH}
 
 steps:
-  - name: dryrun
+  - name: security-build
     image: quay.io/thegeeklab/wp-docker-buildx:5
     settings:
       containerfile: Containerfile.multiarch
-      dry_run: true
-      platforms:
-        - linux/amd64
-        - linux/arm64
-      provenance: false
+      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
       repo: ${CI_REPO}
-    when:
-      - event: [pull_request]
+
+  - name: security-scan
+    image: docker.io/aquasec/trivy
+    depends_on: [security-build]
+    commands:
+      - trivy -v
+      - trivy image --input oci/${CI_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: "1"
+      TRIVY_IGNORE_UNFIXED: "true"
+      TRIVY_NO_PROGRESS: "true"
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
 
   - name: publish-dockerhub
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: [security-scan]
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch
@@ -42,7 +50,7 @@ steps:
 
   - name: publish-quay
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: [security-scan]
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch
diff --git a/.woodpecker/docs.yml b/.woodpecker/docs.yml
index a2777f7..58f05bd 100644
--- a/.woodpecker/docs.yml
+++ b/.woodpecker/docs.yml
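Review bot: `image: docker.io/aquasec/trivy` in the new security-scan step is the only image in this hunk without a tag — wp-docker-buildx is pinned to `:5` and the DB repository to `:2` — so the scanner that now gates both publish steps floats to whatever the registry's default tag resolves to at run time. Pin it, ideally by digest as well, e.g. `image: docker.io/aquasec/trivy:<version>@sha256:<digest>` (values to be taken from the registry when pinning). It is also worth a comment on the security-scan step that what trivy scans is the OCI output of security-build, while publish-dockerhub and publish-quay run their own buildx builds; the published image matches the scanned one only as far as the Containerfile is reproducible, which this patch supports by keeping the golang build stage digest-pinned but does not show for the final stage. The same `depends_on: [security-scan]` rewiring appears in the publish-quay hunk below and needs no separate note.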
@@ -8,13 +8,11 @@ when:
 steps:
   - name: markdownlint
     image: quay.io/thegeeklab/markdownlint-cli
-    group: test
     commands:
       - markdownlint 'README.md' 'CONTRIBUTING.md'
 
   - name: spellcheck
     image: quay.io/thegeeklab/alpine-tools
-    group: test
     commands:
       - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
     environment:
@@ -22,12 +20,12 @@ steps:
 
   - name: link-validation
     image: docker.io/lycheeverse/lychee
-    group: test
     commands:
       - lychee --no-progress --format detailed docs/content README.md
 
   - name: publish
     image: quay.io/thegeeklab/wp-git-action
+    depends_on: [markdownlint, spellcheck, link-validation]
     settings:
       action:
         - pages
@@ -46,12 +44,12 @@ steps:
 
   - name: pushrm-dockerhub
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: docker_password
-        target: DOCKER_PASS
-      - source: docker_username
-        target: DOCKER_USER
+    depends_on: [markdownlint, spellcheck, link-validation]
     environment:
+      DOCKER_PASS:
+        from_secret: docker_password
+      DOCKER_USER:
+        from_secret: docker_username
       PUSHRM_FILE: README.md
       PUSHRM_SHORT: Woodpecker CI plugin to manage infrastructure with OpenTofu
       PUSHRM_TARGET: ${CI_REPO}
@@ -63,10 +61,10 @@ steps:
 
   - name: pushrm-quay
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: quay_token
-        target: APIKEY__QUAY_IO
+    depends_on: [markdownlint, spellcheck, link-validation]
     environment:
+      APIKEY__QUAY_IO:
+        from_secret: quay_token
       PUSHRM_FILE: README.md
       PUSHRM_TARGET: quay.io/${CI_REPO}
     when:
diff --git a/Containerfile.multiarch b/Containerfile.multiarch
index e6a7cff..1ae794b 100644
--- a/Containerfile.multiarch
+++ b/Containerfile.multiarch
@@ -1,4 +1,4 @@
-FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f as build
+FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS build
 ARG TARGETOS
 ARG TARGETARCH
 
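Review bot: The new `from_secret` wiring for DOCKER_PASS/DOCKER_USER in the pushrm-dockerhub hunk, and for APIKEY__QUAY_IO in the pushrm-quay hunk, hands registry credentials with push rights to `docker.io/chko/docker-pushrm:1`, a third-party image pinned only by a mutable major tag (that image line is unchanged context here). Because a retagged or compromised upstream image would receive those credentials directly, pin it by digest, e.g. `image: docker.io/chko/docker-pushrm:1@sha256:<digest>`, or record the trust assumption in a comment above the step. The `depends_on: [markdownlint, spellcheck, link-validation]` list is repeated verbatim in three steps; a one-line comment on the first occurrence noting that all three must stay in sync would help whoever adds the next check.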
diff --git a/trivy.yaml b/trivy.yaml
new file mode 100644
index 0000000..7f14f95
--- /dev/null
+++ b/trivy.yaml
@@ -0,0 +1,4 @@
+---
+scan:
+  skip-files:
+    - /usr/local/bin/tofu
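Review bot: `skip-files: - /usr/local/bin/tofu` excludes the binary the image exists to ship from the image scan that now gates publishing, so findings trivy would derive from that binary's embedded Go build info (its module dependencies and the toolchain it was built with) no longer fail the pipeline, and the file gives no reason for this. Add a comment above the entry stating why it is skipped and what covers those dependencies instead, e.g. `# <reason the tofu binary is excluded and where its dependencies are scanned>`, so a later reader does not take the exclusion for an accident or quietly widen it. Whether trivy's Go-binary detection would actually report on that file depends on how it was built, which this patch does not show.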