0
0
mirror of https://github.com/thegeeklab/wp-opentofu.git synced 2024-11-23 17:10:38 +00:00

ci: replace deprecated workflow syntax and add trivy (#106)

This commit is contained in:
Robert Kaussow 2024-10-31 00:14:33 +01:00 committed by GitHub
parent b2da539065
commit 147177920b
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 32 additions and 22 deletions

View File

@ -6,22 +6,30 @@ when:
- ${CI_REPO_DEFAULT_BRANCH} - ${CI_REPO_DEFAULT_BRANCH}
steps: steps:
- name: dryrun - name: security-build
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
settings: settings:
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
dry_run: true output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
platforms:
- linux/amd64
- linux/arm64
provenance: false
repo: ${CI_REPO} repo: ${CI_REPO}
when:
- event: [pull_request] - name: security-scan
image: docker.io/aquasec/trivy
depends_on: [security-build]
commands:
- trivy -v
- trivy image --input oci/${CI_REPO_NAME}
environment:
TRIVY_EXIT_CODE: "1"
TRIVY_IGNORE_UNFIXED: "true"
TRIVY_NO_PROGRESS: "true"
TRIVY_SEVERITY: HIGH,CRITICAL
TRIVY_TIMEOUT: 1m
TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
- name: publish-dockerhub - name: publish-dockerhub
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: [security-scan]
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch
@ -42,7 +50,7 @@ steps:
- name: publish-quay - name: publish-quay
image: quay.io/thegeeklab/wp-docker-buildx:5 image: quay.io/thegeeklab/wp-docker-buildx:5
group: container depends_on: [security-scan]
settings: settings:
auto_tag: true auto_tag: true
containerfile: Containerfile.multiarch containerfile: Containerfile.multiarch

View File

@ -8,13 +8,11 @@ when:
steps: steps:
- name: markdownlint - name: markdownlint
image: quay.io/thegeeklab/markdownlint-cli image: quay.io/thegeeklab/markdownlint-cli
group: test
commands: commands:
- markdownlint 'README.md' 'CONTRIBUTING.md' - markdownlint 'README.md' 'CONTRIBUTING.md'
- name: spellcheck - name: spellcheck
image: quay.io/thegeeklab/alpine-tools image: quay.io/thegeeklab/alpine-tools
group: test
commands: commands:
- spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
environment: environment:
@ -22,12 +20,12 @@ steps:
- name: link-validation - name: link-validation
image: docker.io/lycheeverse/lychee image: docker.io/lycheeverse/lychee
group: test
commands: commands:
- lychee --no-progress --format detailed docs/content README.md - lychee --no-progress --format detailed docs/content README.md
- name: publish - name: publish
image: quay.io/thegeeklab/wp-git-action image: quay.io/thegeeklab/wp-git-action
depends_on: [markdownlint, spellcheck, link-validation]
settings: settings:
action: action:
- pages - pages
@ -46,12 +44,12 @@ steps:
- name: pushrm-dockerhub - name: pushrm-dockerhub
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [markdownlint, spellcheck, link-validation]
- source: docker_password
target: DOCKER_PASS
- source: docker_username
target: DOCKER_USER
environment: environment:
DOCKER_PASS:
from_secret: docker_password
DOCKER_USER:
from_secret: docker_username
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_SHORT: Woodpecker CI plugin to manage infrastructure with OpenTofu PUSHRM_SHORT: Woodpecker CI plugin to manage infrastructure with OpenTofu
PUSHRM_TARGET: ${CI_REPO} PUSHRM_TARGET: ${CI_REPO}
@ -63,10 +61,10 @@ steps:
- name: pushrm-quay - name: pushrm-quay
image: docker.io/chko/docker-pushrm:1 image: docker.io/chko/docker-pushrm:1
secrets: depends_on: [markdownlint, spellcheck, link-validation]
- source: quay_token
target: APIKEY__QUAY_IO
environment: environment:
APIKEY__QUAY_IO:
from_secret: quay_token
PUSHRM_FILE: README.md PUSHRM_FILE: README.md
PUSHRM_TARGET: quay.io/${CI_REPO} PUSHRM_TARGET: quay.io/${CI_REPO}
when: when:

View File

@ -1,4 +1,4 @@
FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f as build FROM --platform=$BUILDPLATFORM docker.io/library/golang:1.23@sha256:ad5c126b5cf501a8caef751a243bb717ec204ab1aa56dc41dc11be089fafcb4f AS build
ARG TARGETOS ARG TARGETOS
ARG TARGETARCH ARG TARGETARCH

4
trivy.yaml Normal file
View File

@ -0,0 +1,4 @@
---
scan:
skip-files:
- /usr/local/bin/tofu