feat: add linter to ci workflow
All checks were successful
Lint, Build, Scan and Publish Docker Image / build-and-push (push) Successful in 1m28s
All checks were successful
Lint, Build, Scan and Publish Docker Image / build-and-push (push) Successful in 1m28s
This commit is contained in:
@@ -8,12 +8,16 @@ on:
|
|||||||
- 'v*'
|
- 'v*'
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
lint:
|
build-and-push:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout code
|
- name: Checkout
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
|
- name: install Trivy Security scanner
|
||||||
|
run: |
|
||||||
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||||
|
|
||||||
- name: Lint & Format Check python code with ruff
|
- name: Lint & Format Check python code with ruff
|
||||||
uses: astral-sh/ruff-action@v3
|
uses: astral-sh/ruff-action@v3
|
||||||
|
|
||||||
@@ -24,16 +28,8 @@ jobs:
|
|||||||
|
|
||||||
- name: Security Lint Dockerfile (Trivy)
|
- name: Security Lint Dockerfile (Trivy)
|
||||||
run: |
|
run: |
|
||||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
||||||
trivy config .
|
trivy config .
|
||||||
|
|
||||||
|
|
||||||
build-and-push:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
steps:
|
|
||||||
- name: Checkout
|
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Log in to Gitea Container Registry
|
- name: Log in to Gitea Container Registry
|
||||||
uses: docker/login-action@v3
|
uses: docker/login-action@v3
|
||||||
with:
|
with:
|
||||||
@@ -53,7 +49,6 @@ jobs:
|
|||||||
type=semver,pattern={{version}}
|
type=semver,pattern={{version}}
|
||||||
type=sha
|
type=sha
|
||||||
|
|
||||||
# Step 1: Build the image locally (do not push yet)
|
|
||||||
- name: Build Docker image locally
|
- name: Build Docker image locally
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
@@ -61,27 +56,10 @@ jobs:
|
|||||||
load: true # This loads the image into the local docker daemon for Trivy to find
|
load: true # This loads the image into the local docker daemon for Trivy to find
|
||||||
tags: local_scan_target:${{ github.sha }}
|
tags: local_scan_target:${{ github.sha }}
|
||||||
|
|
||||||
# - name: Run Trivy vulnerability scanner
|
|
||||||
# uses: aquasecurity/trivy-action@master
|
|
||||||
# with:
|
|
||||||
# image-ref: 'local_scan_target:${{ github.sha }}'
|
|
||||||
# format: 'table'
|
|
||||||
# exit-code: '1' # This will fail the pipeline if vulnerabilities are found
|
|
||||||
# ignore-unfixed: true
|
|
||||||
# vuln-type: 'os,library'
|
|
||||||
# severity: 'CRITICAL,HIGH'
|
|
||||||
# server-url: 'http://trivy-server:8080'
|
|
||||||
# env:
|
|
||||||
# - DOCKER_HOST: unix:///var/run/docker.sock
|
|
||||||
# - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
|
|
||||||
# - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
|
|
||||||
|
|
||||||
- name: Run Trivy scanner (Binary Mode)
|
- name: Run Trivy scanner (Binary Mode)
|
||||||
run: |
|
run: |
|
||||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
|
||||||
trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }}
|
trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }}
|
||||||
|
|
||||||
# Step 3: If scan passes, Build and Push to Registry
|
|
||||||
- name: Build and push Docker image
|
- name: Build and push Docker image
|
||||||
uses: docker/build-push-action@v5
|
uses: docker/build-push-action@v5
|
||||||
with:
|
with:
|
||||||
|
|||||||
Reference in New Issue
Block a user