feat: add linter to ci workflow
All checks were successful
Lint, Build, Scan and Publish Docker Image / build-and-push (push) Successful in 1m28s
All checks were successful
Lint, Build, Scan and Publish Docker Image / build-and-push (push) Successful in 1m28s
This commit is contained in:
@@ -8,12 +8,16 @@ on:
|
||||
- 'v*'
|
||||
|
||||
jobs:
|
||||
lint:
|
||||
build-and-push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout code
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: install Trivy Security scanner
|
||||
run: |
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||
|
||||
- name: Lint & Format Check python code with ruff
|
||||
uses: astral-sh/ruff-action@v3
|
||||
|
||||
@@ -24,16 +28,8 @@ jobs:
|
||||
|
||||
- name: Security Lint Dockerfile (Trivy)
|
||||
run: |
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||
trivy config .
|
||||
|
||||
|
||||
build-and-push:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Log in to Gitea Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
@@ -53,7 +49,6 @@ jobs:
|
||||
type=semver,pattern={{version}}
|
||||
type=sha
|
||||
|
||||
# Step 1: Build the image locally (do not push yet)
|
||||
- name: Build Docker image locally
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
@@ -61,27 +56,10 @@ jobs:
|
||||
load: true # This loads the image into the local docker daemon for Trivy to find
|
||||
tags: local_scan_target:${{ github.sha }}
|
||||
|
||||
# - name: Run Trivy vulnerability scanner
|
||||
# uses: aquasecurity/trivy-action@master
|
||||
# with:
|
||||
# image-ref: 'local_scan_target:${{ github.sha }}'
|
||||
# format: 'table'
|
||||
# exit-code: '1' # This will fail the pipeline if vulnerabilities are found
|
||||
# ignore-unfixed: true
|
||||
# vuln-type: 'os,library'
|
||||
# severity: 'CRITICAL,HIGH'
|
||||
# server-url: 'http://trivy-server:8080'
|
||||
# env:
|
||||
# - DOCKER_HOST: unix:///var/run/docker.sock
|
||||
# - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
|
||||
# - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
|
||||
|
||||
- name: Run Trivy scanner (Binary Mode)
|
||||
run: |
|
||||
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
|
||||
trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }}
|
||||
|
||||
# Step 3: If scan passes, Build and Push to Registry
|
||||
- name: Build and push Docker image
|
||||
uses: docker/build-push-action@v5
|
||||
with:
|
||||
|
||||
Reference in New Issue
Block a user