apps/scratch-cloudvars-server
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Activity
Files
2b2e12d06e5f51d06b6e30edd3147c835a3bf4b2
scratch-cloudvars-server/.gitea/workflows/publish-docker.yml
Arne Baeumler 2b2e12d06e
All checks were successful
Lint, Build, Scan and Publish Docker Image / lint (push) Successful in 35s
Details
Lint, Build, Scan and Publish Docker Image / build-and-push (push) Successful in 1m34s
Details
feat: add linter to ci workflow
2026-01-18 13:02:59 +01:00

92 lines
2.9 KiB
YAML
Raw Blame History

---
name: Lint, Build, Scan and Publish Docker Image
on:
push:
branches:
- main
tags:
- 'v*'
jobs:
lint:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Lint & Format Check python code with ruff
uses: astral-sh/ruff-action@v3
- name: Lint Dockerfile (Hadolint)
uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
- name: Security Lint Dockerfile (Trivy)
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy config .
build-and-push:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Log in to Gitea Container Registry
uses: docker/login-action@v3
with:
registry: git.br0tkasten.de
username: ${{ secrets.PACKAGE_USER }}
password: ${{ secrets.PACKAGE_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: git.br0tkasten.de/${{ gitea.repository }}
flavor: |
latest=true
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=sha
# Step 1: Build the image locally (do not push yet)
- name: Build Docker image locally
uses: docker/build-push-action@v5
with:
context: .
load: true # This loads the image into the local docker daemon for Trivy to find
tags: local_scan_target:${{ github.sha }}
# - name: Run Trivy vulnerability scanner
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: 'local_scan_target:${{ github.sha }}'
# format: 'table'
# exit-code: '1' # This will fail the pipeline if vulnerabilities are found
# ignore-unfixed: true
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
# server-url: 'http://trivy-server:8080'
# env:
# - DOCKER_HOST: unix:///var/run/docker.sock
# - TRIVY_USERNAME: ${{ secrets.PACKAGE_USER }}
# - TRIVY_PASSWORD: ${{ secrets.PACKAGE_TOKEN }}
- name: Run Trivy scanner (Binary Mode)
run: |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
trivy image --exit-code 1 --severity CRITICAL,HIGH --ignore-unfixed --server http://trivy-server:8080 local_scan_target:${{ github.sha }}
# Step 3: If scan passes, Build and Push to Registry
- name: Build and push Docker image
uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
Reference in New Issue View Git Blame Copy Permalink