
3 Commits

Author SHA1 Message Date
af6544eabe switched from drone to gitea actions 2025-06-15 12:22:09 +02:00
1505a64b11 alpine upgrade 2025-06-15 12:21:02 +02:00
d9c7566215 fix some shellchecks 2025-06-15 12:20:46 +02:00
5 changed files with 158 additions and 37 deletions


@@ -1,21 +0,0 @@
kind: pipeline
type: docker
name: default
steps:
- name: build_and_publish
image: plugins/docker:linux-amd64
settings:
password:
from_secret: docker_password
registry: docker.asperti.com
repo: docker.asperti.com/paspo/docker-aptly-pusher
tags:
- latest
force_tag: true
username:
from_secret: docker_username
trigger:
event:
- tag


@@ -0,0 +1,75 @@
---
name: Container Publish
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/docker-aptly-pusher
on:
push:
tags:
- '*'
schedule:
- cron: "0 12 3 * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [vulnscan.yaml]
types: [completed]
jobs:
on-success-skip:
runs-on:
labels: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- run: exit_with_success
build-image:
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
steps:
- uses: actions/checkout@v4
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and publish
run: |
docker build \
--tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
--platform linux/${{ matrix.arch }} -f Dockerfile .
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
manifest:
name: update docker manifest
needs: build-image
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: latest
run: |
docker manifest create \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
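Review bot: `build-image` carries no `if:`, so it runs on every trigger listed under `on:`, including a `workflow_run` from the vulnerability scan whatever its conclusion; `on-success-skip` is not named in any `needs:` and therefore gates nothing. Because the scan workflow is itself triggered when this workflow completes, the two can retrigger each other if the runner honours `workflow_run`, which is worth confirming on this Gitea version. If the intent is to rebuild only after a failed scan, put the condition on the build job, e.g. `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'failure' }}`. The step `run: exit_with_success` also looks like a placeholder rather than a command present in the runner image; `run: exit 0` would state the intent.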


@@ -0,0 +1,64 @@
---
name: Vulnerability Scan
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/docker-aptly-pusher
on:
schedule:
- cron: "0 14 * * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [build_and_publish.yaml]
types: [completed]
jobs:
scan:
name: Daily Vulnerability Scan
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
steps:
- name: Pull docker image
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
- name: Setup trivy
run: |
echo "Installing Trivy for arch: $(uname -m)"
case $(uname -m) in
x86_64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
aarch64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
*) exit 1 ;;
esac
dpkg -i /tmp/trivy.deb
- name: Run Trivy vulnerability scanner
id: scan
run: |
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
# if some vulnerability is found, we fail
- name: check output
id: vulncount
run: |
echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
- name: send telegram notification
if: failure()
uses: appleboy/telegram-action@master
with:
to: ${{ secrets.TELEGRAM_TO }}
token: ${{ secrets.TELEGRAM_TOKEN }}
format: markdown
message: |
Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
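Review bot: The gate in `check output` counts only `.Results[0].Vulnerabilities`, so findings that Trivy reports under any later `Results` entry neither fail the job nor reach the notification; `jq '[.Results[]?.Vulnerabilities[]?] | length' trivy-results.json` counts across all entries and still returns 0 when the key is absent. The Trivy `.deb` is fetched with `wget` and installed with `dpkg -i` without any checksum comparison; a `sha256sum -c` step against the digest published with the release would close that gap. `appleboy/telegram-action@master` tracks a branch while receiving `TELEGRAM_TOKEN`, so pinning it to a release tag or commit is safer. `--token ${{ secrets.TRIVY_TOKEN }}` is templated into the command line; supplying it through the step's `env:` as `TRIVY_TOKEN` keeps the secret out of the process arguments.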


@@ -1,9 +1,9 @@
FROM alpine:3.15 FROM alpine:latest
RUN \ RUN \
apk -U upgrade && \ apk -U upgrade && \
apk add curl bash apk add curl bash
COPY run.sh / COPY --chown=root:root --chmod=0755 run.sh /
ENTRYPOINT [ "/run.sh" ] ENTRYPOINT [ "/run.sh" ]
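Review bot: `FROM alpine:latest` replaces a fixed release with a moving tag, so the published image depends on whatever `latest` resolves to at build time and a rebuild can change the base without any change in this repository. Pinning the current release, ideally with its digest (`FROM alpine:<release>@sha256:<digest>`), keeps each base upgrade an explicit, reviewable commit; the scheduled rebuild together with `apk -U upgrade` already picks up package fixes. `COPY --chown=... --chmod=...` needs BuildKit, which the plain `docker build` in the workflow is assumed to provide, so that is worth confirming on the runner.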

31
run.sh

@@ -3,24 +3,24 @@
# parameters # parameters
FILES=${PLUGIN_FILES:-"*"} FILES=${PLUGIN_FILES:-"*"}
API_URL=${PLUGIN_API_URL} API_URL=${PLUGIN_API_URL:-}
REPO=${PLUGIN_REPO} REPO=${PLUGIN_REPO:-}
DISTRIBUTION=${PLUGIN_DISTRIBUTION} DISTRIBUTION=${PLUGIN_DISTRIBUTION:-}
PASSPHRASE=${PLUGIN_PASSPHRASE} PASSPHRASE=${PLUGIN_PASSPHRASE:-}
HTTP_USER=${PLUGIN_HTTP_USER} HTTP_USER=${PLUGIN_HTTP_USER:-}
HTTP_PASS=${PLUGIN_HTTP_PASS} HTTP_PASS=${PLUGIN_HTTP_PASS:-}
if [ -z "$API_URL" ] ; then if [[ -z "${API_URL}" ]] ; then
echo "API_URL is required" echo "API_URL is required"
exit 1 exit 1
fi fi
if [ -z "$REPO" ] ; then if [[ -z "${REPO}" ]] ; then
echo "REPO is required" echo "REPO is required"
exit 1 exit 1
fi fi
if [ -z "$DISTRIBUTION" ] ; then if [[ -z "${DISTRIBUTION}" ]] ; then
echo "DISTRIBUTION is required" echo "DISTRIBUTION is required"
exit 1 exit 1
fi fi
@@ -30,28 +30,31 @@ TMPDIR=$( mktemp -d )
UPLOADDIRNAME=$( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 ) UPLOADDIRNAME=$( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 )
NETRC=$( mktemp ) NETRC=$( mktemp )
if [ -z "${HTTP_USER}" ] || [ -z "${HTTP_PASS}" ] ; then if [[ -z "${HTTP_USER}" || -z "${HTTP_PASS}" ]] ; then
AUTH="" AUTH=""
else else
HOST=$(echo "$API_URL" | sed -E 's/^https?\:\/\/(.*)\/.*/\1/g' ) HOST=$(echo "${API_URL}" | sed -E 's/^https?\:\/\/(.*)\/.*/\1/g' )
echo "machine ${HOST} login ${HTTP_USER} password ${HTTP_PASS}" > "$NETRC" echo "machine ${HOST} login ${HTTP_USER} password ${HTTP_PASS}" > "${NETRC}"
AUTH="--netrc-file ${NETRC}" AUTH="--netrc-file ${NETRC}"
fi fi
# maybe do this better, it can lead to unwanted word splitting # TODO: maybe do this better, it can lead to unwanted word splitting
cp -r $( echo "${FILES}" | sed 's/\([^\\]\)\,/\1 /g' ) "${TMPDIR}/" cp -r $( echo "${FILES}" | sed 's/\([^\\]\)\,/\1 /g' ) "${TMPDIR}/"
cd "${TMPDIR}" || exit cd "${TMPDIR}" || exit
for file in *.deb ; do for file in *.deb ; do
echo "uploading '$file' to remote directory '${UPLOADDIRNAME}'" echo "uploading '$file' to remote directory '${UPLOADDIRNAME}'"
# shellcheck disable=SC2086
curl ${AUTH} -X POST -F "file=@${file}" "${API_URL}/files/${UPLOADDIRNAME}" curl ${AUTH} -X POST -F "file=@${file}" "${API_URL}/files/${UPLOADDIRNAME}"
done done
echo "Adding files to ${REPO}" echo "Adding files to ${REPO}"
# shellcheck disable=SC2086
curl ${AUTH} -X POST "${API_URL}/repos/${REPO}/file/${UPLOADDIRNAME}" curl ${AUTH} -X POST "${API_URL}/repos/${REPO}/file/${UPLOADDIRNAME}"
if [ -n "${PASSPHRASE}" ] ; then if [[ -n "${PASSPHRASE}" ]] ; then
echo "Signing and publishing ${REPO}" echo "Signing and publishing ${REPO}"
# shellcheck disable=SC2086
curl ${AUTH} -X PUT -H 'Content-Type: application/json' --data "{\"Signing\": {\"Passphrase\": \"${PASSPHRASE}\", \"Batch\":true}, \"ForceOverwrite\": true}" "${API_URL}/publish/:./${DISTRIBUTION}" curl ${AUTH} -X PUT -H 'Content-Type: application/json' --data "{\"Signing\": {\"Passphrase\": \"${PASSPHRASE}\", \"Batch\":true}, \"ForceOverwrite\": true}" "${API_URL}/publish/:./${DISTRIBUTION}"
fi fi
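Review bot: The three `# shellcheck disable=SC2086` lines silence the warning instead of removing the word splitting on `${AUTH}`; the script now uses `[[ ]]` and so already depends on bash, which means an array works without suppression: `AUTH=()` in the first branch, `AUTH=(--netrc-file "${NETRC}")` in the second, and `curl "${AUTH[@]}" ...` at each call. Separately, the publish request builds its JSON by interpolating `${PASSPHRASE}` into a string, so a passphrase containing `"` or `\` produces a malformed or altered body, and `--data` places the secret in curl's argument list; escaping the value and feeding the body on stdin with `--data @-` avoids both. None of the curl calls pass `--fail`, so an HTTP error from the API does not stop the script and a failed upload can still be followed by the publish step.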