fix build pipeline

.drone.yml

@@ -1,21 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/docker-aptly-pusher
-      tags:
-        - latest
-      force_tag: true
-      username:
-        from_secret: docker_username
-
-trigger:
-  event:
-    - tag

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,73 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/docker-aptly-pusher
+
+on:
+  push:
+  schedule:
+    - cron: "0 12 * * 3"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} --no-cache -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

.gitea/workflows/vulnscan.yaml

@@ -0,0 +1,64 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/docker-aptly-pusher
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest`

Dockerfile

@@ -1,9 +1,9 @@
-FROM alpine:3.15
+FROM alpine:latest
 
 RUN \
-  apk -U upgrade && \
-  apk add curl bash
+  apk --no-cache upgrade && \
+  apk --no-cache add curl bash
 
-COPY run.sh /
+COPY --chown=root:root --chmod=0755 run.sh /
 
 ENTRYPOINT [ "/run.sh" ]

run.sh

@@ -3,24 +3,24 @@
 # parameters
 
 FILES=${PLUGIN_FILES:-"*"}
-API_URL=${PLUGIN_API_URL}
-REPO=${PLUGIN_REPO}
-DISTRIBUTION=${PLUGIN_DISTRIBUTION}
-PASSPHRASE=${PLUGIN_PASSPHRASE}
-HTTP_USER=${PLUGIN_HTTP_USER}
-HTTP_PASS=${PLUGIN_HTTP_PASS}
+API_URL=${PLUGIN_API_URL:-}
+REPO=${PLUGIN_REPO:-}
+DISTRIBUTION=${PLUGIN_DISTRIBUTION:-}
+PASSPHRASE=${PLUGIN_PASSPHRASE:-}
+HTTP_USER=${PLUGIN_HTTP_USER:-}
+HTTP_PASS=${PLUGIN_HTTP_PASS:-}
 
-if [ -z "$API_URL" ] ; then
+if [[ -z "${API_URL}" ]] ; then
     echo "API_URL is required"
     exit 1
 fi
 
-if [ -z "$REPO" ] ; then
+if [[ -z "${REPO}" ]] ; then
     echo "REPO is required"
     exit 1
 fi
 
-if [ -z "$DISTRIBUTION" ] ; then
+if [[ -z "${DISTRIBUTION}" ]] ; then
     echo "DISTRIBUTION is required"
     exit 1
 fi
@@ -30,28 +30,31 @@ TMPDIR=$( mktemp -d )
 UPLOADDIRNAME=$( head /dev/urandom | tr -dc A-Za-z0-9 | head -c 16 )
 NETRC=$( mktemp )
 
-if [ -z "${HTTP_USER}" ] || [ -z "${HTTP_PASS}" ] ; then
+if [[ -z "${HTTP_USER}" || -z "${HTTP_PASS}" ]] ; then
   AUTH=""
 else
-  HOST=$(echo "$API_URL" | sed -E 's/^https?\:\/\/(.*)\/.*/\1/g' )
-  echo "machine ${HOST} login ${HTTP_USER} password ${HTTP_PASS}" > "$NETRC"
+  HOST=$(echo "${API_URL}" | sed -E 's/^https?\:\/\/(.*)\/.*/\1/g' )
+  echo "machine ${HOST} login ${HTTP_USER} password ${HTTP_PASS}" > "${NETRC}"
   AUTH="--netrc-file ${NETRC}"
 fi
 
-# maybe do this better, it can lead to unwanted word splitting
+# TODO: maybe do this better, it can lead to unwanted word splitting
 cp -r $( echo "${FILES}" | sed 's/\([^\\]\)\,/\1 /g' ) "${TMPDIR}/"
 
 cd "${TMPDIR}" || exit
 for file in *.deb ; do
     echo "uploading '$file' to remote directory '${UPLOADDIRNAME}'"
+    # shellcheck disable=SC2086
     curl ${AUTH} -X POST -F "file=@${file}" "${API_URL}/files/${UPLOADDIRNAME}"
 done
 
 echo "Adding files to ${REPO}"
+# shellcheck disable=SC2086
 curl ${AUTH} -X POST "${API_URL}/repos/${REPO}/file/${UPLOADDIRNAME}"
 
-if [ -n "${PASSPHRASE}" ] ; then
+if [[ -n "${PASSPHRASE}" ]] ; then
     echo "Signing and publishing ${REPO}"
+    # shellcheck disable=SC2086
     curl ${AUTH} -X PUT -H 'Content-Type: application/json' --data "{\"Signing\": {\"Passphrase\": \"${PASSPHRASE}\", \"Batch\":true}, \"ForceOverwrite\": true}" "${API_URL}/publish/:./${DISTRIBUTION}"
 fi