switched from drone to gitea actions

2025-06-12 23:49:30 +02:00
parent 4b63427319
commit d6a005e72b
4 changed files with 160 additions and 55 deletions
--- a/.gitea/workflows/build_and_publish.yaml
+++ b/.gitea/workflows/build_and_publish.yaml
@@ -0,0 +1,92 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/barracudavpn
+
+on:
+  push:
+    tags:
+      - '*'
+  schedule:
+    - cron: "0 12 3 * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        include:
+          - ver: "5.2.2"
+            debname: barracudavpn_5.2.2_amd64.deb
+            url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.2.2_Linux.tar.gz
+            arch: amd64
+          - ver: "5.1.4"
+            debname: barracudavpn_5.1.4_amd64.deb
+            url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.1.4_Linux.tar.gz
+            arch: amd64
+          - ver: "5.0.2.7"
+            debname: barracudavpn_5.0.2.7_amd64.deb
+            url: https://d.barracudanetworks.com/VPN/Linux/VPNClient_5.0.2.7_Linux.tar.gz
+            arch: amd64
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          cd src
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-${{ matrix.arch }} \
+            --build-arg URL=${{ matrix.url }} \
+            --build-arg DEBNAME=${{ matrix.debname }} \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        ver: ["5.2.2", "5.1.4", "5.0.2.7"]
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}-amd64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
@@ -0,0 +1,65 @@
+---
+name: Vulnerability Scan
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/barracudavpn
+
+on:
+  schedule:
+    - cron: "0 14 * * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
+
+jobs:
+  scan:
+    name: Daily Vulnerability Scan
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64]
+        ver: ["5.2.2", "5.1.4", "5.0.2.7"]
+
+    steps:
+      - name: Pull docker image
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }}
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
+
+      - name: Run Trivy vulnerability scanner
+        id: scan
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.ver }} > trivy-results.json
+
+      # if some vulnerability is found, we fail
+      - name: check output
+        id: vulncount
+        run: |
+          echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+          if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+      - name: send telegram notification
+        if: failure()
+        uses: appleboy/telegram-action@master
+        with:
+          to: ${{ secrets.TELEGRAM_TO }}
+          token: ${{ secrets.TELEGRAM_TOKEN }}
+          format: markdown
+          message: |
+            Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`