switched from drone to gitea actions

.gitea/workflows/build_and_publish.yaml

@@ -1,6 +1,10 @@
 ---
 name: Container Publish
 
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/borgstore
+
 on:
   push:
     tags:
@@ -8,23 +12,64 @@ on:
   schedule:
     - cron: "0 12 3 * *"
   workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
 
 jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
   build-image:
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
     steps:
       - uses: actions/checkout@v4
 
       - name: Login to registry
         uses: docker/login-action@v3
         with:
-          registry: docker.asperti.com
+          registry: ${{ env.REGISTRY }}
           username: ${{ secrets.REGISTRY_USER }}
           password: ${{ secrets.REGISTRY_TOKEN }}
 
       - name: Build and publish
         run: |
-          docker build -t docker.asperti.com/paspo/borgstore:latest --platform linux/amd64 -f Dockerfile .
-          docker push docker.asperti.com/paspo/borgstore:latest
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

.gitea/workflows/vulnscan.yaml

@@ -1,21 +1,33 @@
 ---
 name: Vulnerability Scan
 
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/borgstore
+
 on:
   schedule:
     - cron: "0 14 * * *"
   workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
 
 jobs:
   scan:
     name: Daily Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
 
     steps:
       - name: Pull docker image
-        run: docker pull docker.asperti.com/paspo/borgstore:latest
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
 
       - name: Setup trivy
         run: |
@@ -32,7 +44,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         id: scan
         run: |
-          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/borgstore:latest > trivy-results.json
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
 
       # if some vulnerability is found, we fail
       - name: check output