switched from drone to gitea actions

.drone.star

@@ -1,120 +0,0 @@
-def main(ctx):
-    archs = ["amd64", "arm64"]   ## arm
-    alpine_version = "3.19"
-
-    out = []
-    for arch in archs:
-        out += onpush(ctx, alpine_version, arch)
-
-    for arch in archs:
-        out += build_publish(ctx, alpine_version, arch)
-
-    out += manifest_publish(ctx, archs)
-
-    return out
-
-def onpush(ctx, alpine_version, arch):
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "build-onpush-%s" % (arch),
-        "platform": {
-            "arch": arch,
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "build_on_push",
-            "image": "plugins/docker:linux-%s" % (arch),
-            "settings": {
-                "context": ".",
-                "dockerfile": "Dockerfile",
-                "dry_run": True,
-                "repo": "docker.asperti.com/paspo/dnscache", 
-                "build_args": [
-                    "ALPINE_VERSION=%s" % (alpine_version)
-                ],
-            },
-        }],
-        "trigger": {
-            "event": ['push'],
-        }
-    }]
-
-def build_publish(ctx, alpine_version, arch):
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "build-publish-%s" % (arch),
-        "platform": {
-            "arch": arch,
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "build_on_push",
-            "image": "plugins/docker:linux-%s" % (arch),
-            "settings": {
-                "context": ".",
-                "dockerfile": "Dockerfile",
-                "build_args": [
-                    "ALPINE_VERSION=%s" % (alpine_version)
-                ],
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                },
-                "registry": "docker.asperti.com",
-                "repo": "docker.asperti.com/paspo/dnscache",    
-                "tags": [ 
-                    "latest-%s" % (arch)
-                ],
-                "auto_tag": False,
-                "force_tag": True,
-                "daemon_off": False,            
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        },
-    }]
-
-def manifest_publish(ctx, archs):
-    return [{
-        "kind": "pipeline",
-        "type": "docker",
-        "name": "manifest",
-        "platform": {
-            "arch": archs[0],
-            "os": "linux",
-        },
-        "steps": [{
-            "name": "manifest",
-            "image": "plugins/manifest",
-            "settings": {
-                "spec": "manifest.tmpl",
-                "username": {
-                    "from_secret": "docker_username",
-                },
-                "password": {
-                    "from_secret": "docker_password",
-                }, 
-                "tags": [ 
-                    "latest"
-                ],
-                "ignore_missing": True,
-                "force_tag": True,
-            },
-        }],
-        "trigger": {
-            "ref": [
-                "refs/heads/master",
-                "refs/tags/**",
-            ],
-        },
-        "depends_on": ["build-publish-%s" % (arch) for arch in archs]
-    }]
-

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,77 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/dnscache
+  ALPINE_VERSION: "3.19"
+
+on:
+  push:
+    tags:
+      - '*'
+  schedule:
+    - cron: "0 12 3 * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --build-arg "ALPINE_VERSION=${{ env.ALPINE_VERSION }}" \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

.gitea/workflows/vulnscan.yaml

@@ -1,20 +1,33 @@
+---
 name: Vulnerability Scan
 
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/dnscache
+
 on:
   schedule:
     - cron: "0 14 * * *"
   workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
 
 jobs:
   scan:
     name: Daily Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
 
     steps:
       - name: Pull docker image
-        run: docker pull docker.asperti.com/paspo/dnscache:latest
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
 
       - name: Setup trivy
         run: |
@@ -31,7 +44,7 @@ jobs:
       - name: Run Trivy vulnerability scanner
         id: scan
         run: |
-          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/dnscache:latest > trivy-results.json
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
 
       # if some vulnerability is found, we fail
       - name: check output

manifest.tmpl

@@ -1,25 +0,0 @@
-image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}
-{{#if build.tags}}
-tags:
-{{#each build.tags}}
-  - {{this}}
-{{/each}}
-{{/if}}
-manifests:
-  -
-    image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm64
-    platform:
-      variant: v8
-      architecture: arm64
-      os: linux
-  -
-    image: docker.asperti.com/paspo/dnscache:{{#if build.tag}}{{trimPrefix "v" build.tag}}{{else}}latest{{/if}}-arm
-    platform:
-      variant: v7
-      architecture: arm
-      os: linux