fix case warning

.drone.yml

@@ -1,110 +0,0 @@
----
-kind: pipeline
-type: docker
-name: linux-amd64
-
-platform:
-  arch: amd64
-  os: linux
-
-steps:
-  - name: build
-    image: plugins/docker:linux-amd64
-    settings:
-      build_args:
-        - HUGO_ARCH=amd64
-      dockerfile: Dockerfile
-      dry_run: true
-      repo: docker.asperti.com/paspo/hugo
-    when:
-      event:
-        - push
-
-  - name: build_and_publish
-    image: plugins/docker:linux-amd64
-    settings:
-      build_args:
-        - HUGO_ARCH=amd64
-      dockerfile: Dockerfile
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/hugo
-      squash: true
-      username:
-        from_secret: docker_username
-      tags:
-        - latest-amd64
-    when:
-      event:
-        - tag
-
----
-kind: pipeline
-type: docker
-name: linux-arm64
-
-platform:
-  arch: arm64
-  os: linux
-
-steps:
-  - name: build
-    image: plugins/docker:linux-arm64
-    settings:
-      build_args:
-        - HUGO_ARCH=arm64
-      dockerfile: Dockerfile
-      dry_run: true
-      repo: docker.asperti.com/paspo/hugo
-    when:
-      event:
-        - push
-
-  - name: build_and_publish
-    image: plugins/docker:linux-arm64
-    settings:
-      build_args:
-        - HUGO_ARCH=arm64
-      dockerfile: Dockerfile
-      force_tag: true
-      password:
-        from_secret: docker_password
-      registry: docker.asperti.com
-      repo: docker.asperti.com/paspo/hugo
-      squash: true
-      username:
-        from_secret: docker_username
-      tags:
-        - latest-arm64
-    when:
-      event:
-        - tag
-
----
-kind: pipeline
-type: docker
-name: manifest
-
-steps:
-  - name: manifest
-    image: plugins/manifest
-    settings:
-      force_tag: true
-      ignore_missing: true
-      spec: manifest.tmpl
-      username:
-        from_secret: docker_username
-      password:
-        from_secret: docker_password
-      tags:
-        - latest
-
-trigger:
-  event:
-    - tag
-
-depends_on:
-  - linux-amd64
-  - linux-arm64

.gitea/workflows/build_and_publish.yaml

@@ -0,0 +1,76 @@
+---
+name: Container Publish
+
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/hugo
+
+on:
+  push:
+    tags:
+      - '*'
+  schedule:
+    - cron: "0 12 3 * *"
+  workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [vulnscan.yaml]
+    types: [completed]
+
+jobs:
+  on-success-skip:
+    runs-on:
+      labels: ubuntu-latest
+    if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    steps:
+      - run: exit_with_success
+
+  build-image:
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+    container:
+      image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Build and publish
+        run: |
+          docker build \
+            --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+            --build-arg HUGO_ARCH=${{ matrix.arch }} \
+            --platform linux/${{ matrix.arch }} -f Dockerfile .
+          docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+  manifest:
+    name: update docker manifest
+    needs: build-image
+    runs-on: ubuntu-latest
+    container:
+      image: catthehacker/ubuntu:act-latest
+
+    steps:
+      - name: Login to registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USER }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: latest
+        run: |
+          docker manifest create \
+            ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+            --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+          docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest

.gitea/workflows/vulnscan.yaml

@@ -1,28 +1,50 @@
+---
 name: Vulnerability Scan
 
+env:
+  REGISTRY: docker.asperti.com
+  REPOSITORY: paspo/hugo
+
 on:
   schedule:
     - cron: "0 14 * * *"
   workflow_dispatch:
+  workflow_call:
+  workflow_run:
+    workflows: [build_and_publish.yaml]
+    types: [completed]
 
 jobs:
   scan:
     name: Daily Vulnerability Scan
-    runs-on: ubuntu-latest
+    runs-on:
+      labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
     container:
       image: catthehacker/ubuntu:act-latest
+    strategy:
+      matrix:
+        arch: [amd64, arm64]
 
     steps:
       - name: Pull docker image
-        run: docker pull docker.asperti.com/${{ github.repository_owner }}/hugo:latest
+        run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
 
       - name: Run Trivy vulnerability scanner
         id: scan
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: "docker.asperti.com/${{ github.repository_owner }}/hugo:latest"
-          format: "json"
-          output: "trivy-results.json"
+        run: |
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
 
       # if some vulnerability is found, we fail
       - name: check output

Dockerfile

@@ -1,24 +1,26 @@
-##### this stage will download latest deb package
+##### this stage will download latest tarball
 
-FROM alpine:latest as prep
+FROM alpine:latest AS prep
 
 ARG HUGO_ARCH=amd64
 
 RUN \
-    apk -U add lastversion && \
-    wget $(lastversion --filter "hugo_extended_.*\-${HUGO_ARCH}\.deb$" --pre gohugoio/hugo  --format assets ) -O /tmp/hugo.deb
-
+    apk --no-cache upgrade && \
+    apk --no-cache add curl jq && \
+    LATEST_RELEASE=$(curl -L -s -H 'Accept: application/json' https://github.com/gohugoio/hugo/releases/latest | jq --raw-output ".tag_name" | sed 's/^v//' ) && \
+    LATEST_RELEASE=0.139.4 && \
+    URL="https://github.com/gohugoio/hugo/releases/download/v${LATEST_RELEASE}/hugo_extended_${LATEST_RELEASE}_linux-${HUGO_ARCH}.tar.gz " && \
+    echo "Downloading: ${URL}" && \
+    wget "${URL}" -O - | tar xzv -C /tmp
 
 ##### final image
 
-FROM debian:12-slim
+FROM alpine:latest
 
-COPY --from=prep /tmp/hugo.deb /tmp/hugo.deb
+COPY --from=prep /tmp/hugo /usr/local/bin/hugo
 
 RUN \
-    apt update && \
-    DEBIAN_FRONTEND=noninteractive apt -y upgrade && \
-    apt install -y /tmp/hugo.deb && \
-    rm -rf /var/lib/apt/lists/ /tmp/hugo.deb
+    apk --no-cache upgrade && \
+    apk --no-cache add git gcompat libstdc++
 
 ENTRYPOINT [ "/usr/local/bin/hugo" ]

README.md

@@ -48,7 +48,3 @@ steps:
     commands:
       - "hugo -s /drone/src --gc --minify"
 ```
-
-## TODO
-
-- Auto build and update based on hugo version

manifest.tmpl

@@ -1,13 +0,0 @@
-image: docker.asperti.com/paspo/hugo:latest
-manifests:
-  -
-    image: docker.asperti.com/paspo/hugo:latest-amd64
-    platform:
-      architecture: amd64
-      os: linux
-  -
-    image: docker.asperti.com/paspo/hugo:latest-arm64
-    platform:
-      variant: v8
-      architecture: arm64
-      os: linux