trivy multiarch

.drone.yml

@@ -39,6 +39,7 @@ steps:
     when:
       event:
         - tag
+        - cron
 
 ---
 kind: pipeline
@@ -81,6 +82,7 @@ steps:
     when:
       event:
         - tag
+        - cron
 
 ---
 kind: pipeline
@@ -104,6 +106,7 @@ steps:
 trigger:
   event:
     - tag
+    - cron
 
 depends_on:
   - linux-amd64

.gitea/workflows/vulnscan.yaml

@@ -1,3 +1,4 @@
+---
 name: Vulnerability Scan
 
 on:
@@ -14,15 +15,24 @@ jobs:
 
     steps:
       - name: Pull docker image
-        run: docker pull docker.asperti.com/${{ github.repository_owner }}/hugo:latest
+        run: docker pull docker.asperti.com/paspo/hugo:latest
+
+      - name: Setup trivy
+        run: |
+          echo "Installing Trivy for arch: $(uname -m)"
+          case $(uname -m) in
+            x86_64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+            aarch64)
+              wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+            *) exit 1 ;;
+          esac
+          dpkg -i /tmp/trivy.deb
 
       - name: Run Trivy vulnerability scanner
         id: scan
-        uses: aquasecurity/trivy-action@master
+        run: |
-        with:
+          trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/hugo:latest > trivy-results.json
-          image-ref: "docker.asperti.com/${{ github.repository_owner }}/hugo:latest"
-          format: "json"
-          output: "trivy-results.json"
 
       # if some vulnerability is found, we fail
       - name: check output

Dockerfile

@@ -1,24 +1,26 @@
-##### this stage will download latest deb package
+##### this stage will download latest tarball
 
 FROM alpine:latest as prep
 
 ARG HUGO_ARCH=amd64
 
 RUN \
-    apk -U add lastversion && \
+    apk --no-cache upgrade && \
-    wget $(lastversion --filter "hugo_extended_.*\-${HUGO_ARCH}\.deb$" --pre gohugoio/hugo  --format assets ) -O /tmp/hugo.deb
+    apk --no-cache add curl jq && \
-
+    LATEST_RELEASE=$(curl -L -s -H 'Accept: application/json' https://github.com/gohugoio/hugo/releases/latest | jq --raw-output ".tag_name" | sed 's/^v//' ) && \
+    LATEST_RELEASE=0.139.4 && \
+    URL="https://github.com/gohugoio/hugo/releases/download/v${LATEST_RELEASE}/hugo_extended_${LATEST_RELEASE}_linux-${HUGO_ARCH}.tar.gz " && \
+    echo "Downloading: ${URL}" && \
+    wget "${URL}" -O - | tar xzv -C /tmp
 
 ##### final image
 
-FROM debian:12-slim
+FROM alpine:latest
 
-COPY --from=prep /tmp/hugo.deb /tmp/hugo.deb
+COPY --from=prep /tmp/hugo /usr/local/bin/hugo
 
 RUN \
-    apt update && \
+    apk --no-cache upgrade && \
-    DEBIAN_FRONTEND=noninteractive apt -y upgrade && \
+    apk --no-cache add git gcompat libstdc++
-    apt install -y /tmp/hugo.deb && \
-    rm -rf /var/lib/apt/lists/ /tmp/hugo.deb
 
 ENTRYPOINT [ "/usr/local/bin/hugo" ]

README.md

@@ -48,7 +48,3 @@ steps:
     commands:
       - "hugo -s /drone/src --gc --minify"
 ```
-
-## TODO
-
-- Auto build and update based on hugo version