From 4f9dd8f51f55a7d907cd8dd6d7206962ab810f81 Mon Sep 17 00:00:00 2001
From: paspo
Date: Fri, 13 Jun 2025 08:19:45 +0200
Subject: [PATCH] switched from drone to gitea actions
---
.drone.yaml | 45 ---------------
.gitea/workflows/build_and_publish.yaml | 76 +++++++++++++++++++++++++
.gitea/workflows/vulnscan.yaml | 64 +++++++++++++++++++++
{docker => src}/Dockerfile | 0
{docker => src}/entrypoint.sh | 0
{docker => src}/logrotate-cron | 0
6 files changed, 140 insertions(+), 45 deletions(-)
delete mode 100644 .drone.yaml
create mode 100644 .gitea/workflows/build_and_publish.yaml
create mode 100644 .gitea/workflows/vulnscan.yaml
rename {docker => src}/Dockerfile (100%)
rename {docker => src}/entrypoint.sh (100%)
rename {docker => src}/logrotate-cron (100%)
diff --git a/.drone.yaml b/.drone.yaml
deleted file mode 100644
index f465072..0000000
--- a/.drone.yaml
+++ /dev/null
@@ -1,45 +0,0 @@
-kind: pipeline
-type: docker
-name: default
-
-steps:
- - name: build_and_publish_tag
- image: plugins/docker:linux-amd64
- settings:
- force_tag: true
- password:
- from_secret: docker_password
- registry: docker.asperti.com
- repo: docker.asperti.com/paspo/python-runner
- context: docker
- dockerfile: docker/Dockerfile
- username:
- from_secret: docker_username
- tags:
- - latest
- - ${DRONE_TAG}
- - ${DRONE_SEMVER_MAJOR}.${DRONE_SEMVER_MINOR}
- when:
- event:
- - tag
-
- - name: build_and_publish
- image: plugins/docker:linux-amd64
- settings:
- force_tag: true
- password:
- from_secret: docker_password
- registry: docker.asperti.com
- repo: docker.asperti.com/paspo/python-runner
- context: docker
- dockerfile: docker/Dockerfile
- username:
- from_secret: docker_username
- tags:
- - latest
- when:
- branch:
- - main
- event:
- - push
- - cron
diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml
new file mode 100644
index 0000000..ee8d673
--- /dev/null
+++ b/.gitea/workflows/build_and_publish.yaml
@@ -0,0 +1,76 @@
+---
+name: Container Publish
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/python-runner
+
+on:
+ push:
+ tags:
+ - '*'
+ schedule:
+ - cron: "0 12 3 * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [vulnscan.yaml]
+ types: [completed]
+
+jobs:
+ on-success-skip:
+ runs-on:
+ labels: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - run: exit_with_success
+
+ build-image:
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Build and publish
+ run: |
+ cd src
+ docker build \
+ --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+ --platform linux/${{ matrix.arch }} -f Dockerfile .
+ docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+ manifest:
+ name: update docker manifest
+ needs: build-image
+ runs-on: ubuntu-latest
+ container:
+ image: catthehacker/ubuntu:act-latest
+
+ steps:
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: latest
+ run: |
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+ docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
new file mode 100644
index 0000000..85a646c
--- /dev/null
+++ b/.gitea/workflows/vulnscan.yaml
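Review bot: The `on-success-skip` job does not gate anything: `build-image` has no `needs:` on it, and its only step runs `exit_with_success`, which is not a command, so the job simply fails whenever `github.event.workflow_run.conclusion == 'success'`. Together with this file's `workflow_run: workflows: [vulnscan.yaml]` and the reciprocal `workflow_run: workflows: [build_and_publish.yaml]` in vulnscan.yaml, every completed run of either workflow triggers the other, so a build and a scan would keep retriggering each other if the runner honors `workflow_run`. I would drop the `workflow_run` trigger and the `on-success-skip` job here and let only the scan react to a completed build; if a scan-driven rebuild is really wanted, add `needs: on-success-skip` to `build-image` and change the step to `run: exit 0` so the gate actually holds. Separately, the Drone config published `${DRONE_TAG}` and `${DRONE_SEMVER_MAJOR}.${DRONE_SEMVER_MINOR}` tags on tag events, but this workflow only ever pushes the mutable `latest`, so `push: tags: '*'` produces no version-pinned image and consumers lose the ability to pin or roll back. Pinning `docker/login-action@v3`, `actions/checkout@v4` and `catthehacker/ubuntu:act-latest` to a digest or full commit SHA would also narrow the supply-chain exposure of `REGISTRY_USER`/`REGISTRY_TOKEN`.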
@@ -0,0 +1,64 @@
+---
+name: Vulnerability Scan
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/python-runner
+
+on:
+ schedule:
+ - cron: "0 14 * * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [build_and_publish.yaml]
+ types: [completed]
+
+jobs:
+ scan:
+ name: Daily Vulnerability Scan
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+
+ steps:
+ - name: Pull docker image
+ run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
+
+ - name: Setup trivy
+ run: |
+ echo "Installing Trivy for arch: $(uname -m)"
+ case $(uname -m) in
+ x86_64)
+ wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
+ aarch64)
+ wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
+ *) exit 1 ;;
+ esac
+ dpkg -i /tmp/trivy.deb
+
+ - name: Run Trivy vulnerability scanner
+ id: scan
+ run: |
+ trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
+
+ # if some vulnerability is found, we fail
+ - name: check output
+ id: vulncount
+ run: |
+ echo "VULNCOUNT=$(jq '.Results[0].Vulnerabilities|length' trivy-results.json)" >> ${GITHUB_OUTPUT}
+ if [ $(jq '.Results[0].Vulnerabilities|length' trivy-results.json) -ne "0" ] ; then exit 1 ; fi
+
+ - name: send telegram notification
+ if: failure()
+ uses: appleboy/telegram-action@master
+ with:
+ to: ${{ secrets.TELEGRAM_TO }}
+ token: ${{ secrets.TELEGRAM_TOKEN }}
+ format: markdown
+ message: |
+ Found **${{ steps.vulncount.outputs.VULNCOUNT }}** vulnerabilities in `${{ github.repository }}`
diff --git a/docker/Dockerfile b/src/Dockerfile
similarity index 100%
rename from docker/Dockerfile
rename to src/Dockerfile
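Review bot: The gate in the `check output` step only counts `.Results[0].Vulnerabilities`, but Trivy's JSON report carries one `Results` entry per scanned target (the OS package set and each detected language ecosystem separately), so findings in any later entry — such as the Python packages this image presumably ships — never fail the job and never reach the notification count. Count across all entries once into a shell variable and reuse it for both `GITHUB_OUTPUT` and the exit check: `COUNT=$(jq '[.Results[]?.Vulnerabilities // [] | length] | add // 0' trivy-results.json)`, then `echo "VULNCOUNT=${COUNT}" >> "${GITHUB_OUTPUT}"` and `[ "${COUNT}" -eq 0 ] || exit 1`. The scanner itself is installed by `wget` of a release `.deb` with no checksum verification, and the notifier is `appleboy/telegram-action@master`, a floating branch ref that receives `TELEGRAM_TOKEN`; pin both (the published checksum for the `.deb`, a release tag or commit SHA for the action) so the scan's own supply chain is not weaker than the image it checks. `TRIVY_SERVER` and `TRIVY_TOKEN` are interpolated directly into the `run:` script via `${{ secrets.* }}`; passing them through the step's `env:` and referencing `"$TRIVY_TOKEN"` in the shell keeps them out of the command text and avoids shell re-interpretation of the value.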
diff --git a/docker/entrypoint.sh b/src/entrypoint.sh
similarity index 100%
rename from docker/entrypoint.sh
rename to src/entrypoint.sh
diff --git a/docker/logrotate-cron b/src/logrotate-cron
similarity index 100%
rename from docker/logrotate-cron
rename to src/logrotate-cron