diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index 948def7..0000000 --- a/.drone.yml +++ /dev/null @@ -1,105 +0,0 @@ ---- -kind: pipeline -type: docker -name: linux-amd64 - -platform: - arch: amd64 - os: linux - -steps: - - name: build - image: plugins/docker:linux-amd64 - settings: - dockerfile: Dockerfile - dry_run: true - repo: docker.asperti.com/paspo/smtp-relay - when: - event: - - push - - - name: build_and_publish - image: plugins/docker:linux-amd64 - settings: - dockerfile: Dockerfile - force_tag: true - password: - from_secret: docker_password - registry: docker.asperti.com - repo: docker.asperti.com/paspo/smtp-relay - squash: true - username: - from_secret: docker_username - tags: - - latest-amd64 - when: - event: - - tag - - cron - ---- -kind: pipeline -type: docker -name: linux-arm64 - -platform: - arch: arm64 - os: linux - -steps: - - name: build - image: plugins/docker:linux-arm64 - settings: - dockerfile: Dockerfile - dry_run: true - repo: docker.asperti.com/paspo/smtp-relay - when: - event: - - push - - - name: build_and_publish - image: plugins/docker:linux-arm64 - settings: - dockerfile: Dockerfile - force_tag: true - password: - from_secret: docker_password - registry: docker.asperti.com - repo: docker.asperti.com/paspo/smtp-relay - squash: true - username: - from_secret: docker_username - tags: - - latest-arm64 - when: - event: - - tag - - cron - ---- -kind: pipeline -type: docker -name: manifest - -steps: - - name: manifest - image: plugins/manifest - settings: - force_tag: true - ignore_missing: true - spec: manifest.tmpl - username: - from_secret: docker_username - password: - from_secret: docker_password - tags: - - latest - -trigger: - event: - - tag - - cron - -depends_on: - - linux-amd64 - - linux-arm64 diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml new file mode 100644 index 0000000..84b2e13 --- /dev/null +++ b/.gitea/workflows/build_and_publish.yaml 
@@ -0,0 +1,75 @@
+---
+name: Container Publish
+
+env:
+ REGISTRY: docker.asperti.com
+ REPOSITORY: paspo/smtp-relay
+
+on:
+ push:
+ tags:
+ - '*'
+ schedule:
+ - cron: "0 12 3 * *"
+ workflow_dispatch:
+ workflow_call:
+ workflow_run:
+ workflows: [vulnscan.yaml]
+ types: [completed]
+
+jobs:
+ on-success-skip:
+ runs-on:
+ labels: ubuntu-latest
+ if: ${{ github.event.workflow_run.conclusion == 'success' }}
+ steps:
+ - run: exit_with_success
+
+ build-image:
+ runs-on:
+ labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
+ container:
+ image: catthehacker/ubuntu:act-latest
+ strategy:
+ matrix:
+ arch: [amd64, arm64]
+
+ steps:
+ - uses: actions/checkout@v4
+
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Build and publish
+ run: |
+ docker build \
+ --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
+ --platform linux/${{ matrix.arch }} -f Dockerfile .
+ docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
+
+ manifest:
+ name: update docker manifest
+ needs: build-image
+ runs-on: ubuntu-latest
+ container:
+ image: catthehacker/ubuntu:act-latest
+
+ steps:
+ - name: Login to registry
+ uses: docker/login-action@v3
+ with:
+ registry: ${{ env.REGISTRY }}
+ username: ${{ secrets.REGISTRY_USER }}
+ password: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: latest
+ run: |
+ docker manifest create \
+ ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
+ --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
+ docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml
index e5d006d..bd3788a 100644
--- a/.gitea/workflows/vulnscan.yaml
+++ b/.gitea/workflows/vulnscan.yaml
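Review bot: `build-image` carries no `if`, and nothing `needs` the `on-success-skip` job, so when this workflow is started by the `workflow_run` trigger on `vulnscan.yaml` a full rebuild and push of `latest` happens after every completed scan regardless of its conclusion; the skip job can only ever pass or fail on its own without affecting anything. If the intent is to rebuild only after a failed scan, the condition belongs on the build job, e.g. `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'failure' }}` on `build-image`, with the placeholder job removed. `run: exit_with_success` is not a shell builtin or a standard command, so unless the runner host provides it that step fails with command-not-found in precisely the case it was meant to pass; `run: echo "scan passed, nothing to rebuild"` is a harmless no-op. This file also fires on completion of `vulnscan.yaml` while the vulnscan hunk in this same commit fires on completion of `build_and_publish.yaml`, which is a trigger cycle; I cannot tell from here whether the Gitea runner caps such chains, so it needs checking before merge. For supply-chain hygiene, `actions/checkout@v4`, `docker/login-action@v3` and `catthehacker/ubuntu:act-latest` are mutable references that run with registry credentials in scope; pinning the actions to full commit SHAs and the image to a digest makes what built the published image auditable.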
@@ -1,21 +1,33 @@ --- name: Vulnerability Scan +env: + REGISTRY: docker.asperti.com + REPOSITORY: paspo/smtp-relay + on: schedule: - cron: "0 14 * * *" workflow_dispatch: + workflow_call: + workflow_run: + workflows: [build_and_publish.yaml] + types: [completed] jobs: scan: name: Daily Vulnerability Scan - runs-on: ubuntu-latest + runs-on: + labels: [ubuntu-latest, "arch-${{ matrix.arch }}"] container: image: catthehacker/ubuntu:act-latest + strategy: + matrix: + arch: [amd64, arm64] steps: - name: Pull docker image - run: docker pull docker.asperti.com/paspo/smtp-relay:latest + run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest - name: Setup trivy run: | @@ -32,7 +44,7 @@ jobs: - name: Run Trivy vulnerability scanner id: scan run: | - trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json docker.asperti.com/paspo/smtp-relay:latest > trivy-results.json + trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json # if some vulnerability is found, we fail - name: check output diff --git a/manifest.tmpl b/manifest.tmpl deleted file mode 100644 index 3b7558e..0000000 --- a/manifest.tmpl +++ /dev/null @@ -1,13 +0,0 @@ -image: docker.asperti.com/paspo/smtp-relay:latest -manifests: - - - image: docker.asperti.com/paspo/smtp-relay:latest-amd64 - platform: - architecture: amd64 - os: linux - - - image: docker.asperti.com/paspo/smtp-relay:latest-arm64 - platform: - variant: v8 - architecture: arm64 - os: linux
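Review bot: Each matrix job scans whatever `latest` resolves to at pull time, and the new `Pull docker image` step records nothing about which image that was, so a scan failure cannot later be tied to a specific build or manifest push. Adding a second line to that step, `docker image inspect --format '{{index .RepoDigests 0}}' ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest`, puts the per-architecture digest in the job log next to the findings. The added `workflow_run` trigger starts a scan after every completed `build_and_publish.yaml` run, including ones whose push failed, which then re-scans whatever `latest` already pointed at; `if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}` on the `scan` job would avoid that, assuming the runner exposes the same `workflow_run` payload as GitHub does. The `scan` job continues past the end of this hunk.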
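Review bot: The rewritten trivy line still passes `${{ secrets.TRIVY_SERVER }}` and `${{ secrets.TRIVY_TOKEN }}` as command-line arguments, so both values sit in the runner host's process list for the duration of the scan and appear in any shell trace; job-log masking covers neither. Trivy reads every flag from a `TRIVY_<FLAG>` environment variable, if I recall its configuration precedence correctly, so moving the two secrets into a step-level `env:` block and dropping the flags keeps them out of argv with no change in behaviour. The `check output` step that consumes `trivy-results.json` lies outside this hunk.
```yaml
      - name: Run Trivy vulnerability scanner
        id: scan
        env:
          TRIVY_SERVER: ${{ secrets.TRIVY_SERVER }}
          TRIVY_TOKEN: ${{ secrets.TRIVY_TOKEN }}
        run: |
          trivy image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest > trivy-results.json
```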