From 6b9c9d86e66c6ca4c7f4d1c88ec9b7d3f63f7293 Mon Sep 17 00:00:00 2001 From: paspo Date: Sun, 15 Jun 2025 13:40:22 +0200 Subject: [PATCH] switched from drone to gitea actions --- .drone.yml | 47 ------------- .gitea/workflows/build_and_publish.yaml | 91 +++++++++++++++++++++++++ .gitea/workflows/vulnscan.yaml | 41 ++++++----- 3 files changed, 115 insertions(+), 64 deletions(-) delete mode 100644 .drone.yml create mode 100644 .gitea/workflows/build_and_publish.yaml diff --git a/.drone.yml b/.drone.yml deleted file mode 100644 index faa0da3..0000000 --- a/.drone.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- -kind: pipeline -type: docker -name: default - -steps: - - name: build_and_publish - image: plugins/docker:linux-amd64 - settings: - force_tag: true - password: - from_secret: docker_password - registry: docker.asperti.com - repo: docker.asperti.com/paspo/webserver-nginx - context: . - dockerfile: ./Dockerfile - username: - from_secret: docker_username - tags: - - latest - when: - branch: - - master - event: - - push - - cron - - - name: build_and_publish_php74 - image: plugins/docker:linux-amd64 - settings: - force_tag: true - password: - from_secret: docker_password - registry: docker.asperti.com - repo: docker.asperti.com/paspo/webserver-nginx - context: . - dockerfile: ./Dockerfile-php74 - username: - from_secret: docker_username - tags: - - latest-php74 - when: - branch: - - master - event: - - push - - cron diff --git a/.gitea/workflows/build_and_publish.yaml b/.gitea/workflows/build_and_publish.yaml new file mode 100644 index 0000000..0690f20 --- /dev/null +++ b/.gitea/workflows/build_and_publish.yaml @@ -0,0 +1,91 @@ +--- +name: Container Publish + +env: + REGISTRY: docker.asperti.com + REPOSITORY: paspo/webserver-nginx + +on: + push: + tags: + - '*' + schedule: + - cron: "0 12 3 * *" + workflow_dispatch: + workflow_call: + workflow_run: + workflows: [vulnscan.yaml] + types: [completed] + +jobs: + on-success-skip: + runs-on: + labels: ubuntu-latest + if: ${{ github.event.workflow_run.conclusion == 'success' }} + steps: + - run: exit_with_success + + build-image: + runs-on: + labels: [ubuntu-latest, "arch-${{ matrix.arch }}"] + container: + image: catthehacker/ubuntu:act-latest + strategy: + matrix: + arch: [amd64, arm64] + + steps: + - uses: actions/checkout@v4 + + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: Build and publish + run: | + docker build \ + --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \ + --platform linux/${{ matrix.arch }} -f Dockerfile . + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} + + - name: Build and publish php74 + run: | + docker build \ + --tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \ + --platform linux/${{ matrix.arch }} -f Dockerfile . + docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} + + + manifest: + name: update docker manifest + needs: build-image + runs-on: ubuntu-latest + container: + image: catthehacker/ubuntu:act-latest + + steps: + - name: Login to registry + uses: docker/login-action@v3 + with: + registry: ${{ env.REGISTRY }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_TOKEN }} + + - name: latest + run: | + docker manifest create \ + ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \ + --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \ + --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64 + docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest + + - name: latest + run: | + docker manifest create \ + ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \ + --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \ + --amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64 + docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 diff --git a/.gitea/workflows/vulnscan.yaml b/.gitea/workflows/vulnscan.yaml index fdafe89..64093bc 100644 --- a/.gitea/workflows/vulnscan.yaml +++ b/.gitea/workflows/vulnscan.yaml @@ -1,44 +1,51 @@ --- name: Vulnerability Scan +env: + REGISTRY: docker.asperti.com + REPOSITORY: paspo/webserver-nginx + on: schedule: - cron: "0 14 * * *" workflow_dispatch: + workflow_call: + workflow_run: + workflows: [build_and_publish.yaml] + types: [completed] jobs: scan: name: Daily Vulnerability Scan - runs-on: ubuntu-latest + runs-on: + labels: [ubuntu-latest, "arch-${{ matrix.arch }}"] container: image: catthehacker/ubuntu:act-latest + strategy: + matrix: + arch: [amd64, arm64] + tag: [latest, latest-php74] steps: - name: Pull docker image - run: docker pull docker.asperti.com/paspo/webserver-nginx:latest - - - uses: actions/cache/restore@v4 - with: - path: | - /root/.cache/trivy - key: trivy-db + run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} - name: Setup trivy run: | - wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb + echo "Installing Trivy for arch: $(uname -m)" + case $(uname -m) in + x86_64) + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;; + aarch64) + wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;; + *) exit 1 ;; + esac dpkg -i /tmp/trivy.deb - name: Run Trivy vulnerability scanner id: scan run: | - trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json - - - uses: actions/cache/save@v4 - if: always() # salva in cache anche se trova vulnerabilità - with: - path: | - /root/.cache/trivy - key: trivy-db + trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json # if some vulnerability is found, we fail - name: check output