paspo/docker-webserver-nginx
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Releases Activity

switched from drone to gitea actions
All checks were successful
Container Publish / on-success-skip (push) Has been skipped
Details
Container Publish / build-image (arm64) (push) Successful in 32s
Details
Container Publish / build-image (amd64) (push) Successful in 51s
Details
Container Publish / update docker manifest (push) Successful in 11s
Details
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest) (push) Successful in 5s
Details
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest) (push) Successful in 17s
Details
Vulnerability Scan / Daily Vulnerability Scan (arm64, latest-php74) (push) Successful in 5s
Details
Vulnerability Scan / Daily Vulnerability Scan (amd64, latest-php74) (push) Successful in 18s
Details

Browse Source
This commit is contained in:
Paolo Asperti
2025-06-15 13:40:22 +02:00
parent ad504a8c4f
commit 6b9c9d86e6
3 changed files with 115 additions and 64 deletions
Download Patch File Download Diff File Expand all files Collapse all files

91
.gitea/workflows/build_and_publish.yaml Normal file
View File

@@ -0,0 +1,91 @@
---
name: Container Publish
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/webserver-nginx
on:
push:
tags:
- '*'
schedule:
- cron: "0 12 3 * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [vulnscan.yaml]
types: [completed]
jobs:
on-success-skip:
runs-on:
labels: ubuntu-latest
if: ${{ github.event.workflow_run.conclusion == 'success' }}
steps:
- run: exit_with_success
build-image:
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
steps:
- uses: actions/checkout@v4
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: Build and publish
run: |
docker build \
--tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }} \
--platform linux/${{ matrix.arch }} -f Dockerfile .
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-${{ matrix.arch }}
- name: Build and publish php74
run: |
docker build \
--tag ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }} \
--platform linux/${{ matrix.arch }} -f Dockerfile .
docker push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-${{ matrix.arch }}
manifest:
name: update docker manifest
needs: build-image
runs-on: ubuntu-latest
container:
image: catthehacker/ubuntu:act-latest
steps:
- name: Login to registry
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ secrets.REGISTRY_USER }}
password: ${{ secrets.REGISTRY_TOKEN }}
- name: latest
run: |
docker manifest create \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-amd64 \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-arm64
docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest
- name: latest
run: |
docker manifest create \
${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74 \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-amd64 \
--amend ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74-arm64
docker manifest push ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:latest-php74

41
.gitea/workflows/vulnscan.yaml
View File

@@ -1,44 +1,51 @@
---
name: Vulnerability Scan
env:
REGISTRY: docker.asperti.com
REPOSITORY: paspo/webserver-nginx
on:
schedule:
- cron: "0 14 * * *"
workflow_dispatch:
workflow_call:
workflow_run:
workflows: [build_and_publish.yaml]
types: [completed]
jobs:
scan:
name: Daily Vulnerability Scan
runs-on: ubuntu-latest
runs-on:
labels: [ubuntu-latest, "arch-${{ matrix.arch }}"]
container:
image: catthehacker/ubuntu:act-latest
strategy:
matrix:
arch: [amd64, arm64]
tag: [latest, latest-php74]
steps:
- name: Pull docker image
run: docker pull docker.asperti.com/paspo/webserver-nginx:latest
- uses: actions/cache/restore@v4
with:
path: |
/root/.cache/trivy
key: trivy-db
run: docker pull ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }}
- name: Setup trivy
run: |
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.57.1/trivy_0.57.1_Linux-64bit.deb
echo "Installing Trivy for arch: $(uname -m)"
case $(uname -m) in
x86_64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-64bit.deb ;;
aarch64)
wget -O /tmp/trivy.deb https://github.com/aquasecurity/trivy/releases/download/v0.58.2/trivy_0.58.2_Linux-ARM64.deb ;;
*) exit 1 ;;
esac
dpkg -i /tmp/trivy.deb
- name: Run Trivy vulnerability scanner
id: scan
run: |
trivy image --format json docker.asperti.com/paspo/webserver-nginx:latest > trivy-results.json
- uses: actions/cache/save@v4
if: always() # salva in cache anche se trova vulnerabilità
with:
path: |
/root/.cache/trivy
key: trivy-db
trivy --server ${{ secrets.TRIVY_SERVER }} --token ${{ secrets.TRIVY_TOKEN }} image --format json ${{ env.REGISTRY }}/${{ env.REPOSITORY }}:${{ matrix.tag }} > trivy-results.json
# if some vulnerability is found, we fail
- name: check output