From c8dd558ffbc5e3675b602d26270ad58541c715fa Mon Sep 17 00:00:00 2001
From: Samuel Aubertin
Date: Sun, 11 Jan 2026 12:46:53 +0100
Subject: [PATCH] init
---
.forgejo/workflows/ci.yaml | 71 ++++++++++++++++++++++++++++++++++++++
Dockerfile | 4 +++
README.md | 7 ++++
app.sh | 4 +++
4 files changed, 86 insertions(+)
create mode 100644 .forgejo/workflows/ci.yaml
create mode 100644 Dockerfile
create mode 100644 README.md
create mode 100644 app.sh
diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml
new file mode 100644
index 0000000..572f818
--- /dev/null
+++ b/.forgejo/workflows/ci.yaml
@@ -0,0 +1,71 @@
+name: ci-workflow
+
+on:
+ push:
+ branches:
+ - main
+ workflow_dispatch: {}
+
+jobs:
+ build-and-scan:
+ runs-on: docker
+ env:
+ REGISTRY_HOST: ${{ vars.REGISTRY_HOST }}
+ IMAGE_NAMESPACE: ${{ vars.IMAGE_NAMESPACE }}
+ IMAGE_NAME: ${{ vars.IMAGE_NAME }}
+ CI_GREETING: ${{ vars.CI_GREETING }}
+ DEFECTDOJO_URL: ${{ vars.DEFECTDOJO_URL }}
+ DEFECTDOJO_PRODUCT_TYPE: ${{ vars.DEFECTDOJO_PRODUCT_TYPE }}
+ DEFECTDOJO_PRODUCT: ${{ vars.DEFECTDOJO_PRODUCT }}
+ DEFECTDOJO_ENGAGEMENT: ${{ vars.DEFECTDOJO_ENGAGEMENT }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ - name: Show variables and secrets
+ run: |
+ echo "Greeting: ${CI_GREETING}"
+ echo "HELLO_SECRET length: ${#HELLO_SECRET}"
+ env:
+ HELLO_SECRET: ${{ secrets.HELLO_SECRET }}
+
+ - name: Build image
+ run: |
+ IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
+ echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
+ docker build -t "${IMAGE_REF}" .
+
+ - name: Login to Forgejo package registry
+ run: |
+ echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
+ env:
+ REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
+ REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}
+
+ - name: Push image
+ run: |
+ docker push "${IMAGE_REF}"
+
+ - name: Trivy scan (securecodebox)
+ run: |
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v "${PWD}:/workspace" \
+ -w /workspace \
+ docker.io/aquasec/trivy:0.58.1 \
+ image --no-progress --format json --output trivy-results.json "${IMAGE_REF}"
+
+ - name: Upload to DefectDojo
+ run: |
+ curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
+ -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
+ -F "scan_type=Trivy Scan" \
+ -F "minimum_severity=Low" \
+ -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
+ -F "product_name=${DEFECTDOJO_PRODUCT}" \
+ -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
+ -F "file=@trivy-results.json" \
+ -F "verified=true" \
+ -F 
"active=true"
+ env:
+ DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}
diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..e2bf091
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,4 @@
+FROM alpine:3.20
+COPY app.sh /usr/local/bin/app.sh
+RUN chmod +x /usr/local/bin/app.sh
+CMD ["/usr/local/bin/app.sh"]
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..6ea67d1
--- /dev/null
+++ b/README.md
@@ -0,0 +1,7 @@
+# Forgejo Actions
+
+This repository demonstrates Forgejo Actions with the SKZ runner.
+
+- Build and push a container image to the Forgejo package registry.
+- Showcase Actions secrets and variables.
+- Run a Trivy image scan and upload results to DefectDojo.
diff --git a/app.sh b/app.sh
new file mode 100644
index 0000000..3e3f93b
--- /dev/null
+++ b/app.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -eu
+echo "Hello from Forgejo Actions"
+echo "CI_GREETING=${CI_GREETING:-unset}"
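Review bot: The Trivy step runs after `docker push`, so the image is already in the registry whatever the scan finds, and no step fails the job on findings. Move the scan ahead of the login and push steps and make it gate, e.g. `image --no-progress --exit-code 1 --severity HIGH,CRITICAL --format json --output trivy-results.json "${IMAGE_REF}"`, with `if: always()` on the upload step so results still reach DefectDojo when the gate trips. Mounting `/var/run/docker.sock` gives the scanner container control of the runner's Docker daemon; since the image was just built locally, `docker save "${IMAGE_REF}" -o image.tar` followed by `trivy image --input image.tar` removes the need for the socket mount. `-F "verified=true"` marks every imported finding as human-verified at import time, which misrepresents triage state in DefectDojo; drop it or send `false`. Pinning `docker.io/aquasec/trivy:0.58.1` by digest and `actions/checkout@v4` by commit SHA rather than mutable tags would make the scan tooling itself reproducible.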
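Review bot: There is no `USER` instruction, so `CMD` runs `app.sh` as root inside the container; adding `RUN adduser -D -H app` and `USER app` before `CMD` drops that privilege for a script that only echoes. `FROM alpine:3.20` is a mutable tag, so the base layers can change between builds; pin it as `alpine:3.20@sha256:<digest>` (placeholder) so the Trivy result produced in ci.yaml refers to a fixed base. `COPY --chmod=755 app.sh /usr/local/bin/app.sh` would fold the separate `RUN chmod +x` layer into the copy on BuildKit builders.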