skz-genesis-actions/.forgejo/workflows/ci.yaml
2026-01-17 10:31:05 +01:00


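# CI pipeline for this repository: build the container image, scan it with
# Trivy, send the findings to DefectDojo, then push the image to the registry.
# Triggered on every push to `master` and on manual dispatch.
name: ci-workflow
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - master
  workflow_dispatch: {}
jobs:
  build-and-scan:
    runs-on: docker
    env:
      # Non-secret configuration (hosts, names) is also sourced from
      # `secrets`, which keeps it masked in logs at the cost of auditability.
      REGISTRY_HOST: ${{ secrets.REGISTRY_HOST }}
      IMAGE_NAMESPACE: ${{ secrets.IMAGE_NAMESPACE }}
      IMAGE_NAME: ${{ secrets.IMAGE_NAME }}
      # Not read by any step in this workflow; kept for compatibility.
      CI_GREETING: ${{ secrets.CI_GREETING }}
      DEFECTDOJO_URL: ${{ secrets.DEFECTDOJO_URL }}
      DEFECTDOJO_PRODUCT_TYPE: ${{ secrets.DEFECTDOJO_PRODUCT_TYPE }}
      DEFECTDOJO_PRODUCT: ${{ secrets.DEFECTDOJO_PRODUCT }}
      DEFECTDOJO_ENGAGEMENT: ${{ secrets.DEFECTDOJO_ENGAGEMENT }}
      # Exact Docker CLI package downloaded and installed below. Bumping the
      # version means updating the checksum next to it as well.
      DOCKER_CLI_DEB: "docker-ce-cli_29.1.4-1~debian.11~bullseye_amd64.deb"
      # SHA-256 of that package, taken from the publisher's checksum file.
      # The download step refuses to install anything that does not match,
      # so a tampered or truncated download cannot end up on the runner.
      DOCKER_CLI_DEB_SHA256: "<PLACEHOLDER: sha256 of the .deb named above>"
      # apt must never block on an interactive prompt inside CI.
      DEBIAN_FRONTEND: noninteractive
    steps:
      - name: Checkout
        # Pinned to a tag; pinning to the tag's commit SHA would make the
        # action immutable and is preferable if the forge supports it.
        uses: https://data.forgejo.org/actions/checkout@v6
        with:
          fetch-depth: 0

      - name: Trust cluster CA
        # Installs the in-cluster root CA into the system trust store,
        # presumably so the registry and DefectDojo endpoints validate over
        # TLS — confirm against the cluster setup.
        run: |
          cp /etc/cluster-ca/root-ca.crt /usr/local/share/ca-certificates/cluster-root-ca.crt
          update-ca-certificates

      - name: Install required dependencies
        run: |
          apt-get update
          apt-get install -y \
            apt-transport-https \
            ca-certificates \
            curl \
            gnupg2 \
            lsb-release \
            software-properties-common

      - name: Download Docker CLI .deb package
        # Uses curl (installed by the previous step) instead of wget, which
        # the dependency list never installs. The checksum check fails closed:
        # a mismatch aborts the job before anything is installed.
        run: |
          set -euo pipefail
          curl -fsSL -o "${DOCKER_CLI_DEB}" \
            "https://download.docker.com/linux/debian/dists/bullseye/pool/stable/amd64/${DOCKER_CLI_DEB}"
          echo "${DOCKER_CLI_DEB_SHA256}  ${DOCKER_CLI_DEB}" | sha256sum -c -

      - name: Install Docker CLI
        # Installing the local .deb through apt resolves its dependencies in
        # one pass and, with -y, never waits for confirmation (the previous
        # `dpkg -i` + `apt-get install -f` pair would prompt without a tty).
        run: |
          apt-get install -y "./${DOCKER_CLI_DEB}"

      - name: Verify Docker CLI version
        run: docker --version

      - name: Login to docker-mirror (pull)
        # Pull credentials for the mirror; the push login further down
        # targets the same host and replaces these credentials.
        run: |
          echo "${MIRROR_REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${MIRROR_REGISTRY_USERNAME}" --password-stdin
        env:
          MIRROR_REGISTRY_USERNAME: ${{ secrets.MIRROR_REGISTRY_USERNAME }}
          MIRROR_REGISTRY_TOKEN: ${{ secrets.MIRROR_REGISTRY_TOKEN }}

      - name: Build image
        # The image is tagged with the commit SHA only; IMAGE_REF is exported
        # through GITHUB_ENV so the scan and push steps use the same reference.
        run: |
          IMAGE_REF="${REGISTRY_HOST}/${IMAGE_NAMESPACE}/${IMAGE_NAME}:${GITHUB_SHA}"
          echo "IMAGE_REF=${IMAGE_REF}" >> "${GITHUB_ENV}"
          docker build -t "${IMAGE_REF}" .

      - name: Trivy scan (securecodebox)
        # The image is exported to a tarball and scanned with `--input`, so
        # the scanner container no longer needs the Docker socket (a socket
        # mount is root-equivalent on the runner host).
        # Note: trivy exits 0 regardless of findings, so this step never
        # blocks the push; add `--exit-code 1 --severity CRITICAL` to gate.
        # The scanner image is `:latest`; pin it by digest once the mirror
        # publishes one so scan results are reproducible.
        run: |
          set -euo pipefail
          docker save "${IMAGE_REF}" -o image.tar
          docker run --rm \
            -v "${PWD}:/workspace" \
            -w /workspace \
            harbor.k8s.sk4.nz/docker-mirror/aquasec/trivy:latest \
            image --no-progress --format json --output trivy-results.json --input image.tar
          rm -f image.tar

      - name: Upload to DefectDojo
        # Imports the Trivy JSON into the configured product/engagement.
        # -f makes curl exit non-zero on an HTTP error so a rejected import
        # fails the job instead of being silently dropped.
        run: |
          curl -sSf -X POST "${DEFECTDOJO_URL}/api/v2/import-scan/" \
            -H "Authorization: Token ${DEFECTDOJO_API_KEY}" \
            -F "scan_type=Trivy Scan" \
            -F "minimum_severity=Low" \
            -F "product_type_name=${DEFECTDOJO_PRODUCT_TYPE}" \
            -F "product_name=${DEFECTDOJO_PRODUCT}" \
            -F "engagement_name=${DEFECTDOJO_ENGAGEMENT}" \
            -F "file=@trivy-results.json" \
            -F "verified=true" \
            -F "active=true"
        env:
          DEFECTDOJO_API_KEY: ${{ secrets.DEFECTDOJO_API_KEY }}

      - name: Login to registry (push)
        run: |
          echo "${REGISTRY_TOKEN}" | docker login "${REGISTRY_HOST}" -u "${REGISTRY_USERNAME}" --password-stdin
        env:
          REGISTRY_USERNAME: ${{ secrets.REGISTRY_USERNAME }}
          REGISTRY_TOKEN: ${{ secrets.REGISTRY_TOKEN }}

      - name: Push image
        run: |
          docker push "${IMAGE_REF}"

      - name: Logout from registry
        # `docker login` leaves credentials in ~/.docker/config.json on the
        # runner; clear them even when an earlier step failed. `|| true`
        # covers the case where the CLI was never installed.
        if: always()
        run: docker logout "${REGISTRY_HOST}" || true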