From 0971370b2564e2436cdec83d0837f0770253fd45 Mon Sep 17 00:00:00 2001
From: Oleg Litvinovich
Date: Tue, 26 May 2026 14:14:00 +0400
Subject: [PATCH] simplify workflow
---
.gitea/workflows/build.yml | 54 ++++++++++++++++++--------------------
1 file changed, 26 insertions(+), 28 deletions(-)
diff --git a/.gitea/workflows/build.yml b/.gitea/workflows/build.yml
index 7a34087..07db57c 100644
--- a/.gitea/workflows/build.yml
+++ b/.gitea/workflows/build.yml
@@ -8,42 +8,40 @@ on: env: REGISTRY: harbor.furynrage.com IMAGE: harbor.furynrage.com/demo-app/app + # DinD sidecar в act-runner pod слушает 2375 на host network + DOCKER_HOST: tcp://localhost:2375 jobs: build: runs-on: ubuntu-latest steps: - - name: Checkout - uses: actions/checkout@v4 + - uses: actions/checkout@v4 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Install docker CLI + run: | + apt-get update -qq + apt-get install -y -qq --no-install-recommends docker.io ca-certificates - - name: Login to Zot - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ secrets.REGISTRY_USER }} - password: ${{ secrets.REGISTRY_PASSWORD }} - - - name: Compute tag + - name: Compute sha tag id: tag - run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT + run: echo "sha=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_OUTPUT - - name: Build & push - uses: docker/build-push-action@v5 - with: - context: . - platforms: linux/arm64 - push: true - tags: | - ${{ env.IMAGE }}:${{ steps.tag.outputs.sha }} - ${{ env.IMAGE }}:latest + - name: Login + build + push + run: | + SHA=${{ steps.tag.outputs.sha }} + echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login $REGISTRY -u "${{ secrets.REGISTRY_USER }}" --password-stdin + docker build -t $IMAGE:$SHA -t $IMAGE:latest . + docker push $IMAGE:$SHA + docker push $IMAGE:latest - name: Trivy scan - uses: aquasecurity/trivy-action@0.24.0 - with: - image-ref: ${{ env.IMAGE }}:${{ steps.tag.outputs.sha }} - format: table - severity: CRITICAL,HIGH - exit-code: '0' # для демо не падаем, только репорт + run: | + SHA=${{ steps.tag.outputs.sha }} + docker run --rm \ + -e TRIVY_USERNAME="${{ secrets.REGISTRY_USER }}" \ + -e TRIVY_PASSWORD="${{ secrets.REGISTRY_PASSWORD }}" \ + aquasec/trivy:latest image \ + --severity CRITICAL,HIGH \ + --exit-code 0 \ + --no-progress \ + $IMAGE:$SHA
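Review bot: The `Login + build + push` and `Trivy scan` steps expand `${{ secrets.REGISTRY_USER }}` and `${{ secrets.REGISTRY_PASSWORD }}` directly into the script text, so the shell parses the values (a `"`, `$` or backtick in the password changes the command) and, in the Trivy step, they land in the `docker run` argument list, where they are readable from the runner's process table. Map them through a step-level `env:` block and reference them as shell variables, handing them to the container by name only with `-e TRIVY_USERNAME -e TRIVY_PASSWORD`, as sketched below. The scanner is now `aquasec/trivy:latest`, a mutable tag that receives the registry credentials, whereas the removed action was pinned to `0.24.0`; pin the image to a version or digest. Separately, `DOCKER_HOST: tcp://localhost:2375` is the daemon's plaintext, unauthenticated port and, per the added comment, it listens on the host network, so anything that can reach it on the node controls the daemon and can inspect container environments; a TLS endpoint or a unix socket shared with the sidecar would narrow that.

```yaml
      - name: Login + build + push
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
          # … unchanged: SHA assignment, docker build, both docker push lines …

      - name: Trivy scan
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USER }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          SHA=${{ steps.tag.outputs.sha }}
          docker run --rm \
            -e TRIVY_USERNAME \
            -e TRIVY_PASSWORD \
            # … unchanged: image reference (pinned), trivy flags, $IMAGE:$SHA …
```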