+26
-28
@@ -8,42 +8,40 @@ on:
|
|||||||
env:
|
env:
|
||||||
REGISTRY: harbor.furynrage.com
|
REGISTRY: harbor.furynrage.com
|
||||||
IMAGE: harbor.furynrage.com/demo-app/app
|
IMAGE: harbor.furynrage.com/demo-app/app
|
||||||
|
# DinD sidecar в act-runner pod слушает 2375 на host network
|
||||||
|
DOCKER_HOST: tcp://localhost:2375
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- uses: actions/checkout@v4
|
||||||
uses: actions/checkout@v4
|
|
||||||
|
|
||||||
- name: Set up Docker Buildx
|
- name: Install docker CLI
|
||||||
uses: docker/setup-buildx-action@v3
|
run: |
|
||||||
|
apt-get update -qq
|
||||||
|
apt-get install -y -qq --no-install-recommends docker.io ca-certificates
|
||||||
|
|
||||||
- name: Login to Zot
|
- name: Compute sha tag
|
||||||
uses: docker/login-action@v3
|
|
||||||
with:
|
|
||||||
registry: ${{ env.REGISTRY }}
|
|
||||||
username: ${{ secrets.REGISTRY_USER }}
|
|
||||||
password: ${{ secrets.REGISTRY_PASSWORD }}
|
|
||||||
|
|
||||||
- name: Compute tag
|
|
||||||
id: tag
|
id: tag
|
||||||
run: echo "sha=$(echo ${{ github.sha }} | cut -c1-7)" >> $GITHUB_OUTPUT
|
run: echo "sha=$(echo $GITHUB_SHA | cut -c1-7)" >> $GITHUB_OUTPUT
|
||||||
|
|
||||||
- name: Build & push
|
- name: Login + build + push
|
||||||
uses: docker/build-push-action@v5
|
run: |
|
||||||
with:
|
SHA=${{ steps.tag.outputs.sha }}
|
||||||
context: .
|
echo "${{ secrets.REGISTRY_PASSWORD }}" | docker login $REGISTRY -u "${{ secrets.REGISTRY_USER }}" --password-stdin
|
||||||
platforms: linux/arm64
|
docker build -t $IMAGE:$SHA -t $IMAGE:latest .
|
||||||
push: true
|
docker push $IMAGE:$SHA
|
||||||
tags: |
|
docker push $IMAGE:latest
|
||||||
${{ env.IMAGE }}:${{ steps.tag.outputs.sha }}
|
|
||||||
${{ env.IMAGE }}:latest
|
|
||||||
|
|
||||||
- name: Trivy scan
|
- name: Trivy scan
|
||||||
uses: aquasecurity/trivy-action@0.24.0
|
run: |
|
||||||
with:
|
SHA=${{ steps.tag.outputs.sha }}
|
||||||
image-ref: ${{ env.IMAGE }}:${{ steps.tag.outputs.sha }}
|
docker run --rm \
|
||||||
format: table
|
-e TRIVY_USERNAME="${{ secrets.REGISTRY_USER }}" \
|
||||||
severity: CRITICAL,HIGH
|
-e TRIVY_PASSWORD="${{ secrets.REGISTRY_PASSWORD }}" \
|
||||||
exit-code: '0' # для демо не падаем, только репорт
|
aquasec/trivy:latest image \
|
||||||
|
--severity CRITICAL,HIGH \
|
||||||
|
--exit-code 0 \
|
||||||
|
--no-progress \
|
||||||
|
$IMAGE:$SHA
|
||||||
|
|||||||
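Review bot: Registry credentials are now spliced into the shell text of the `Login + build + push` and `Trivy scan` steps via `${{ secrets.REGISTRY_USER }}` / `${{ secrets.REGISTRY_PASSWORD }}` (the `echo "…" | docker login` line and the two `-e TRIVY_*="…"` lines), which the removed `docker/login-action` step avoided; pass them as step `env:` and reference shell variables instead, so the secret is never part of the interpolated script, and let `docker run -e TRIVY_USERNAME -e TRIVY_PASSWORD` forward them from the environment. The old login action also logged out in its post-step, whereas the new step leaves the token in the job container's `~/.docker/config.json`, so end the step with `docker logout "$REGISTRY"` (or a `trap` if it should also run on a failed push). `aquasec/trivy:latest` drops the pin the previous `trivy-action@0.24.0` had — pin the scanner image to a version or digest. Separately, `DOCKER_HOST: tcp://localhost:2375` is a plaintext, unauthenticated daemon endpoint and the comment says the sidecar binds it on the host network, so presumably any process that can reach the node's loopback gets root-equivalent control of that daemon; if the runner setup allows it, prefer TLS on 2376 (`DOCKER_TLS_VERIFY`/`DOCKER_CERT_PATH`) or a mounted unix socket.
```yaml
      - name: Login + build + push
        env:
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          SHA=${{ steps.tag.outputs.sha }}
          printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
          # … unchanged: docker build / docker push …
          docker logout "$REGISTRY"

      - name: Trivy scan
        env:
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USER }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          SHA=${{ steps.tag.outputs.sha }}
          docker run --rm \
            -e TRIVY_USERNAME -e TRIVY_PASSWORD \
            aquasec/trivy:0.24.0 image \
          # … unchanged: --severity / --exit-code / --no-progress / $IMAGE:$SHA …
```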