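---
name: build

on:
  push:
    branches: [main]
  workflow_dispatch:

# Least privilege for the job token: this workflow only needs to read the
# repository. Registry access goes through the REGISTRY_* secrets below, not
# through the job token.
permissions:
  contents: read

env:
  REGISTRY: harbor.furynrage.com
  IMAGE: harbor.furynrage.com/demo-app/app
  # The DinD sidecar in the act-runner pod listens on 2375 on the host network.
  # This is plain TCP without TLS, reachable only as localhost inside the pod;
  # do not expose this port beyond the pod.
  DOCKER_HOST: tcp://localhost:2375

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Install docker CLI
        run: |
          apt-get update -qq
          apt-get install -y -qq --no-install-recommends docker.io ca-certificates

      - name: Compute sha tag
        id: tag
        # Short 7-character commit SHA, used as the immutable image tag.
        run: echo "sha=$(echo "$GITHUB_SHA" | cut -c1-7)" >> "$GITHUB_OUTPUT"

      # Secrets and step outputs are handed to the script through `env:`
      # instead of being interpolated with `${{ }}` into the script body,
      # so they never become part of the shell text that the runner
      # assembles and may echo on failure.
      - name: Login + build + push sha tag
        env:
          SHA: ${{ steps.tag.outputs.sha }}
          REGISTRY_USER: ${{ secrets.REGISTRY_USER }}
          REGISTRY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        run: |
          # printf rather than echo: a password that starts with "-" or
          # contains backslashes is passed through unmodified.
          printf '%s' "$REGISTRY_PASSWORD" | docker login "$REGISTRY" -u "$REGISTRY_USER" --password-stdin
          docker build -t "$IMAGE:$SHA" -t "$IMAGE:latest" .
          # Only the immutable sha tag is pushed here; `latest` is promoted
          # in a later step, after the vulnerability scan has passed.
          docker push "$IMAGE:$SHA"

      - name: Trivy scan
        env:
          SHA: ${{ steps.tag.outputs.sha }}
          TRIVY_USERNAME: ${{ secrets.REGISTRY_USER }}
          TRIVY_PASSWORD: ${{ secrets.REGISTRY_PASSWORD }}
        # Scans the sha tag just pushed to the registry. With --exit-code 1 any
        # CRITICAL/HIGH finding fails the job, so `latest` is never promoted
        # for a vulnerable build.
        # TODO: pin aquasec/trivy to a specific release tag (<trivy-version>)
        # instead of the mutable :latest so scan results are reproducible.
        run: |
          docker run --rm \
            -e TRIVY_USERNAME \
            -e TRIVY_PASSWORD \
            aquasec/trivy:latest image \
            --severity CRITICAL,HIGH \
            --exit-code 1 \
            --no-progress \
            "$IMAGE:$SHA"

      # Runs only if every previous step succeeded, i.e. the scan passed.
      - name: Promote latest
        run: docker push "$IMAGE:latest"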