From e0b19bc496391ffbc1706d45f22a7f2019de6968 Mon Sep 17 00:00:00 2001 From: Christian Steinle Date: Thu, 20 Mar 2025 16:54:35 +0100 Subject: [PATCH] Use secrets and security check for workflow. --- .gitea/workflows/release.yml | 39 ++++++++++++++++++++++++++++-------- 1 file changed, 31 insertions(+), 8 deletions(-) diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 54ff90c..09e4a6e 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -3,11 +3,12 @@ name: Build huber-stuck web image on: push: branches: [ master ] + schedule: + # Run every Sunday at midnight + - cron: '0 0 * * 0' env: - USER: chris - PASS: q',\H(Od:G3).Xv<#!5P - + IMAGE: /huber/stuck-web jobs: Build-and-release-image: @@ -24,20 +25,42 @@ jobs: - name: Log into registry uses: docker/login-action@v3 with: - registry: https://cs-git.ddnss.de - username: ${{ env.USER }} - password: ${{ env.PASS }} + registry: ${{ secrets.REGISTRY_URL }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_PASS }} - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: cs-git.ddnss.de/huber/stuck-web + images: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }} - name: Build and push Docker image uses: docker/build-push-action@v4 env: ACTIONS_RUNTIME_TOKEN: '' with: - tags: cs-git.ddnss.de/huber/stuck-web:latest + tags: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }}:latest push: true + + - name: Scan image + uses: anchore/scan-action@v6 + id: scan + with: + image: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }}:latest + fail-build: false + output-format: table + severity-cutoff: critical + registry-username: ${{ secrets.REGISTRY_USER }} + registry-password: ${{ secrets.REGISTRY_PASS }} + grype-version: 'v0.90.0' + + - name: Inspect file + run: cat ${{ steps.scan.outputs.table }} + + - name: Upload Artifact + uses: actions/upload-artifact@v3 + with: + name: scan-result + path: ${{ steps.scan.outputs.table }} +