From f5f744c5dfb1e6c0420c664825ac0f47e38155d5 Mon Sep 17 00:00:00 2001 From: chris Date: Fri, 21 Mar 2025 12:14:57 +0100 Subject: [PATCH] Use secrets and security scan for workflow. --- .gitea/workflows/release.yml | 40 +++++++++++++++++++++++++++--------- 1 file changed, 30 insertions(+), 10 deletions(-) diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index dca611f..539e448 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -3,13 +3,12 @@ name: Build startup image on: push: branches: [ master ] + schedule: + # Run every Sunday at midnight + - cron: '0 0 * * 0' env: - # Use docker.io for Docker Hub if empty - REGISTRY: cs-registry.ddnss.de - USER: chris - PASS: q',\H(Od:G3).Xv<#!5P - + IMAGE: /ri-st/startup jobs: Build-and-release-image: @@ -26,20 +25,41 @@ jobs: - name: Log into registry uses: docker/login-action@v3 with: - registry: https://cs-git.ddnss.de - username: ${{ env.USER }} - password: ${{ env.PASS }} + registry: ${{ secrets.REGISTRY_URL }} + username: ${{ secrets.REGISTRY_USER }} + password: ${{ secrets.REGISTRY_PASS }} - name: Extract Docker metadata id: meta uses: docker/metadata-action@v5 with: - images: cs-git.ddnss.de/ri-st/startup + images: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }} - name: Build and push Docker image uses: docker/build-push-action@v4 env: ACTIONS_RUNTIME_TOKEN: '' with: - tags: cs-git.ddnss.de/ri-st/startup:latest + tags: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }}:latest push: true + + - name: Scan image + uses: anchore/scan-action@v6 + id: scan + with: + image: ${{ secrets.REGISTRY_URL }}${{ env.IMAGE }}:latest + fail-build: false + output-format: table + severity-cutoff: critical + registry-username: ${{ secrets.REGISTRY_USER }} + registry-password: ${{ secrets.REGISTRY_PASS }} + grype-version: 'v0.90.0' + + - name: Inspect file + run: cat ${{ steps.scan.outputs.table }} + + - name: Upload Artifact + uses: actions/upload-artifact@v3 + with: + name: scan-result + path: ${{ steps.scan.outputs.table }}