.gitea/workflows/create_and_push_multiarch_container.yml aktualisiert

.gitea/workflows/create_and_push_multiarch_container.yml

@@ -1,12 +1,10 @@
-name: release-tag
+name: build-image
+run-name: build and push Docker-Image with tag:${{ github.ref_name }}
 
 on:
-  workflow_dispatch: # Manuelles Auslösen des Workflows
-    inputs:
-      image_tag:
-        description: '2. Tag für das Docker-Image (außer latest) (z.B. v1.0.0)'
-        required: true
-        default: '1.5.0'
+  push:
+    tags:
+      - "*"
 
 env:
   image_name_gitea: flask-qr
@@ -18,7 +16,7 @@ env:
 
 jobs:
   release-image:
-    runs-on: ubuntu-latest
+    runs-on: build-ubuntu-latest
     steps:
       - name: Checkout
         uses: actions/checkout@v3
@@ -55,10 +53,37 @@ jobs:
           docker buildx build \
             --file ./Dockerfile \
             --platform linux/amd64,linux/386,linux/arm64,linux/arm/v7 \
-            --tag ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ github.event.inputs.image_tag }} \
-            --tag ${{ env.registry_github }}/${{ env.user }}/${{ env.image_name_github }}:${{ github.event.inputs.image_tag }} \
-            --tag ${{ env.user }}/${{ env.image_name_dockerhub }}:${{ github.event.inputs.image_tag }} \
+            --tag ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ github.ref_name }} \
+            --tag ${{ env.registry_github }}/${{ env.user }}/${{ env.image_name_github }}:${{ github.ref_name }} \
+            --tag ${{ env.user }}/${{ env.image_name_dockerhub }}:${{ github.ref_name }} \
             --tag ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:latest \
             --tag ${{ env.registry_github }}/${{ env.user }}/${{ env.image_name_github }}:latest \
             --tag ${{ env.user }}/${{ env.image_name_dockerhub }}:latest \
             --push ./
+  telegram-notify:
+    needs: release-image
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+    - name: Telegram Alert
+      run: |
+        case "${{ needs.release-image.result }}" in
+            "success")  EMOJI="✅"; MSG="OK" ;;
+            "failure")  EMOJI="❌"; MSG="WARN!" ;;
+            "cancelled") EMOJI="⏹️"; MSG="Canceled" ;;
+            *) EMOJI="❓"; MSG="Unknown-State: ${{ needs.release-image.result }}" ;;
+        esac
+        
+        curl -s -X POST "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
+        -H 'Content-Type: application/json' \
+        -d "{
+        \"chat_id\": \"${{ secrets.TELEGRAM_CHAT_ID }}\",
+        \"parse_mode\": \"HTML\",
+        \"text\": 
+        \"$EMOJI <b>$MSG - Build ${{ env.image_name_gitea }}:${{ github.ref_name }}</b>
+        <i>$(date +"%Y-%m-%d  %T")</i>
+        Build of Image: <b><i>${{ env.image_name_gitea }}:${{ github.ref_name }}</i></b>
+        ${{ gitea.server_url }}/${{ gitea.repository }}
+        \"
+        }"
+        

.gitea/workflows/trivy_image_scan.yml

@@ -0,0 +1,95 @@
+name: trivy-scan-image
+run-name: Trivy - Scan Docker Image ${{ env.image_tag }}
+
+on:
+  workflow_dispatch: # Manuelles Auslösen des Workflows
+    inputs:
+      image_tag:
+        description: 'Tag für das zu scannende Docker-Image z.B. latest'
+        required: true
+        default: 'latest'
+  schedule:
+    - cron: '30 1 * * 5'
+
+env:
+  image_name_gitea: flask-qr
+  image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
+  registry_gitea: gitea.tebarius.duckdns.org
+  user: tebarius
+
+jobs:
+  trivy_image_scan:
+    runs-on: ubuntu-latest
+    container: aquasec/trivy:latest
+    steps:
+      - name: Scan linux/amd64-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/amd64 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/386-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/386 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/arm64-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/arm64 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+      - name: Scan linux/arm/v7-image
+        run: |
+          trivy image \
+          --username ${{ env.user }} \
+          --password ${{ secrets.DOCKER_PULL_TOKEN }} \
+          --exit-code 1 \
+          --scanners vuln,misconfig,secret \
+          --severity HIGH,CRITICAL \
+          --ignore-unfixed \
+          --platform linux/arm/v7 \
+          ${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
+
+  telegram-notify:
+    needs: trivy_image_scan
+    if: always()
+    runs-on: ubuntu-latest
+    steps:
+    - name: Telegram Alert
+      run: |
+        case "${{ needs.trivy_image_scan.result }}" in
+            "success")  EMOJI="✅"; MSG="OK" ;;
+            "failure")  EMOJI="❌"; MSG="WARN!" ;;
+            "cancelled") EMOJI="⏹️"; MSG="Canceled" ;;
+            *) EMOJI="❓"; MSG="Unknown-State: ${{ needs.trivy_image_scan.result }}" ;;
+        esac
+        
+        curl -s -X POST "https://api.telegram.org/bot${{ secrets.TELEGRAM_BOT_TOKEN }}/sendMessage" \
+        -H 'Content-Type: application/json' \
+        -d "{
+        \"chat_id\": \"${{ secrets.TELEGRAM_CHAT_ID }}\",
+        \"parse_mode\": \"HTML\",
+        \"text\": 
+        \"$EMOJI <b>$MSG - Scan ${{ env.image_name_gitea }}:${{ env.image_tag }}</b>
+        <i>$(date +"%Y-%m-%d  %T")</i>
+        Trivy-Image-Scan of: <b><i>${{ env.image_name_gitea }}:${{ env.image_tag }}</i></b>
+        ${{ gitea.server_url }}/${{ gitea.repository }}
+        \"
+        }"

.gitignore

@@ -1 +1,2 @@
 /venv/
+/.venv/

Dockerfile

@@ -1,27 +1,31 @@
-FROM python:3.13-slim
+FROM python:3.14-slim
+LABEL authors="tebarius"
+LABEL description="QR-Code-Generator-Server with Flask-App"
 
 ARG TARGETPLATFORM
 ARG BUILDPLATFORM
-
-LABEL authors="tebarius"
-LABEL version="1.5.0"
-LABEL description="QR-Code-Generator-Server with Flask-App"
-
-WORKDIR /app
-COPY ./app /app/
+ENV PYTHONDONTWRITEBYTECODE=1
+ENV PYTHONUNBUFFERED=1
+ENV HTTP_METHOD=POST
 
 RUN apt-get update && \
+    apt-get upgrade -y &&\
     if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \
         apt-get install -y --no-install-recommends zlib1g-dev libjpeg-dev gcc; \
     fi && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
 
-RUN python -m pip install --upgrade pip
-RUN pip install --no-cache-dir --trusted-host pypi.python.org -r requirements.txt
+WORKDIR /app
+COPY ./app /app/
+
+RUN python -m pip install --upgrade pip \
+    && pip install --no-cache-dir -r requirements.txt \
+    && useradd -m -u 1000 qr \
+    && chown -R qr:qr /app
+
+USER qr
 
 EXPOSE 8002
 
-ENV HTTP_METHOD=POST
-
 CMD ["sh", "-c", "python ${HTTP_METHOD}-Flask-QR.py"]