Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 5053791991 | |||
| 794bc5cb97 | |||
| 2a5b133ba7 | |||
| 05615dc813 |
@@ -1,4 +1,5 @@
|
|||||||
name: release-tag
|
name: build-image
|
||||||
|
run-name: build and push Docker-Image
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch: # Manuelles Auslösen des Workflows
|
workflow_dispatch: # Manuelles Auslösen des Workflows
|
||||||
@@ -18,7 +19,7 @@ env:
|
|||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
release-image:
|
release-image:
|
||||||
runs-on: ubuntu-latest
|
runs-on: build-ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout
|
- name: Checkout
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
|
|||||||
@@ -1,4 +1,5 @@
|
|||||||
name: release-tag
|
name: trivy-scan-image
|
||||||
|
run-name: Trivy - Scan Docker Image
|
||||||
|
|
||||||
on:
|
on:
|
||||||
workflow_dispatch: # Manuelles Auslösen des Workflows
|
workflow_dispatch: # Manuelles Auslösen des Workflows
|
||||||
@@ -7,9 +8,12 @@ on:
|
|||||||
description: 'Tag für das zu scannende Docker-Image z.B. latest'
|
description: 'Tag für das zu scannende Docker-Image z.B. latest'
|
||||||
required: true
|
required: true
|
||||||
default: 'latest'
|
default: 'latest'
|
||||||
|
schedule:
|
||||||
|
- cron: '30 1 * * 5'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
image_name_gitea: flask-qr
|
image_name_gitea: flask-qr
|
||||||
|
image_tag: ${{ github.event.inputs.image_tag || 'latest' }}
|
||||||
registry_gitea: gitea.tebarius.duckdns.org
|
registry_gitea: gitea.tebarius.duckdns.org
|
||||||
user: tebarius
|
user: tebarius
|
||||||
|
|
||||||
@@ -21,8 +25,10 @@ jobs:
|
|||||||
- name: Scan image with trivy
|
- name: Scan image with trivy
|
||||||
run: |
|
run: |
|
||||||
trivy image \
|
trivy image \
|
||||||
|
--username ${{ env.user }} \
|
||||||
|
--password ${{ secrets.DOCKER_PULL_TOKEN }} \
|
||||||
--exit-code 1 \
|
--exit-code 1 \
|
||||||
--scanners vuln,misconfig,secret \
|
--scanners vuln,misconfig,secret \
|
||||||
--severity MEDIUM,HIGH,CRITICAL \
|
--severity MEDIUM,HIGH,CRITICAL \
|
||||||
--ignore-unfixed \
|
--ignore-unfixed \
|
||||||
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ github.event.inputs.image_tag }}
|
${{ env.registry_gitea }}/${{ env.user }}/${{ env.image_name_gitea }}:${{ env.image_tag }}
|
||||||
|
|||||||
@@ -6,21 +6,20 @@ ARG TARGETPLATFORM
|
|||||||
ARG BUILDPLATFORM
|
ARG BUILDPLATFORM
|
||||||
ENV PYTHONDONTWRITEBYTECODE=1
|
ENV PYTHONDONTWRITEBYTECODE=1
|
||||||
ENV PYTHONUNBUFFERED=1
|
ENV PYTHONUNBUFFERED=1
|
||||||
ENV PATH="/qr-venv/bin:$PATH"
|
|
||||||
ENV HTTP_METHOD=POST
|
ENV HTTP_METHOD=POST
|
||||||
|
|
||||||
RUN apt-get update && \
|
RUN apt-get update && \
|
||||||
if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \
|
if [ "$TARGETPLATFORM" = "linux/arm/v7" ] || [ "$TARGETPLATFORM" = "linux/386" ]; then \
|
||||||
apt-get install -y --no-install-recommends zlib1g-dev libjpeg-dev gcc; \
|
apt-get install -y --no-install-recommends zlib1g-dev libjpeg-dev gcc; \
|
||||||
fi && \
|
fi && \
|
||||||
|
apt-get upgrade -y &&\
|
||||||
apt-get clean && \
|
apt-get clean && \
|
||||||
rm -rf /var/lib/apt/lists/*
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
COPY ./app /app/
|
COPY ./app /app/
|
||||||
|
|
||||||
RUN python -m venv /qr-venv \
|
RUN python -m pip install --upgrade pip \
|
||||||
&& python -m pip install --upgrade pip \
|
|
||||||
&& pip install --no-cache-dir -r requirements.txt \
|
&& pip install --no-cache-dir -r requirements.txt \
|
||||||
&& useradd -m -u 1000 qr \
|
&& useradd -m -u 1000 qr \
|
||||||
&& chown -R qr:qr /app
|
&& chown -R qr:qr /app
|
||||||
|
|||||||
Reference in New Issue
Block a user