.gitea/workflows/delpoy.yml aktualisiert
+22
-22
@@ -5,17 +5,30 @@ on:
|
||||
branches:
|
||||
- main
|
||||
|
||||
env:
|
||||
GIT_HOST: git.jakach.ch
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
|
||||
APP_NAME: auth
|
||||
APP_DOMAIN: auth.jakach.ch
|
||||
APP_PORT: 447
|
||||
|
||||
SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
|
||||
CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
|
||||
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||
TRIVY_IMAGE_SCANNERS: vuln
|
||||
TRIVY_VEX: repo
|
||||
TRIVY_FS_SCANNERS: vuln,misconfig,secret
|
||||
SEMGREP_CONFIG: p/default
|
||||
|
||||
jobs:
|
||||
security_scan:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
GIT_USER: ${{ vars.GIT_USER }}
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
SECURITY_SCAN_ENABLED: ${{ vars.SECURITY_SCAN_ENABLED }}
|
||||
TRIVY_SEVERITY: HIGH,CRITICAL
|
||||
|
||||
steps:
|
||||
- name: Scan Docker images for vulnerabilities
|
||||
@@ -53,7 +66,6 @@ jobs:
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
fi
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
|
||||
|
||||
git clone \
|
||||
@@ -127,6 +139,8 @@ jobs:
|
||||
|
||||
if ! trivy \
|
||||
image \
|
||||
--scanners "${TRIVY_IMAGE_SCANNERS}" \
|
||||
--vex "${TRIVY_VEX}" \
|
||||
--exit-code 1 \
|
||||
--severity "${TRIVY_SEVERITY}" \
|
||||
--ignore-unfixed \
|
||||
@@ -148,11 +162,8 @@ jobs:
|
||||
runs-on: ubuntu-latest
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
GIT_USER: ${{ vars.GIT_USER }}
|
||||
GIT_TOKEN: ${{ secrets.GIT_TOKEN }}
|
||||
CODE_SCAN_ENABLED: ${{ vars.CODE_SCAN_ENABLED }}
|
||||
|
||||
steps:
|
||||
- name: Scan source code
|
||||
@@ -197,7 +208,6 @@ jobs:
|
||||
export PATH="$HOME/.local/bin:$PATH"
|
||||
fi
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
REPO_URL="https://${GIT_USER}:${GIT_TOKEN}@${GIT_HOST}/${GIT_REPO}"
|
||||
|
||||
git clone \
|
||||
@@ -208,14 +218,14 @@ jobs:
|
||||
cd source
|
||||
|
||||
semgrep scan \
|
||||
--config p/default \
|
||||
--config "${SEMGREP_CONFIG}" \
|
||||
--error \
|
||||
--metrics=off
|
||||
|
||||
trivy fs \
|
||||
--scanners vuln,misconfig,secret \
|
||||
--scanners "${TRIVY_FS_SCANNERS}" \
|
||||
--exit-code 1 \
|
||||
--severity HIGH,CRITICAL \
|
||||
--severity "${TRIVY_SEVERITY}" \
|
||||
--ignore-unfixed \
|
||||
--no-progress \
|
||||
.
|
||||
@@ -226,14 +236,6 @@ jobs:
|
||||
- security_scan
|
||||
- code_scan
|
||||
|
||||
env:
|
||||
GIT_REPO: jakach/jakach-login
|
||||
GIT_BRANCH: main
|
||||
|
||||
APP_NAME: template
|
||||
APP_DOMAIN: auth.jakach.ch
|
||||
APP_PORT: 447
|
||||
|
||||
steps:
|
||||
- name: Install dependencies
|
||||
run: |
|
||||
@@ -273,8 +275,6 @@ jobs:
|
||||
: "${GIT_USER:?GIT_USER is required}"
|
||||
: "${GIT_TOKEN:?GIT_TOKEN is required}"
|
||||
|
||||
GIT_HOST="${GIT_HOST:-git.jakach.ch}"
|
||||
|
||||
REPO_NAME="$(basename "$GIT_REPO")"
|
||||
APP_DIR="/srv/systems/${REPO_NAME}"
|
||||
|
||||
|
||||
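Review bot: The new `--vex "${TRIVY_VEX}"` with `TRIVY_VEX: repo` lets VEX statements fetched from a remote VEX repository mark findings as not affected, and because the same `trivy image` call uses `--exit-code 1` as the gate in front of the deploy job, a HIGH/CRITICAL suppressed that way passes with nothing in the job log. I would add `--show-suppressed \` next to the `--vex` line so the output lists every filtered finding and the statement that filtered it, and pin which VEX repositories are trusted instead of relying on the tool default — the repository configuration is not in this diff, so I am inferring the default source is in use. Separately, `REPO_URL` (unchanged context here) still embeds `GIT_TOKEN` in the clone URL; git keeps the remote URL in the clone's `.git/config`, so the token stays on disk in the workspace for the rest of the job and shows up in any git error output, which is worth revisiting now that `trivy fs` runs a `secret` scanner over that checkout. The `if ! trivy` command and its failure handling continue outside the hunk.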