username/flaskpaste
1
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

containerfile: consolidate to single alpine image
Some checks failed
CI / Lint & Format (push) Successful in 22s
Details
CI / Security Scan (push) Successful in 20s
Details
CI / Advanced Security Tests (push) Successful in 17s
Details
CI / Memory Leak Check (push) Successful in 19s
Details
CI / Security Tests (push) Successful in 26s
Details
CI / Unit Tests (push) Successful in 33s
Details
CI / Build & Push Image (push) Failing after 2s
Details
CI / Harbor Vulnerability Scan (push) Has been skipped
Details
CI / SBOM Generation (push) Successful in 19s
Details
CI / Fuzz Testing (push) Successful in 26s
Details

Browse Source
This commit is contained in:
Username
2026-01-21 12:17:47 +01:00
parent 79a4d1d0ea
commit 60652e96b4
4 changed files with 27 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
.gitea/workflows/ci.yml
View File

@@ -290,7 +290,7 @@ jobs:
git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
"https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Build standard image
- name: Build image
run: |
# Use docker or podman, whichever is available
if command -v docker >/dev/null 2>&1; then
@@ -304,20 +304,8 @@ jobs:
echo "Using: $BUILD_CMD"
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
$BUILD_CMD build -f Containerfile -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} .
echo "Standard image built"
- name: Build slim image
run: |
if command -v docker >/dev/null 2>&1; then
BUILD_CMD="docker"
else
BUILD_CMD="podman"
fi
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
$BUILD_CMD build -f Containerfile.slim -t flaskpaste:slim -t flaskpaste:slim-sha-${SHORT_SHA} .
echo "Slim image built"
$BUILD_CMD build -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} .
echo "Image built"
$BUILD_CMD images | grep flaskpaste
- name: Push to Harbor
@@ -344,20 +332,13 @@ jobs:
$BUILD_CMD login "${HARBOR_REGISTRY}" \
-u "$HARBOR_USER" -p "$HARBOR_PASS"
# Push standard image
for tag in latest sha-${SHORT_SHA}; do
# Push image with multiple tags (latest, slim for backwards compat, sha)
for tag in latest slim sha-${SHORT_SHA}; do
$BUILD_CMD tag flaskpaste:latest "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
$BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
done
# Push slim image
for tag in slim slim-sha-${SHORT_SHA}; do
$BUILD_CMD tag flaskpaste:slim "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
$BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
done
vuln-scan:
name: Harbor Vulnerability Scan
runs-on: ubuntu-latest
@@ -390,18 +371,11 @@ jobs:
echo "Waiting for Harbor to index images..."
sleep 15
# Scan standard image
echo "Triggering vulnerability scan for standard image..."
echo "Triggering vulnerability scan..."
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
scan library flaskpaste -d latest --wait --timeout 180
# Scan slim image
echo "Triggering vulnerability scan for slim image..."
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
scan library flaskpaste -d slim --wait --timeout 180
- name: Check for critical vulnerabilities
env:
HARBOR_USER: ${{ secrets.HARBOR_USER }}
@@ -439,11 +413,5 @@ jobs:
return 0
}
FAILED=0
check_vulns latest || FAILED=1
check_vulns slim || FAILED=1
if [ "$FAILED" -eq 1 ]; then
exit 1
fi
echo "Vulnerability scan passed for all images"
check_vulns latest || exit 1
echo "Vulnerability scan passed"