From a206c9939cdf525234ab36814adf6244c75f191e Mon Sep 17 00:00:00 2001
From: Username
Date: Mon, 19 Jan 2026 19:52:57 +0100
Subject: [PATCH] ci: build and push slim image variant
---
 .gitea/workflows/ci.yml | 88 +++++++++++++++++++++++++++++------------
 1 file changed, 62 insertions(+), 26 deletions(-)
diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 25889ec..98f25f7 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -264,7 +264,7 @@ jobs:
 git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
 "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- - name: Build image
+ - name: Build standard image
 run: |
 # Use docker or podman, whichever is available
 if command -v docker >/dev/null 2>&1; then
@@ -279,6 +279,19 @@ jobs:
 SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
 $BUILD_CMD build -f Containerfile -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} .
+ echo "Standard image built"
+
+ - name: Build slim image
+ run: |
+ if command -v docker >/dev/null 2>&1; then
+ BUILD_CMD="docker"
+ else
+ BUILD_CMD="podman"
+ fi
+
+ SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+ $BUILD_CMD build -f Containerfile.slim -t flaskpaste:slim -t flaskpaste:slim-sha-${SHORT_SHA} .
+ echo "Slim image built"
 $BUILD_CMD images | grep flaskpaste
 - name: Push to Harbor
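Review bot: The slim step repeats the docker/podman detection and the SHORT_SHA derivation that the standard step performed moments earlier, and the push step further down uses `$BUILD_CMD` and `${SHORT_SHA}` again, presumably from yet another copy. Exporting them once at the end of the first step, `echo "BUILD_CMD=$BUILD_CMD" >> "$GITHUB_ENV"` and `echo "SHORT_SHA=$SHORT_SHA" >> "$GITHUB_ENV"`, lets the slim and push steps drop their local copies and keeps the three steps from drifting apart. The `$BUILD_CMD images | grep flaskpaste` listing now runs only at the end of the slim step; a comment such as `# lists both variants built above` would make that placement look intentional rather than accidental. The enclosing job starts outside the hunk.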
@@ -305,12 +318,20 @@ jobs:
 $BUILD_CMD login "${HARBOR_REGISTRY}" \
 -u "$HARBOR_USER" -p "$HARBOR_PASS"
+ # Push standard image
 for tag in latest sha-${SHORT_SHA}; do
 $BUILD_CMD tag flaskpaste:latest "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
 $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
 echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
 done
+ # Push slim image
+ for tag in slim slim-sha-${SHORT_SHA}; do
+ $BUILD_CMD tag flaskpaste:slim "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+ $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+ echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+ done
+
 vuln-scan:
 name: Harbor Vulnerability Scan
 runs-on: ubuntu-latest
@@ -339,10 +360,17 @@ jobs:
 exit 0
 fi
- echo "Triggering vulnerability scan..."
+ # Scan standard image
+ echo "Triggering vulnerability scan for standard image..."
 python harbor-ctl.py --url https://harbor.mymx.me \
 -u "$HARBOR_USER" -p "$HARBOR_PASS" \
- scan library flaskpaste --wait --timeout 180
+ scan library flaskpaste:latest --wait --timeout 180
+
+ # Scan slim image
+ echo "Triggering vulnerability scan for slim image..."
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ scan library flaskpaste:slim --wait --timeout 180
 - name: Check for critical vulnerabilities
 env:
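Review bot: The slim push loop is a line-for-line copy of the standard loop with only the source image and the tag list changed, so any later fix to the push path (checking the push exit status, printing the pushed digest) has to be made twice. A small function that takes the local image followed by its remote tags removes the duplication; the fence shows the shape and keeps the same `tag`/`push`/`echo` sequence and the same output strings. Whether a failed `tag` or `push` aborts the step depends on the runner's default shell flags, which are not visible here; if the shell is not running with `-e`, a failed push is currently only visible as a missing "Pushed:" line. The login line above, which hands `$HARBOR_PASS` to the CLI as an argument, predates this commit and is unchanged by it.

```yaml
          # … unchanged: registry login …
          push_image() {
            local src="$1"; shift
            for tag in "$@"; do
              $BUILD_CMD tag "$src" "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
              $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
              echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
            done
          }
          push_image flaskpaste:latest latest "sha-${SHORT_SHA}"
          push_image flaskpaste:slim slim "slim-sha-${SHORT_SHA}"
```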
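Review bot: Both scan calls target the moving tags `flaskpaste:latest` and `flaskpaste:slim`, so the artifact scanned is whichever image those tags point to at scan time, not necessarily the one this run just pushed; a concurrent run that pushes in between re-points them and the gate then evaluates a different image. The push step already publishes the immutable `sha-${SHORT_SHA}` and `slim-sha-${SHORT_SHA}` tags, so scanning those, e.g. `scan library "flaskpaste:sha-${SHORT_SHA}" --wait --timeout 180`, ties the gate to this commit's image (SHORT_SHA would have to be derived or passed into this job; how the job obtains it is not visible in the hunk). Separately, if the first scan exits non-zero (timeout or API error) and the step shell runs with `-e` as GitHub-style runners do by default, the slim scan never starts and the log names only the standard image; a comment such as `# a failing standard scan aborts the step before the slim scan runs` or an explicit per-scan guard would make that behaviour deliberate. The `vuln-scan` job's earlier steps are outside the hunk.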
@@ -351,33 +379,41 @@ jobs:
 run: |
 if [ -z "$HARBOR_USER" ]; then exit 0; fi
- echo "Checking for fixable critical/high vulnerabilities..."
+ check_vulns() {
+ local tag="$1"
+ echo "Checking fixable critical/high vulnerabilities for :${tag}..."
- # Get vulnerability report
- python harbor-ctl.py --url https://harbor.mymx.me \
- -u "$HARBOR_USER" -p "$HARBOR_PASS" \
- vulns library flaskpaste -s critical -l 100 > /tmp/critical.txt 2>&1 || true
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ vulns library flaskpaste:${tag} -s critical -l 100 > /tmp/critical-${tag}.txt 2>&1 || true
- python harbor-ctl.py --url https://harbor.mymx.me \
- -u "$HARBOR_USER" -p "$HARBOR_PASS" \
- vulns library flaskpaste -s high -l 100 > /tmp/high.txt 2>&1 || true
+ python harbor-ctl.py --url https://harbor.mymx.me \
+ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+ vulns library flaskpaste:${tag} -s high -l 100 > /tmp/high-${tag}.txt 2>&1 || true
- # Check for fixable vulns (have a "Fixed" version that's not "N/A")
- CRITICAL_FIXABLE=$(grep -v "N/A *$" /tmp/critical.txt | grep -c "^CVE\|^GHSA" || echo 0)
- HIGH_FIXABLE=$(grep -v "N/A *$" /tmp/high.txt | grep -c "^CVE\|^GHSA" || echo 0)
+ CRITICAL=$(grep -v "N/A *$" /tmp/critical-${tag}.txt | grep -c "^CVE\|^GHSA" || echo 0)
+ HIGH=$(grep -v "N/A *$" /tmp/high-${tag}.txt | grep -c "^CVE\|^GHSA" || echo 0)
- echo "Critical fixable: $CRITICAL_FIXABLE"
- echo "High fixable: $HIGH_FIXABLE"
+ echo " :${tag} - Critical fixable: $CRITICAL, High fixable: $HIGH"
- if [ "$CRITICAL_FIXABLE" -gt 0 ]; then
- echo "::error::Found $CRITICAL_FIXABLE fixable critical vulnerabilities"
- cat /tmp/critical.txt
+ if [ "$CRITICAL" -gt 0 ]; then
+ echo "::error::Found $CRITICAL fixable critical vulnerabilities in :${tag}"
+ cat /tmp/critical-${tag}.txt
+ return 1
+ fi
+
+ if [ "$HIGH" -gt 0 ]; then
+ echo "::warning::Found $HIGH fixable high vulnerabilities in :${tag}"
+ cat /tmp/high-${tag}.txt
+ fi
+ return 0
+ }
+
+ FAILED=0
+ check_vulns latest || FAILED=1
+ check_vulns slim || FAILED=1
+
+ if [ "$FAILED" -eq 1 ]; then
 exit 1
 fi
-
- if [ "$HIGH_FIXABLE" -gt 0 ]; then
- echo "::warning::Found $HIGH_FIXABLE fixable high vulnerabilities"
- cat /tmp/high.txt
- fi
-
- echo "Vulnerability scan passed"
+ echo "Vulnerability scan passed for all images"
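Review bot: `check_vulns` fails open: each `vulns` fetch ends in `2>&1 || true`, so when harbor-ctl.py cannot reach Harbor, is rejected, or errors on the `flaskpaste:${tag}` reference, its error text lands in the report file, neither `grep -c` finds a `CVE`/`GHSA` line, both counts come out 0 and the function returns 0 — the job then prints "Vulnerability scan passed for all images" without having seen a report. The same two count lines keep an older quirk the refactor carried over: `grep -c` prints `0` and exits 1 when nothing matches, so `|| echo 0` appends a second `0` and `[ "$CRITICAL" -gt 0 ]` receives `0` followed by a newline and another `0`, which `[` rejects as a non-integer (the `if` is simply false, so the complaint only shows up on stderr). The fence checks the fetch exit status, makes a fetch failure a hard failure for that tag, and replaces `|| echo 0` with `|| true`; `CRITICAL` and `HIGH` are also declared `local` so a value from the previous tag cannot leak into the next call. Whether harbor-ctl.py returns non-zero for an empty or missing report is not visible here and should be confirmed before relying on the exit status alone.

```yaml
          check_vulns() {
            local tag="$1" severity CRITICAL HIGH
            echo "Checking fixable critical/high vulnerabilities for :${tag}..."
            for severity in critical high; do
              if ! python harbor-ctl.py --url https://harbor.mymx.me \
                   -u "$HARBOR_USER" -p "$HARBOR_PASS" \
                   vulns library "flaskpaste:${tag}" -s "$severity" -l 100 \
                   > "/tmp/${severity}-${tag}.txt" 2>&1; then
                echo "::error::Could not fetch ${severity} vulnerability report for :${tag}"
                cat "/tmp/${severity}-${tag}.txt"
                return 1
              fi
            done
            CRITICAL=$(grep -v "N/A *$" "/tmp/critical-${tag}.txt" | grep -c "^CVE\|^GHSA" || true)
            HIGH=$(grep -v "N/A *$" "/tmp/high-${tag}.txt" | grep -c "^CVE\|^GHSA" || true)
            # … unchanged: summary echo, ::error / ::warning handling, return …
          }
```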