ci: build and push slim image variant

2026-01-19 19:52:57 +01:00
parent fc7d3df308
commit a206c9939c
1 changed files with 62 additions and 26 deletions
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -264,7 +264,7 @@ jobs:
          git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
            "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .

-      - name: Build image
+      - name: Build standard image
        run: |
          # Use docker or podman, whichever is available
          if command -v docker >/dev/null 2>&1; then
@@ -279,6 +279,19 @@ jobs:

          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
          $BUILD_CMD build -f Containerfile -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} .
+          echo "Standard image built"
+
+      - name: Build slim image
+        run: |
+          if command -v docker >/dev/null 2>&1; then
+            BUILD_CMD="docker"
+          else
+            BUILD_CMD="podman"
+          fi
+
+          SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
+          $BUILD_CMD build -f Containerfile.slim -t flaskpaste:slim -t flaskpaste:slim-sha-${SHORT_SHA} .
+          echo "Slim image built"
          $BUILD_CMD images | grep flaskpaste

      - name: Push to Harbor
@@ -305,12 +318,20 @@ jobs:
          $BUILD_CMD login "${HARBOR_REGISTRY}" \
            -u "$HARBOR_USER" -p "$HARBOR_PASS"

+          # Push standard image
          for tag in latest sha-${SHORT_SHA}; do
            $BUILD_CMD tag flaskpaste:latest "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
            $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
            echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
          done

+          # Push slim image
+          for tag in slim slim-sha-${SHORT_SHA}; do
+            $BUILD_CMD tag flaskpaste:slim "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+            $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+            echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
+          done
+
  vuln-scan:
    name: Harbor Vulnerability Scan
    runs-on: ubuntu-latest
@@ -339,10 +360,17 @@ jobs:
            exit 0
          fi

-          echo "Triggering vulnerability scan..."
+          # Scan standard image
+          echo "Triggering vulnerability scan for standard image..."
          python harbor-ctl.py --url https://harbor.mymx.me \
            -u "$HARBOR_USER" -p "$HARBOR_PASS" \
-            scan library flaskpaste --wait --timeout 180
+            scan library flaskpaste:latest --wait --timeout 180
+
+          # Scan slim image
+          echo "Triggering vulnerability scan for slim image..."
+          python harbor-ctl.py --url https://harbor.mymx.me \
+            -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+            scan library flaskpaste:slim --wait --timeout 180

      - name: Check for critical vulnerabilities
        env:
@@ -351,33 +379,41 @@ jobs:
        run: |
          if [ -z "$HARBOR_USER" ]; then exit 0; fi

-          echo "Checking for fixable critical/high vulnerabilities..."
-
-          # Get vulnerability report
-          python harbor-ctl.py --url https://harbor.mymx.me \
-            -u "$HARBOR_USER" -p "$HARBOR_PASS" \
-            vulns library flaskpaste -s critical -l 100 > /tmp/critical.txt 2>&1 || true
+          check_vulns() {
+            local tag="$1"
+            echo "Checking fixable critical/high vulnerabilities for :${tag}..."

            python harbor-ctl.py --url https://harbor.mymx.me \
              -u "$HARBOR_USER" -p "$HARBOR_PASS" \
-            vulns library flaskpaste -s high -l 100 > /tmp/high.txt 2>&1 || true
+              vulns library flaskpaste:${tag} -s critical -l 100 > /tmp/critical-${tag}.txt 2>&1 || true

-          # Check for fixable vulns (have a "Fixed" version that's not "N/A")
-          CRITICAL_FIXABLE=$(grep -v "N/A *$" /tmp/critical.txt | grep -c "^CVE\|^GHSA" || echo 0)
-          HIGH_FIXABLE=$(grep -v "N/A *$" /tmp/high.txt | grep -c "^CVE\|^GHSA" || echo 0)
+            python harbor-ctl.py --url https://harbor.mymx.me \
+              -u "$HARBOR_USER" -p "$HARBOR_PASS" \
+              vulns library flaskpaste:${tag} -s high -l 100 > /tmp/high-${tag}.txt 2>&1 || true

-          echo "Critical fixable: $CRITICAL_FIXABLE"
-          echo "High fixable: $HIGH_FIXABLE"
+            CRITICAL=$(grep -v "N/A *$" /tmp/critical-${tag}.txt | grep -c "^CVE\|^GHSA" || echo 0)
+            HIGH=$(grep -v "N/A *$" /tmp/high-${tag}.txt | grep -c "^CVE\|^GHSA" || echo 0)

-          if [ "$CRITICAL_FIXABLE" -gt 0 ]; then
-            echo "::error::Found $CRITICAL_FIXABLE fixable critical vulnerabilities"
-            cat /tmp/critical.txt
+            echo "  :${tag} - Critical fixable: $CRITICAL, High fixable: $HIGH"
+
+            if [ "$CRITICAL" -gt 0 ]; then
+              echo "::error::Found $CRITICAL fixable critical vulnerabilities in :${tag}"
+              cat /tmp/critical-${tag}.txt
+              return 1
+            fi
+
+            if [ "$HIGH" -gt 0 ]; then
+              echo "::warning::Found $HIGH fixable high vulnerabilities in :${tag}"
+              cat /tmp/high-${tag}.txt
+            fi
+            return 0
+          }
+
+          FAILED=0
+          check_vulns latest || FAILED=1
+          check_vulns slim || FAILED=1
+
+          if [ "$FAILED" -eq 1 ]; then
            exit 1
          fi
-
-          if [ "$HIGH_FIXABLE" -gt 0 ]; then
-            echo "::warning::Found $HIGH_FIXABLE fixable high vulnerabilities"
-            cat /tmp/high.txt
-          fi
-
-          echo "Vulnerability scan passed"
+          echo "Vulnerability scan passed for all images"