added container config

2026-01-25 16:03:51 +00:00 · 2026-01-25 16:03:51 +00:00 · 1000464b4a
commit 1000464b4a
parent eec00e17fe
7 changed files with 242 additions and 0 deletions
--- a/.woodpecker/share-lt-build.yaml
+++ b/.woodpecker/share-lt-build.yaml
@ -0,0 +1,67 @@
+when:
+  - event: push
+    branch: dev
+steps:
+  build-local:
+    image: docker:share-lt-build
+    privileged: true
+    # environment:
+    #   DOCKER_TLS_CERTDIR: /certs
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - echo "Pulling base images to ensure latest layers..."
+      - docker pull --quiet php:8.4-fpm-alpine3.23 || true
+      - echo "Try to pull previous image to use as cache ..."
+      - docker pull quay.io/marshyon/share-lt:latest || true
+      - echo "Building image for testing (amd64 only for CI compatibility)..."
+      - docker build --platform linux/amd64 --cache-from=quay.io/marshyon/share-lt:latest -t share-lt:test .
+      - echo "Tagging test image as quay.io/marshyon/share-lt:v0.0.2..."
+      - docker tag share-lt:test quay.io/marshyon/share-lt:v0.0.2
+      - echo "Generating SBOM..."
+      - docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/syft:latest scan quay.io/marshyon/share-lt:v0.0.2 -o cyclonedx-json > sbom.json
+  scan-vulnerabilities:
+    image: aquasec/trivy:0.67.2
+    privileged: true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    commands:
+      - echo "Ensuring latest Trivy image is pulled..."
+      - docker pull aquasec/trivy:latest || true
+      - echo "Scanning for vulnerabilities via Docker daemon..."
+      # Scan the image present in the Docker daemon; fail on CRITICAL severities
+      - trivy image --exit-code 1 --severity CRITICAL --no-progress share-lt:test
+      # Run a full scan without failing just for logs
+      - trivy image --severity HIGH,MEDIUM,LOW --no-progress share-lt:test
+      - echo "Generating vulnerability report..."
+      - trivy image --format cyclonedx --output trivy-vuln-bom.json share-lt:test
+      - echo "Vulnerability Summary:"
+      - trivy image --format table share-lt:test | tee trivy-vuln-summary.txt
+  publish:
+    image: woodpeckerci/plugin-docker-buildx
+    privileged: true
+    settings:
+      registry: quay.io
+      repo: quay.io/marshyon/share-lt
+      # platforms: linux/amd64,linux/arm64
+      platforms: linux/amd64
+      tags:
+        - v0.0.2
+        - latest
+      username:
+        from_secret: QUAY_USERNAME
+      password:
+        from_secret: QUAY_PASSWORD
+  upload-sbom:
+    image: cgr.dev/chainguard/cosign:latest
+    privileged: true
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      COSIGN_REGISTRY_USERNAME:
+        from_secret: QUAY_USERNAME
+      COSIGN_REGISTRY_PASSWORD:
+        from_secret: QUAY_PASSWORD
+    commands:
+      - cosign attach sbom --sbom sbom.json quay.io/marshyon/share-lt:v0.0.2 || echo "SBOM attach failed"
+      - echo "Done - trivy report saved to workspace for manual review"