headshed/share-lt
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
share-lt/.woodpecker/share-lt-build.yaml
jon brookes 502ef92943 updated woodpecker
2026-01-25 16:48:00 +00:00

62 lines
No EOL
2.5 KiB
YAML
Raw Blame History

when:
- event: push
branch: dev
steps:
build-local:
image: docker:24-dind
privileged: true
volumes:
- /var/run/docker.sock:/var/run/docker.sock
commands:
- echo "Pulling base images to ensure latest layers..."
- docker pull --quiet php:8.4-fpm-alpine3.23 || true
- echo "Try to pull previous image to use as cache ..."
- docker pull quay.io/marshyon/share-lt:latest || true
- echo "Building image for testing (amd64 only for CI compatibility)..."
- docker build --platform linux/amd64 --cache-from=quay.io/marshyon/share-lt:latest -t share-lt:test .
- echo "Tagging test image as quay.io/marshyon/share-lt:v0.0.2..."
- docker tag share-lt:test quay.io/marshyon/share-lt:v0.0.2
- echo "Generating SBOM..."
- docker run --rm -v /var/run/docker.sock:/var/run/docker.sock anchore/syft:latest scan quay.io/marshyon/share-lt:v0.0.2 -o cyclonedx-json > sbom.json
scan-vulnerabilities:
image: aquasec/trivy:0.67.2
volumes:
- /var/run/docker.sock:/var/run/docker.sock
commands:
- echo "Ensuring latest Trivy image is pulled..."
- docker pull aquasec/trivy:latest || true
- echo "Scanning for vulnerabilities via Docker daemon..."
# Scan the image present in the Docker daemon; fail on CRITICAL severities
- trivy image --exit-code 1 --severity CRITICAL --no-progress share-lt:test
# Run a full scan without failing just for logs
- trivy image --severity HIGH,MEDIUM,LOW --no-progress share-lt:test
- echo "Generating vulnerability report..."
- trivy image --format cyclonedx --output trivy-vuln-bom.json share-lt:test
- echo "Vulnerability Summary:"
- trivy image --format table share-lt:test | tee trivy-vuln-summary.txt
publish:
image: woodpeckerci/plugin-docker-buildx
settings:
registry: quay.io
repo: quay.io/marshyon/share-lt
# platforms: linux/amd64,linux/arm64
platforms: linux/amd64
tags:
- v0.0.2
- latest
username:
from_secret: QUAY_USERNAME
password:
from_secret: QUAY_PASSWORD
upload-sbom:
image: cgr.dev/chainguard/cosign:latest
volumes:
- /var/run/docker.sock:/var/run/docker.sock
environment:
COSIGN_REGISTRY_USERNAME:
from_secret: QUAY_USERNAME
COSIGN_REGISTRY_PASSWORD:
from_secret: QUAY_PASSWORD
commands:
- cosign attach sbom --sbom sbom.json quay.io/marshyon/share-lt:v0.0.2 || echo "SBOM attach failed"
- echo "Done - trivy report saved to workspace for manual review"
Reference in a new issue View git blame Copy permalink