diff --git a/.woodpecker.yml b/.woodpecker.yml index fbba877..f8b97e4 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -1,3 +1,33 @@ +--- +kind: pipeline +type: docker +name: ssh-test + +steps: + - name: security-scan + image: google/cloud-sdk:latest + entrypoint: + - bash + - -c + - | + set -euo pipefail + IMG_TAG=$(gcloud secrets versions access latest --secret=IMG_TAG --project=aptivaai-dev) + REG=us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo + + apt-get update -qq + apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io + + curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash + export PATH="$PATH:$(pwd)/bin" + + gcloud auth configure-docker us-central1-docker.pkg.dev -q + + trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server1:$IMG_TAG + trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server2:$IMG_TAG + trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/server3:$IMG_TAG + trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL $REG/nginx:$IMG_TAG + + - name: staging-deploy image: google/cloud-sdk:latest entrypoint: @@ -109,3 +139,12 @@ sudo --preserve-env=IMG_TAG,FROM_SECRETS_MANAGER,JWT_SECRET,OPENAI_API_KEY,ONET_USERNAME,ONET_PASSWORD,STRIPE_SECRET_KEY,STRIPE_PUBLISHABLE_KEY,STRIPE_WH_SECRET,STRIPE_PRICE_PREMIUM_MONTH,STRIPE_PRICE_PREMIUM_YEAR,STRIPE_PRICE_PRO_MONTH,STRIPE_PRICE_PRO_YEAR,DB_NAME,DB_HOST,DB_PORT,DB_USER,DB_PASSWORD,DB_SSL_CA,DB_SSL_CERT,DB_SSL_KEY,TWILIO_ACCOUNT_SID,TWILIO_AUTH_TOKEN,TWILIO_MESSAGING_SERVICE_SID,KMS_KEY_NAME,DEK_PATH \ docker compose up -d --force-recreate --remove-orphans; \ echo \"✅ Staging stack refreshed with tag $IMG_TAG\"' + + + secrets: + - STAGING_SSH_KEY + - STAGING_KNOWN_HOSTS + +when: + event: + - push