jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pipeline fixes
Some checks failed
ci/woodpecker/manual/woodpecker Pipeline failed
Details

Browse Source
This commit is contained in:
Josh 2025-09-12 15:29:28 +00:00
parent 4d84b7a593
commit bb14ea74f3
1 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
.woodpecker.yml
View File

@ -18,6 +18,11 @@ steps:
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo" SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
# Hard guards so we fail *before* skopeo if anything is empty
[ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
[ -n "$SRC" ] || { echo "❌ SRC is empty"; exit 2; }
[ -n "$DST" ] || { echo "❌ DST is empty"; exit 2; }
apt-get update -qq apt-get update -qq
apt-get install -y -qq skopeo apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
@ -57,8 +62,9 @@ steps:
apt-get update -qq && apt-get install -y -qq skopeo apt-get update -qq && apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do for s in server1 server2 server3 nginx; do
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \ REF="docker://${DST}/${s}:${IMG_TAG}"
"docker://${DST}/${s}:${IMG_TAG}" >/dev/null echo "🔎 verify ${REF}"
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null
done done
echo "✅ Prod AR has all images at :$IMG_TAG" echo "✅ Prod AR has all images at :$IMG_TAG"
@ -78,18 +84,20 @@ steps:
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq apt-get update -qq
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
export PATH="$PATH:$(pwd)/bin" export PATH="$PATH:$(pwd)/bin"
TOKEN="$(gcloud auth print-access-token)" TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG" REF="$REG/$s:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG" echo "🛡 scan $REF"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG" trivy image --username oauth2accesstoken --password "$TOKEN" \
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG" --scanners vuln --ignore-unfixed --ignorefile .trivyignore \
--exit-code 1 --severity CRITICAL "$REF"
done
- name: prod-deploy - name: prod-deploy
depends_on: [security-scan] depends_on: [security-scan]
image: google/cloud-sdk:latest image: google/cloud-sdk:latest