jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

pipeline fixes
Some checks failed
ci/woodpecker/manual/woodpecker Pipeline failed
Details

Browse Source
This commit is contained in:
Josh 2025-09-12 15:29:28 +00:00
parent 4d84b7a593
commit bb14ea74f3
1 changed files with 17 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

24
.woodpecker.yml
View File

@ -18,6 +18,11 @@ steps:
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
# Hard guards so we fail *before* skopeo if anything is empty
[ -n "$IMG_TAG" ] || { echo "❌ IMG_TAG is empty"; exit 2; }
[ -n "$SRC" ] || { echo "❌ SRC is empty"; exit 2; }
[ -n "$DST" ] || { echo "❌ DST is empty"; exit 2; }
apt-get update -qq
apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)"
@ -57,8 +62,9 @@ steps:
apt-get update -qq && apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \
"docker://${DST}/${s}:${IMG_TAG}" >/dev/null
REF="docker://${DST}/${s}:${IMG_TAG}"
echo "🔎 verify ${REF}"
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" "$REF" >/dev/null
done
echo "✅ Prod AR has all images at :$IMG_TAG"
@ -78,17 +84,19 @@ steps:
REG="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates docker.io
apt-get install -y -qq gnupg apt-transport-https curl ca-certificates
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
export PATH="$PATH:$(pwd)/bin"
TOKEN="$(gcloud auth print-access-token)"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
for s in server1 server2 server3 nginx; do
REF="$REG/$s:$IMG_TAG"
echo "🛡 scan $REF"
trivy image --username oauth2accesstoken --password "$TOKEN" \
--scanners vuln --ignore-unfixed --ignorefile .trivyignore \
--exit-code 1 --severity CRITICAL "$REF"
done
- name: prod-deploy
depends_on: [security-scan]