jcoakley/dev1
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Changed from Docker daemon/privileged: true

Browse Source
This commit is contained in:
Josh 2025-09-12 15:18:54 +00:00
parent 83c7b89fc9
commit dc63732e4c
1 changed files with 24 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
.woodpecker.yml
View File

@ -6,6 +6,7 @@ name: prod-promotion
steps:
- name: promote-tag-and-mirror
image: google/cloud-sdk:latest
privileged: true
entrypoint:
- bash
- -c
@ -18,9 +19,16 @@ steps:
SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo"
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq
apt-get install -y -qq docker.io
gcloud auth configure-docker us-central1-docker.pkg.dev -q
apt-get update -qq
apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do
skopeo copy --insecure-policy \
--src-creds "oauth2accesstoken:${TOKEN}" \
--dest-creds "oauth2accesstoken:${TOKEN}" \
"docker://${SRC}/${s}:${IMG_TAG}" \
"docker://${DST}/${s}:${IMG_TAG}"
done
for svc in server1 server2 server3 nginx; do
docker pull "$SRC/$svc:$IMG_TAG"
@ -33,6 +41,7 @@ steps:
echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images"
- name: verify-sync
privileged: true
depends_on: [promote-tag-and-mirror]
image: google/cloud-sdk:latest
entrypoint:
@ -47,14 +56,16 @@ steps:
echo "✅ Tag parity confirmed: $IMG_TAG"
# Ensure images truly exist in PROD AR
DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo"
apt-get update -qq && apt-get install -y -qq docker.io
gcloud auth configure-docker us-central1-docker.pkg.dev -q
for svc in server1 server2 server3 nginx; do
docker pull "$DST/$svc:$IMG_TAG" >/dev/null
apt-get update -qq && apt-get install -y -qq skopeo
TOKEN="$(gcloud auth print-access-token)"
for s in server1 server2 server3 nginx; do
skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \
"docker://${DST}/${s}:${IMG_TAG}" >/dev/null
done
echo "✅ Prod AR has all images at :$IMG_TAG"
- name: security-scan
privileged: true
depends_on: [verify-sync]
image: google/cloud-sdk:latest
entrypoint:
@ -75,14 +86,15 @@ steps:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
export PATH="$PATH:$(pwd)/bin"
gcloud auth configure-docker us-central1-docker.pkg.dev -q
TOKEN="$(gcloud auth print-access-token)"
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
- name: prod-deploy
privileged: true
depends_on: [security-scan]
image: google/cloud-sdk:latest
entrypoint: