diff --git a/.woodpecker.yml b/.woodpecker.yml index 084a4db..47a5008 100644 --- a/.woodpecker.yml +++ b/.woodpecker.yml @@ -6,6 +6,7 @@ name: prod-promotion steps: - name: promote-tag-and-mirror image: google/cloud-sdk:latest + privileged: true entrypoint: - bash - -c @@ -18,9 +19,16 @@ steps: SRC="us-central1-docker.pkg.dev/aptivaai-dev/aptiva-repo" DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" - apt-get update -qq - apt-get install -y -qq docker.io - gcloud auth configure-docker us-central1-docker.pkg.dev -q + apt-get update -qq + apt-get install -y -qq skopeo + TOKEN="$(gcloud auth print-access-token)" + for s in server1 server2 server3 nginx; do + skopeo copy --insecure-policy \ + --src-creds "oauth2accesstoken:${TOKEN}" \ + --dest-creds "oauth2accesstoken:${TOKEN}" \ + "docker://${SRC}/${s}:${IMG_TAG}" \ + "docker://${DST}/${s}:${IMG_TAG}" + done for svc in server1 server2 server3 nginx; do docker pull "$SRC/$svc:$IMG_TAG" @@ -33,6 +41,7 @@ steps: echo "🏷 Promoted IMG_TAG=${IMG_TAG} → aptivaai-prod & mirrored images" - name: verify-sync + privileged: true depends_on: [promote-tag-and-mirror] image: google/cloud-sdk:latest entrypoint: @@ -47,14 +56,16 @@ steps: echo "✅ Tag parity confirmed: $IMG_TAG" # Ensure images truly exist in PROD AR DST="us-central1-docker.pkg.dev/aptivaai-prod/aptiva-repo" - apt-get update -qq && apt-get install -y -qq docker.io - gcloud auth configure-docker us-central1-docker.pkg.dev -q - for svc in server1 server2 server3 nginx; do - docker pull "$DST/$svc:$IMG_TAG" >/dev/null + apt-get update -qq && apt-get install -y -qq skopeo + TOKEN="$(gcloud auth print-access-token)" + for s in server1 server2 server3 nginx; do + skopeo inspect --creds "oauth2accesstoken:${TOKEN}" \ + "docker://${DST}/${s}:${IMG_TAG}" >/dev/null done echo "✅ Prod AR has all images at :$IMG_TAG" - name: security-scan + privileged: true depends_on: [verify-sync] image: google/cloud-sdk:latest entrypoint: 
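Review bot: `privileged: true` is added to promote-tag-and-mirror here and to verify-sync, security-scan and prod-deploy in the later hunks, but nothing in the new code needs it: `skopeo copy`, `skopeo inspect` and `trivy image` talk to the registry over HTTPS without a Docker daemon, which is what the removed `docker.io` install was there for. A privileged step container gets host-device access on the Woodpecker agent, so a compromise of any dependency these steps pull in (the `curl | bash` trivy installer, an apt package) would yield agent-level rather than container-level access. Unless something further down these steps, outside the hunks, still needs a daemon, drop the four `privileged: true` lines; if one step genuinely needs it, keep it only there with a comment naming the requirement, e.g. `# privileged: required by <command that needs the Docker daemon>`.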
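Review bot: The context lines at the end of this hunk still start the old `for svc in ...; do docker pull "$SRC/$svc:$IMG_TAG"` loop, but the `docker.io` install it relied on is removed in favour of skopeo, so the step will fail at the first `docker` call (or, if the script is not running under `set -e`, print errors and carry on); the loop body continues outside the hunk, so its remaining lines are not visible here. The new skopeo loop already performs the mirror, so the leftover docker loop should be deleted rather than kept. On the new lines, `--src-creds`/`--dest-creds "oauth2accesstoken:${TOKEN}"` place the access token in argv, where it shows up in `ps` and in any `set -x` trace in the CI log, and `--insecure-policy` turns off skopeo's signature-policy check; the same token-in-argv pattern recurs in the verify-sync (`--creds`) and security-scan (`--password`) hunks. Logging in once with `skopeo login --password-stdin` against `us-central1-docker.pkg.dev` (SRC and DST are both on that host) keeps the token out of argv, and `--insecure-policy` can then be dropped if the image's skopeo package ships a default `/etc/containers/policy.json` (otherwise supply one with `--policy`).
```yaml
        # … unchanged: apt-get install of skopeo …
        gcloud auth print-access-token \
          | skopeo login -u oauth2accesstoken --password-stdin us-central1-docker.pkg.dev
        for s in server1 server2 server3 nginx; do
          skopeo copy "docker://${SRC}/${s}:${IMG_TAG}" "docker://${DST}/${s}:${IMG_TAG}"
        done
        # … unchanged: rest of the step script (remove the old docker loop that followed) …
```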
@@ -75,14 +86,15 @@ steps:
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | bash
export PATH="$PATH:$(pwd)/bin"
- gcloud auth configure-docker us-central1-docker.pkg.dev -q
+ TOKEN="$(gcloud auth print-access-token)"
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
- trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
+ trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server1:$IMG_TAG"
+ trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server2:$IMG_TAG"
+ trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/server3:$IMG_TAG"
+ trivy image --username oauth2accesstoken --password "$TOKEN" --scanners vuln --ignore-unfixed --ignorefile .trivyignore --exit-code 1 --severity CRITICAL "$REG/nginx:$IMG_TAG"
- name: prod-deploy
+ privileged: true
depends_on: [security-scan]
image: google/cloud-sdk:latest
entrypoint:
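Review bot: The four new `trivy image` lines pass the registry token as `--password "$TOKEN"`, which exposes it in the process list and in any `set -x` output, and they repeat the same flag set four times with only the image name changing, so every future flag change has to be made in four places. Trivy also reads `TRIVY_USERNAME` and `TRIVY_PASSWORD` from the environment, which keeps the token out of argv, and a loop over the four image names removes the duplication. `privileged: true` on prod-deploy is the same point raised on the first hunk. This step's script starts before the hunk (`REG` is assigned out of view).
```yaml
        TOKEN="$(gcloud auth print-access-token)"
        for s in server1 server2 server3 nginx; do
          TRIVY_USERNAME=oauth2accesstoken TRIVY_PASSWORD="$TOKEN" \
            trivy image --scanners vuln --ignore-unfixed --ignorefile .trivyignore \
              --exit-code 1 --severity CRITICAL "$REG/$s:$IMG_TAG"
        done
```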