89 lines
2.6 KiB
YAML
89 lines
2.6 KiB
YAML
name: CI/CD Awesome Pipeline
|
|
|
|
on:
|
|
push:
|
|
tags:
|
|
- 'v*.*.*'
|
|
|
|
workflow_dispatch:
|
|
|
|
env:
|
|
REGISTRY_URL: ${{ vars.REGISTRY_URL || 'gitea.iswearihadsomethingforthis.net' }}
|
|
REGISTRY_USER: ${{ vars.REGISTRY_USER || 'francwa' }}
|
|
|
|
jobs:
|
|
test:
|
|
name: Test
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Build and run tests
|
|
env:
|
|
DEEPSEEK_API_KEY: ${{ secrets.DEEPSEEK_API_KEY }}
|
|
TMDB_API_KEY: ${{ secrets.TMDB_API_KEY }}
|
|
run: make _ci-run-tests
|
|
|
|
build-and-push:
|
|
name: Build & Push to Registry
|
|
runs-on: ubuntu-latest
|
|
needs: test
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Load config from Makefile
|
|
id: config
|
|
run: make -s _ci-dump-config >> $GITHUB_OUTPUT
|
|
|
|
- name: 🏷️ Docker Metadata (Tags & Labels)
|
|
id: meta
|
|
uses: docker/metadata-action@v5
|
|
with:
|
|
images: gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}
|
|
tags: |
|
|
# Tagged (v1.2.3)
|
|
type=semver,pattern={{ version }}
|
|
# Latest
|
|
type=raw,value=latest,enable={{ is_default_branch }}
|
|
|
|
- name: Login to Gitea Registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: gitea.iswearihadsomethingforthis.net
|
|
username: ${{ gitea.actor }}
|
|
password: ${{ secrets.G1T34_TOKEN }}
|
|
|
|
- name: Build and push
|
|
id: docker_build
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
file: ./brain/Dockerfile
|
|
push: true
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
labels: ${{ steps.meta.outputs.labels }}
|
|
build-args: |
|
|
PYTHON_VERSION=${{ steps.config.outputs.python_version }}
|
|
PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
|
|
RUNNER=${{ steps.config.outputs.runner }}
|
|
|
|
- name: 🛡️ Run Trivy Vulnerability Scanner
|
|
uses: docker://aquasec/trivy:latest
|
|
env:
|
|
TRIVY_USERNAME: ${{ gitea.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.G1T34_TOKEN }}
|
|
# Unset the fake GITHUB_TOKEN injected by Gitea
|
|
GITHUB_TOKEN: ""
|
|
with:
|
|
args: image --format table --output trivy-report.txt --exit-code 0 --ignore-unfixed --severity CRITICAL,HIGH gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}:latest
|
|
|
|
- name: 📤 Upload Security Report
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: security-report
|
|
path: trivy-report.txt
|
|
retention-days: 7
|