infra: added trivy vulnerability scanner to CI/CD

fix: fixed typo
fix: fixed config gathering in ci.yml
2025-12-22 10:01:52 +01:00 · 2025-12-22 09:40:43 +01:00 · 2025-12-22 09:16:55 +01:00 · 2025-12-22 08:45:31 +01:00 · 2025-12-21 13:54:02 +01:00 · 2025-12-21 13:53:49 +01:00
4 changed files with 64 additions and 33 deletions
@@ -30,33 +30,54 @@ jobs:
    name: Build & Push to Registry
    runs-on: ubuntu-latest
    needs: test
    if: contains(github.ref, 'refs/tags/v')
    steps:
      - name: Debug ref
        run: |
          echo "github.ref = ${{ github.ref }}"
          echo "GITHUB_REF = $GITHUB_REF"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Load config from Makefile
        id: config
-        run: |
+        run: make -s _ci-dump-config >> $GITHUB_OUTPUT
          eval "$(make _ci-image-name)"
          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
-      - name: Extract version from tag
+      - name: 🏷️ Docker Metadata (Tags & Labels)
-        id: version
+        id: meta
-        run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+        uses: docker/metadata-action@v5
        with:
          images: gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}
          tags: |
            # Case 1 - Git Tag (v1.2.3)
            type=semver,pattern={{ version }}
            # Case 2 - Push on main
            type=raw,value=latest,enable={{ is_default_branch }}
            # Both case - Commit sha
            type=sha
-      - name: Build production image
+      - name: Login to Gitea Registry
-        run: make build
+        uses: docker/login-action@v3
        with:
          registry: gitea.iswearihadsomethingforthis.net
          username: ${{ gitea.actor }}
          password: ${{ secrets.G1T34_TOKEN }}
-      - name: Tag and push to registry
+      - name: Build and push
-        run: |
+        id: docker_build
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+        uses: docker/build-push-action@v5
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+        with:
-          echo "${{ secrets.GITEA_TOKEN }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ env.REGISTRY_USER }} --password-stdin
+          context: .
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+          file: ./brain/Dockerfile
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
            RUNNER=${{ steps.config.outputs.runner }}
      - name: 🛡️ Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITAL, HIGH'
@@ -3,20 +3,18 @@
 .DEFAULT_GOAL := help
 # --- SETTINGS ---
 CORE_DIR = brain
 IMAGE_NAME = agent_media
 PYTHON_VERSION = 3.12.7
 PYTHON_VERSION_SHORT = $(shell echo $(PYTHON_VERSION) | cut -d. -f1,2)
 # Change to 'uv' when ready.
 RUNNER ?= poetry
 SERVICE_NAME = agent_media
 export IMAGE_NAME
 export PYTHON_VERSION
 export PYTHON_VERSION_SHORT
 export RUNNER
 export IMAGE_NAME
 # --- VARIABLES ---
 CORE_DIR     = brain
 SERVICE_NAME = agent_media
 IMAGE_NAME   = agent_media
 # --- ADAPTERS ---
 # UV uses "sync", Poetry uses "install". Both install DEV deps by default.
@@ -46,7 +44,7 @@ T = \033[36m
 R = \033[0m
 # --- TARGETS ---
-.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-image-name _ci-run-tests
+.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-dump-config _ci-run-tests _push_tag
 # Catch-all for args
 %:
@@ -134,7 +132,7 @@ help:
 	@echo "  $(T)update       		$(R)  Update dependencies."
 	@echo ""
 	@echo "$(G)Versioning:$(R)"
-	@echo "  $(T)major/minor/patch	$(R)  Bump version."
+	@echo "  $(T)major/minor/patch	$(R)  Bump version and push tag (triggers CI/CD)."
 init-dotenv:
 	@echo "$(T)🔑 Initializing .env file...$(R)"
@@ -187,14 +185,17 @@ logs: check-docker
 major: _check_branch
 	@echo "$(T)💥 Bumping major...$(R)"
 	SKIP=all $(BUMP_CMD) major
 	@$(MAKE) -s _push_tag
 minor: _check_branch
 	@echo "$(T)✨ Bumping minor...$(R)"
 	SKIP=all $(BUMP_CMD) minor
 	@$(MAKE) -s _push_tag
 patch: _check_branch
 	@echo "$(T)🚀 Bumping patch...$(R)"
 	SKIP=all $(BUMP_CMD) patch
 	@$(MAKE) -s _push_tag
 prune: check-docker
 	@echo "$(T)🗑️  Pruning Docker resources...$(R)"
@@ -237,8 +238,12 @@ _check_branch:
 	   echo "❌ Error: not on the main branch"; exit 1; \
 	fi
-_ci-image-name:
+_ci-dump-config:
-	@echo "IMAGE_NAME=$(IMAGE_NAME)"
+	@echo "image_name=$(IMAGE_NAME)"
 	@echo "python_version=$(PYTHON_VERSION)"
 	@echo "python_version_short=$(PYTHON_VERSION_SHORT)"
 	@echo "runner=$(RUNNER)"
 	@echo "service_name=$(SERVICE_NAME)"
 _ci-run-tests: build-test
 	@echo "$(T)🧪 Running tests in Docker...$(R)"
@@ -247,3 +252,8 @@ _ci-run-tests: build-test
 		-e TMDB_API_KEY \
 		$(IMAGE_NAME):test pytest
 	@echo "✅ Tests passed."
 _push_tag:
 	@echo "$(T)📦 Pushing tag...$(R)"
 	git push --tags
 	@echo "✅ Tag pushed. Check CI for build status."
@@ -1,5 +1,5 @@
 [tool.bumpversion]
-current_version = "0.1.4"
+current_version = "0.1.6"
 parse = "(?P<major>\\d+)\\.(?P<minor>\\d+)\\.(?P<patch>\\d+)"
 serialize = ["{major}.{minor}.{patch}"]
 search = "{current_version}"
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "agent-media"
-version = "0.1.4"
+version = "0.1.6"
 description = "AI agent for managing a local media library"
 authors = ["Francwa <francois.hodiaumont@gmail.com>"]
 readme = "README.md"
Author	SHA1	Message	Date
francwa	56a3c1257d	infra: added trivy vulnerability scanner to CI/CD CI/CD Awesome Pipeline / Test (push) Successful in 1m36s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 7m10s Details	2025-12-22 10:01:52 +01:00
francwa	79d23f936a	fix: fixed typo	2025-12-22 09:40:43 +01:00
francwa	f02e916d33	fix: fixed config gathering in ci.yml CI/CD Awesome Pipeline / Test (push) Successful in 1m34s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 14m19s Details	2025-12-22 09:16:55 +01:00
francwa	4e64c83c4b	fix: updated build and push CI/CD configuration CI/CD Awesome Pipeline / Test (push) Successful in 1m4s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 2m32s Details	2025-12-22 08:45:31 +01:00
francwa	07cae9abd1	chore: bump version 0.1.5 → 0.1.6 CI/CD Awesome Pipeline / Test (push) Successful in 1m23s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Successful in 1m4s Details	2025-12-21 13:54:02 +01:00
francwa	21b2dffc37	fix: added gitea token	2025-12-21 13:53:49 +01:00
francwa	2d1055cccf	chore: bump version 0.1.4 → 0.1.5 CI/CD Awesome Pipeline / Test (push) Successful in 40s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 20s Details	2025-12-21 13:01:37 +01:00
francwa	fdb2447862	debug: tired	2025-12-21 13:01:23 +01:00