infra: added trivy vulnerability scanner to CI/CD

fix: fixed typo
fix: fixed config gathering in ci.yml
2025-12-22 10:01:52 +01:00 · 2025-12-22 09:40:43 +01:00 · 2025-12-22 09:16:55 +01:00 · 2025-12-22 08:45:31 +01:00
2 changed files with 53 additions and 31 deletions
@@ -30,34 +30,54 @@ jobs:
    name: Build & Push to Registry
    runs-on: ubuntu-latest
    needs: test
-    if: startsWith(github.ref, 'refs/tags/')
-    steps:
-      - name: Debug ref
-        run: |
-          echo "github.ref = ${{ github.ref }}"
-          echo "GITHUB_REF = $GITHUB_REF"
-          echo "This should only run on tags!"

+    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Load config from Makefile
        id: config
-        run: |
-          eval "$(make _ci-image-name)"
-          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
+        run: make -s _ci-dump-config >> $GITHUB_OUTPUT

-      - name: Extract version from tag
-        id: version
-        run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+      - name: 🏷️ Docker Metadata (Tags & Labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}
+          tags: |
+            # Case 1 - Git Tag (v1.2.3)
+            type=semver,pattern={{ version }}
+            # Case 2 - Push on main
+            type=raw,value=latest,enable={{ is_default_branch }}
+            # Both case - Commit sha
+            type=sha

-      - name: Build production image
-        run: make build
+      - name: Login to Gitea Registry
+        uses: docker/login-action@v3
+        with:
+          registry: gitea.iswearihadsomethingforthis.net
+          username: ${{ gitea.actor }}
+          password: ${{ secrets.G1T34_TOKEN }}

-      - name: Tag and push to registry
-        run: |
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
-          echo "${{ secrets.G1T34_TOKEN }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ env.REGISTRY_USER }} --password-stdin
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+      - name: Build and push
+        id: docker_build
+        uses: docker/build-push-action@v5
+        with:
+          context: .
+          file: ./brain/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          build-args: |
+            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
+            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
+            RUNNER=${{ steps.config.outputs.runner }}
+
+      - name: 🛡️ Run Trivy Vulnerability Scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ steps.meta.outputs.tags }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'CRITAL, HIGH'
@@ -3,20 +3,18 @@
 .DEFAULT_GOAL := help

 # --- SETTINGS ---
+CORE_DIR = brain
+IMAGE_NAME = agent_media
 PYTHON_VERSION = 3.12.7
 PYTHON_VERSION_SHORT = $(shell echo $(PYTHON_VERSION) | cut -d. -f1,2)
 # Change to 'uv' when ready.
 RUNNER ?= poetry
+SERVICE_NAME = agent_media

+export IMAGE_NAME
 export PYTHON_VERSION
 export PYTHON_VERSION_SHORT
 export RUNNER
-export IMAGE_NAME
-
-# --- VARIABLES ---
-CORE_DIR     = brain
-SERVICE_NAME = agent_media
-IMAGE_NAME   = agent_media

 # --- ADAPTERS ---
 # UV uses "sync", Poetry uses "install". Both install DEV deps by default.
@@ -46,7 +44,7 @@ T = \033[36m
 R = \033[0m

 # --- TARGETS ---
-.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-image-name _ci-run-tests _push_tag
+.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-dump-config _ci-run-tests _push_tag

 # Catch-all for args
 %:
@@ -240,8 +238,12 @@ _check_branch:
 	   echo "❌ Error: not on the main branch"; exit 1; \
 	fi

-_ci-image-name:
-	@echo "IMAGE_NAME=$(IMAGE_NAME)"
+_ci-dump-config:
+	@echo "image_name=$(IMAGE_NAME)"
+	@echo "python_version=$(PYTHON_VERSION)"
+	@echo "python_version_short=$(PYTHON_VERSION_SHORT)"
+	@echo "runner=$(RUNNER)"
+	@echo "service_name=$(SERVICE_NAME)"

 _ci-run-tests: build-test
 	@echo "$(T)🧪 Running tests in Docker...$(R)"
Author	SHA1	Message	Date
francwa	56a3c1257d	infra: added trivy vulnerability scanner to CI/CD CI/CD Awesome Pipeline / Test (push) Successful in 1m36s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 7m10s Details	2025-12-22 10:01:52 +01:00
francwa	79d23f936a	fix: fixed typo	2025-12-22 09:40:43 +01:00
francwa	f02e916d33	fix: fixed config gathering in ci.yml CI/CD Awesome Pipeline / Test (push) Successful in 1m34s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 14m19s Details	2025-12-22 09:16:55 +01:00
francwa	4e64c83c4b	fix: updated build and push CI/CD configuration CI/CD Awesome Pipeline / Test (push) Successful in 1m4s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 2m32s Details	2025-12-22 08:45:31 +01:00