infra: added trivy vulnerability scanner to CI/CD

fix: fixed typo
fix: fixed config gathering in ci.yml
2025-12-22 10:01:52 +01:00 · 2025-12-22 09:40:43 +01:00 · 2025-12-22 09:16:55 +01:00 · 2025-12-22 08:45:31 +01:00
2 changed files with 53 additions and 31 deletions
@@ -30,34 +30,54 @@ jobs:
    name: Build & Push to Registry
    runs-on: ubuntu-latest
    needs: test
    if: startsWith(github.ref, 'refs/tags/')
    steps:
      - name: Debug ref
        run: |
          echo "github.ref = ${{ github.ref }}"
          echo "GITHUB_REF = $GITHUB_REF"
          echo "This should only run on tags!"
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Load config from Makefile
        id: config
-        run: |
+        run: make -s _ci-dump-config >> $GITHUB_OUTPUT
          eval "$(make _ci-image-name)"
          echo "image_name=${IMAGE_NAME}" >> $GITHUB_OUTPUT
-      - name: Extract version from tag
+      - name: 🏷️ Docker Metadata (Tags & Labels)
-        id: version
+        id: meta
-        run: echo "version=${GITHUB_REF#refs/tags/v}" >> $GITHUB_OUTPUT
+        uses: docker/metadata-action@v5
        with:
          images: gitea.iswearihadsomethingforthis.net/francwa/${{ steps.config.outputs.image_name }}
          tags: |
            # Case 1 - Git Tag (v1.2.3)
            type=semver,pattern={{ version }}
            # Case 2 - Push on main
            type=raw,value=latest,enable={{ is_default_branch }}
            # Both case - Commit sha
            type=sha
-      - name: Build production image
+      - name: Login to Gitea Registry
-        run: make build
+        uses: docker/login-action@v3
        with:
          registry: gitea.iswearihadsomethingforthis.net
          username: ${{ gitea.actor }}
          password: ${{ secrets.G1T34_TOKEN }}
-      - name: Tag and push to registry
+      - name: Build and push
-        run: |
+        id: docker_build
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+        uses: docker/build-push-action@v5
-          docker tag ${{ steps.config.outputs.image_name }}:latest ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+        with:
-          echo "${{ secrets.G1T34_TOKEN }}" | docker login ${{ env.REGISTRY_URL }} -u ${{ env.REGISTRY_USER }} --password-stdin
+          context: .
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:${{ steps.version.outputs.version }}
+          file: ./brain/Dockerfile
-          docker push ${{ env.REGISTRY_URL }}/${{ env.REGISTRY_USER }}/${{ steps.config.outputs.image_name }}:latest
+          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: |
            PYTHON_VERSION=${{ steps.config.outputs.python_version }}
            PYTHON_VERSION_SHORT=${{ steps.config.outputs.python_version_short }}
            RUNNER=${{ steps.config.outputs.runner }}
      - name: 🛡️ Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.meta.outputs.tags }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          severity: 'CRITAL, HIGH'
@@ -3,20 +3,18 @@
 .DEFAULT_GOAL := help
 # --- SETTINGS ---
 CORE_DIR = brain
 IMAGE_NAME = agent_media
 PYTHON_VERSION = 3.12.7
 PYTHON_VERSION_SHORT = $(shell echo $(PYTHON_VERSION) | cut -d. -f1,2)
 # Change to 'uv' when ready.
 RUNNER ?= poetry
 SERVICE_NAME = agent_media
 export IMAGE_NAME
 export PYTHON_VERSION
 export PYTHON_VERSION_SHORT
 export RUNNER
 export IMAGE_NAME
 # --- VARIABLES ---
 CORE_DIR     = brain
 SERVICE_NAME = agent_media
 IMAGE_NAME   = agent_media
 # --- ADAPTERS ---
 # UV uses "sync", Poetry uses "install". Both install DEV deps by default.
@@ -46,7 +44,7 @@ T = \033[36m
 R = \033[0m
 # --- TARGETS ---
-.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-image-name _ci-run-tests _push_tag
+.PHONY: add build build-test check-docker check-runner clean coverage down format help init-dotenv install install-hooks lint logs major minor patch prune ps restart run shell test up update _check_branch _ci-dump-config _ci-run-tests _push_tag
 # Catch-all for args
 %:
@@ -240,8 +238,12 @@ _check_branch:
 	   echo "❌ Error: not on the main branch"; exit 1; \
 	fi
-_ci-image-name:
+_ci-dump-config:
-	@echo "IMAGE_NAME=$(IMAGE_NAME)"
+	@echo "image_name=$(IMAGE_NAME)"
 	@echo "python_version=$(PYTHON_VERSION)"
 	@echo "python_version_short=$(PYTHON_VERSION_SHORT)"
 	@echo "runner=$(RUNNER)"
 	@echo "service_name=$(SERVICE_NAME)"
 _ci-run-tests: build-test
 	@echo "$(T)🧪 Running tests in Docker...$(R)"
Author	SHA1	Message	Date
francwa	56a3c1257d	infra: added trivy vulnerability scanner to CI/CD CI/CD Awesome Pipeline / Test (push) Successful in 1m36s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 7m10s Details	2025-12-22 10:01:52 +01:00
francwa	79d23f936a	fix: fixed typo	2025-12-22 09:40:43 +01:00
francwa	f02e916d33	fix: fixed config gathering in ci.yml CI/CD Awesome Pipeline / Test (push) Successful in 1m34s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 14m19s Details	2025-12-22 09:16:55 +01:00
francwa	4e64c83c4b	fix: updated build and push CI/CD configuration CI/CD Awesome Pipeline / Test (push) Successful in 1m4s Details CI/CD Awesome Pipeline / Build & Push to Registry (push) Failing after 2m32s Details	2025-12-22 08:45:31 +01:00