gitea/devops
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 1 Wiki Activity

refactor cicd pipeline
Some checks failed
Build and Deploy Demo App / test (push) Successful in 11s
Details
Build and Deploy Demo App / build (push) Successful in 20s
Details
Build and Deploy Demo App / scan (push) Failing after 8s
Details
Build and Deploy Demo App / deploy (push) Has been skipped
Details

Browse Source
This commit is contained in:
gitea
2025-11-26 13:03:25 +03:30
parent 340d3ed95c
commit c473ffbd16
1 changed files with 34 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

63
.gitea/workflows/cicd.yaml
View File

@@ -6,7 +6,7 @@ on:
- main - main
jobs: jobs:
# 1) Run tests first # ------------------ TEST ------------------
test: test:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
@@ -23,48 +23,53 @@ jobs:
- name: Run tests - name: Run tests
env: env:
DB_USER: '' # Empty to force SQLite fallback DB_USER: '' # force SQLite fallback
DB_PASS: '' DB_PASS: ''
DB_NAME: '' DB_NAME: ''
run: pytest run: pytest
# 2) Build image, scan it, and deploy (all on the same runner) # ------------------ BUILD ------------------
build_scan_deploy: build:
needs: test needs: test
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ hashFiles('Dockerfile', 'requirements.txt') }}
restore-keys: ${{ runner.os }}-buildx-
- name: Build Docker image - name: Build Docker image
uses: docker/build-push-action@v6 run: docker build -t demo-app:latest .
with:
load: true # load image into local Docker
tags: demo-app:latest
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max
# --- Security scan happens on the same runner as the build --- # ------------------ SCAN ------------------
scan:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
# Rebuild image in this job so it's available locally
- name: Build Docker image for scan
run: docker build -t demo-app:latest .
# Use Trivy via Docker, no GitHub-specific action
- name: Scan image with Trivy - name: Scan image with Trivy
uses: aquasecurity/trivy-action@master run: |
with: docker run --rm \
image-ref: demo-app:latest -v /var/run/docker.sock:/var/run/docker.sock \
format: table aquasecurity/trivy:latest \
exit-code: 1 image --exit-code 1 --severity CRITICAL,HIGH demo-app:latest
severity: CRITICAL,HIGH
# If Trivy finds HIGH/CRITICAL vulns, the step above fails and # ------------------ DEPLOY ------------------
# nothing below (including deploy) will run. deploy:
needs: [build, scan]
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
# Rebuild image for deployment
- name: Build Docker image for deploy
run: docker build -t demo-app:latest .
- name: Save Docker image to tar - name: Save Docker image to tar
run: docker save demo-app:latest > demo-app.tar run: docker save demo-app:latest > demo-app.tar