Merge pull request 'ci(deploy): login and pull images before Trivy scan' (#140) from fix/deploy-scan-pull-images into main
Merge pull request #140: ci(deploy): login and pull images before Trivy scan
This commit was merged in pull request #140.
This commit is contained in:
@@ -70,6 +70,13 @@ jobs:
|
||||
needs: build-and-push
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Login to Gitea Container Registry
|
||||
uses: docker/login-action@v3
|
||||
with:
|
||||
registry: git.codeanddice.ru
|
||||
username: toutsu
|
||||
password: ${{ secrets.GIT_TOKEN }}
|
||||
|
||||
- name: Install Trivy
|
||||
run: |
|
||||
# Install Trivy from the official Docker image instead of the
|
||||
@@ -78,7 +85,7 @@ jobs:
|
||||
# GitHub releases API; when a release is unpublished or
|
||||
# yanked, the script fails with
|
||||
# `unable to find '<tag>' - use 'latest' or see ...`
|
||||
# even when the release once existed. We hit this with
|
||||
# when the release once existed. We hit this with
|
||||
# v0.71.0.
|
||||
# 2. Docker Hub tags are content-addressed and rarely
|
||||
# removed, so a pinned image tag is much more stable.
|
||||
@@ -94,6 +101,12 @@ jobs:
|
||||
chmod +x /usr/local/bin/trivy
|
||||
trivy --version
|
||||
|
||||
- name: Pull images for scan
|
||||
run: |
|
||||
docker pull git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
|
||||
docker pull git.codeanddice.ru/toutsu/gmrelay-discord-bot:${{ env.VERSION }}
|
||||
docker pull git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
|
||||
|
||||
- name: Scan Bot image
|
||||
run: |
|
||||
trivy image \
|
||||
|
||||
Reference in New Issue
Block a user