From b952be23eb0099b1502952006c0cec73c825d494 Mon Sep 17 00:00:00 2001
From: Toutsu
Date: Sat, 13 Jun 2026 19:29:47 +0300
Subject: [PATCH] ci(deploy): login and pull images before Trivy scan

The scan-images job runs on a fresh runner that does not have the images built by the build-and-push job. Login to the registry and pull the images before scanning, otherwise Trivy cannot find them.
---
 .gitea/workflows/deploy.yml | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 0419e23..6979482 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -70,6 +70,13 @@ jobs:
 needs: build-and-push
 runs-on: ubuntu-latest
 steps:
+ - name: Login to Gitea Container Registry
+ uses: docker/login-action@v3
+ with:
+ registry: git.codeanddice.ru
+ username: toutsu
+ password: ${{ secrets.GIT_TOKEN }}
+
 - name: Install Trivy
 run: |
 # Install Trivy from the official Docker image instead of the
@@ -78,7 +85,7 @@ jobs:
 # GitHub releases API; when a release is unpublished or
 # yanked, the script fails with
 # `unable to find '' - use 'latest' or see ...`
- # even when the release once existed. We hit this with
+ # when the release once existed. We hit this with
 # v0.71.0.
 # 2. Docker Hub tags are content-addressed and rarely
 # removed, so a pinned image tag is much more stable.
@@ -94,6 +101,12 @@ jobs:
 chmod +x /usr/local/bin/trivy
 trivy --version
 
+ - name: Pull images for scan
+ run: |
+ docker pull git.codeanddice.ru/toutsu/gmrelay-bot:${{ env.VERSION }}
+ docker pull git.codeanddice.ru/toutsu/gmrelay-discord-bot:${{ env.VERSION }}
+ docker pull git.codeanddice.ru/toutsu/gmrelay-web:${{ env.VERSION }}
+
 - name: Scan Bot image
 run: |
 trivy image \
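Review bot: `uses: docker/login-action@v3` pins the third-party action to a mutable major tag, so the credential handed over in `password: ${{ secrets.GIT_TOKEN }}` goes to whatever that ref resolves to at run time; pin it to a full commit SHA and keep the tag as a comment, e.g. `uses: docker/login-action@<full-commit-sha>  # v3`. GIT_TOKEN is presumably the same token build-and-push uses to push, while this job only needs to pull; a read-only token (or a separate secret scoped to read) would limit what a compromised scan step can do with it — confirm the token's scope. The enclosing scan-images job begins above the hunk.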
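Review bot: The three `docker pull` lines in the new "Pull images for scan" step expand `${{ env.VERSION }}` inside the scan-images job, and nothing in the hunk shows where that variable is set for this job; if build-and-push exported it via GITHUB_ENV it does not carry over to a separate job, and an empty expansion would yield `gmrelay-bot:` and fail the pull. Declare it as job-level `env:` on scan-images or pass it through `needs.build-and-push.outputs`. Pulling by tag also means the scan covers whatever the tag points at when this job runs rather than the exact image that was pushed; exporting the push digests as job outputs and pulling `<image>@sha256:<digest>` would close that gap. The image names are now duplicated between this step and the Scan steps below (only "Scan Bot image" is in view); a `matrix` over the three names would keep them in one place.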