docker-claude/.forgejo/workflows/docker-build.yml
fix(security): remove MCP credentials from managed-settings.json; bump Trivy to 0.70.0
settings.json is COPY-ed into the image at build time. Putting MCP server
config with credential env references there risks baking tokens into the
image if placeholders are ever replaced with real values. Move MCP server
config to ~/.claude/settings.json (runtime volume mount) instead.
Managed settings now contains policy only: models, permissions, telemetry.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 16:00:37 +02:00


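---
# CI pipeline for the proxy and claude images.
# Job order (via `needs:`): check-docker -> scan -> build-and-push.
# Images are only published after the Trivy scan job has passed.
name: Build images
on:
  push:
    branches:
      - main
env:
  # Set this to the public IP or hostname of your registry,
  # whichever you use to reach it from your desktop/laptop
  FORGEJO_HOST: code.zeidler.dev
  # Quoted so the value stays a string for the consumer (env vars are text).
  HELM_EXPERIMENTAL_OCI: "1"
  # Scanner image, pulled through the internal registry mirror and pinned to a release tag.
  TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.70.0
jobs:
  # Gate job: makes sure the privileged docker service is accepting connections
  # before the scan/build jobs try to use it.
  check-docker:
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Wait for Docker daemon
        run: |
          timeout=300 # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ $timeout -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done
  # Scan job: builds both images locally, produces CycloneDX SBOMs (never fails the job,
  # --exit-code 0) and then fails the job on HIGH/CRITICAL findings that have a fix
  # available (--exit-code 1 together with --ignore-unfixed). SBOMs are uploaded even
  # when the scan step fails (if: always()).
  scan:
    needs: check-docker
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      # NOTE(review): third-party actions are referenced by floating major tag
      # (@v4, @v3, @v6). Pinning to a full commit SHA would make the supply chain
      # reproducible; the SHAs are not recorded here, so this is left as a TODO.
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Build proxy image for scanning
        run: docker build -t scan/proxy:latest ./proxy
      - name: Generate proxy SBOM
        run: |
          # The docker.sock mount lets the Trivy container read the freshly built
          # image from the job's docker daemon; $PWD is mounted to receive the SBOM.
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$PWD":/output \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 0 --vuln-type os,library \
            --format cyclonedx --output /output/sbom-proxy.cdx.json \
            scan/proxy:latest
      - name: Scan proxy image
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 1 --severity HIGH,CRITICAL \
            --ignore-unfixed --vuln-type os,library \
            --format table \
            scan/proxy:latest
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude
      - name: Generate claude SBOM
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            -v "$PWD":/output \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 0 --vuln-type os,library \
            --format cyclonedx --output /output/sbom-claude.cdx.json \
            scan/claude:latest
      - name: Scan claude image
        run: |
          docker run --rm \
            -v /var/run/docker.sock:/var/run/docker.sock \
            ${{ env.TRIVY_IMAGE }} \
            image --exit-code 1 --severity HIGH,CRITICAL \
            --ignore-unfixed --vuln-type os,library \
            --format table \
            scan/claude:latest
      - name: Upload SBOMs
        if: always()
        uses: actions/upload-artifact@v4
        with:
          name: sboms-${{ env.GITHUB_RUN_NUMBER }}
          path: |
            sbom-proxy.cdx.json
            sbom-claude.cdx.json
          retention-days: 90
  # Publish job: only reachable after `scan` succeeds. Runs in the `deploy`
  # environment, logs in with the registry secret, and pushes multi-arch images
  # with SBOM and provenance attestations attached.
  build-and-push:
    needs: scan
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    environment: deploy
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Login to the registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.REGISTRY_URL }}
          username: ${{ vars.REGISTRY_USER }}
          # Credential comes from the repository secret store, never from the file.
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container
      - name: Docker publish proxy
        uses: docker/build-push-action@v6
        with:
          context: proxy
          push: true
          sbom: true
          provenance: true
          platforms: linux/amd64, linux/arm64
          # Versioned tag derived from the run number plus a moving `latest`.
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:latest
      - name: Docker publish claude
        uses: docker/build-push-action@v6
        with:
          context: claude
          push: true
          sbom: true
          provenance: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:latest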