docker-claude/.forgejo/workflows/docker-build.yml
docker-claude 530def213b
feat(ci): add Trivy container security scanning before push
Add a scan job between check-docker and build-and-push. Builds each image
locally (no push, current platform only), runs aquasecurity/trivy-action
v0.35.0 against it, and fails on HIGH/CRITICAL CVEs that have a fix available
(`ignore-unfixed: true` suppresses findings with no upstream fix, so those do
not block the push). build-and-push only runs if both scans pass.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-16 11:53:16 +02:00


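---
# Build, scan and publish the proxy and claude images on every push to main.
#
# Job chain: check-docker -> scan -> build-and-push. The scan job builds each
# image locally (no push) and fails the workflow on HIGH/CRITICAL findings that
# have a fix available; registry credentials (environment: deploy) are only
# exposed to build-and-push, which runs after a passing scan.
#
# Security notes for maintainers:
#   - Every job declares its own `docker` service container, so each job talks
#     to a fresh daemon. The readiness wait in check-docker does not cover the
#     daemons used by the later jobs, so each job waits for its own daemon.
#   - The daemon runs --privileged. Anything built on this runner is
#     root-equivalent on the runner host; that is tolerable only because the
#     trigger is limited to pushes to main (no pull_request from forks).
#   - The scanned image is a separate single-platform `docker build`; the
#     published images are rebuilt by buildx for linux/amd64 and linux/arm64.
#     The pushed artifact is therefore not byte-identical to the scanned one,
#     and the arm64 variant is never scanned. Gating the push on the digest of
#     the scanned image (push by digest, scan the registry ref, then retag with
#     `docker buildx imagetools create`) would close that gap.
#   - Third-party actions are referenced by mutable tags. Pin each `uses:` to a
#     full commit SHA (keep the tag in a trailing comment) to protect against a
#     compromised or force-moved tag.
name: Build images

on:
  push:
    branches:
      - main

env:
  # Set this to the public IP or hostname of your registry,
  # whichever you use to reach it from your desktop/laptop.
  FORGEJO_HOST: code.zeidler.dev
  # Quoted so the value reaches the environment as the string "1".
  HELM_EXPERIMENTAL_OCI: '1'

jobs:
  # Smoke test: confirms the runner can bring up a docker service at all.
  check-docker:
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      - name: Wait for Docker daemon
        run: |
          timeout=300 # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ $timeout -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done

  # Builds each image for the runner's platform only and scans it with Trivy.
  # No registry login here: this job never needs REGISTRY_PASSWORD, so a
  # malicious Dockerfile or build context cannot reach the push credential.
  scan:
    needs: check-docker
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      # This job has its own docker service; wait for it like check-docker does.
      - name: Wait for Docker daemon
        run: |
          timeout=300 # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ $timeout -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done
      - name: Checkout the repo
        uses: actions/checkout@v4
      - name: Build proxy image for scanning
        run: docker build -t scan/proxy:latest ./proxy
      # exit-code '1' turns any reported finding into a job failure.
      # ignore-unfixed hides HIGH/CRITICAL CVEs with no upstream fix; those are
      # still present in the image, so re-run without it periodically.
      # NOTE(review): the image-ref is resolved through the job's docker
      # service (DOCKER_HOST) and Trivy must download its vulnerability DB on
      # every run; a DB download failure fails this step even when the image
      # is clean — confirm against the job log if the scan fails early.
      - name: Scan proxy image
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: scan/proxy:latest
          format: table
          exit-code: '1'
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          vuln-type: os,library
      - name: Build claude image for scanning
        run: docker build -t scan/claude:latest ./claude
      # Same policy as the proxy scan above; keep the two blocks identical.
      - name: Scan claude image
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: scan/claude:latest
          format: table
          exit-code: '1'
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          vuln-type: os,library

  # Rebuilds both images for linux/amd64 and linux/arm64 and pushes them.
  # Runs only after both scans in the scan job passed.
  build-and-push:
    needs: scan
    runs-on: docker-cli
    services:
      docker:
        image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
        options: --privileged
    # The deploy environment is what scopes REGISTRY_PASSWORD to this job.
    environment: deploy
    container:
      image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
    steps:
      # This job has its own docker service; wait for it like check-docker does.
      - name: Wait for Docker daemon
        run: |
          timeout=300 # Set a timeout value in seconds
          until docker info; do
            echo "Waiting for Docker daemon to start..."
            sleep 5
            timeout=$((timeout-5))
            if [ $timeout -le 0 ]; then
              echo "Timeout waiting for Docker daemon to start."
              exit 1
            fi
          done
      - name: Checkout the repo
        uses: actions/checkout@v4
      # REGISTRY_PASSWORD should be a token scoped to pushing docker-public,
      # not an account password: it is all a compromised build needs.
      - name: Login to the registry
        uses: docker/login-action@v3
        with:
          registry: ${{ vars.REGISTRY_URL }}
          username: ${{ vars.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container
      # Tags: one immutable per-run tag (0.1.<run number>) plus a moving latest.
      - name: Docker publish proxy
        uses: docker/build-push-action@v6
        with:
          context: proxy
          push: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:latest
      - name: Docker publish claude
        uses: docker/build-push-action@v6
        with:
          context: claude
          push: true
          platforms: linux/amd64, linux/arm64
          tags: |
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
            ${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:latest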