From a6f3dc92b8b4c1c957a86607026ba95a1e7f6c29 Mon Sep 17 00:00:00 2001
From: Lennart Kloock
Date: Mon, 21 Aug 2023 00:23:13 +0200
Subject: [PATCH] fix: ci

- Replaces old trivy orb with new one
- Moves filters from the docker-push action to the docker-push-approve action
- Replaces :latest tag with an explicit hash for the build image
---
 .circleci/config.yml | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/.circleci/config.yml b/.circleci/config.yml
index fdd18b4c3..f64d1cbd5 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,7 +1,7 @@
 version: 2.1
 orbs:
-  trivy: signavio/trivy@1.3.0
+  trivy: fifteen5/trivy-orb@1.0.0
   docker: circleci/docker@2.2.0
   terraform: circleci/terraform@3.2.1
   codecov: codecov/codecov@3.2.5
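Review bot: The replacement orb `fifteen5/trivy-orb@1.0.0` comes from a different community namespace than the `signavio/trivy` it replaces, and orb steps execute inside the job with whatever credentials that job holds (a `ghcr` context is attached to a job in the last hunk), so this is a supply-chain trust decision rather than a plain version bump. Neither the commit message nor the config records why this orb was chosen or that its source at 1.0.0 was reviewed; a comment on the line such as `# community orb (not CircleCI-certified); source reviewed at 1.0.0, bump deliberately` would capture that for the next person who touches it. Pinning to an exact version is the right shape, so keep it exact rather than letting it float.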
@@ -29,44 +29,43 @@ commands:
           name: Install Dependencies
           command: apk add --no-cache curl jq wget tar gzip ca-certificates
-      - trivy/vulnerability-scan-report:
-          docker-image: ghcr.io/scuffletv/api:$(git rev-parse HEAD)
+      - trivy/scan:
+          args: image ghcr.io/scuffletv/api:$(git rev-parse HEAD)
       - run:
           name: Build Edge Image
           command: docker build -f ./docker/edge.Dockerfile -t ghcr.io/scuffletv/edge:$(git rev-parse HEAD) .
-      - trivy/vulnerability-scan-report:
-          docker-image: ghcr.io/scuffletv/edge:$(git rev-parse HEAD)
+      - trivy/scan:
+          args: image ghcr.io/scuffletv/edge:$(git rev-parse HEAD)
       - run:
           name: Build Ingest Image
           command: docker build -f ./docker/ingest.Dockerfile -t ghcr.io/scuffletv/ingest:$(git rev-parse HEAD) .
-      - trivy/vulnerability-scan-report:
-          docker-image: ghcr.io/scuffletv/ingest:$(git rev-parse HEAD)
+      - trivy/scan:
+          args: image ghcr.io/scuffletv/ingest:$(git rev-parse HEAD)
       - run:
           name: Build Transcoder Image
           command: docker build -f ./docker/transcoder.Dockerfile -t ghcr.io/scuffletv/transcoder:$(git rev-parse HEAD) .
-      - trivy/vulnerability-scan-report:
-          docker-image: ghcr.io/scuffletv/transcoder:$(git rev-parse HEAD)
-          severity: CRITICAL,HIGH
+      - trivy/scan:
+          args: image --severity CRITICAL,HIGH ghcr.io/scuffletv/transcoder:$(git rev-parse HEAD)
       - run:
           name: Build Website Image
           command: docker build -f ./docker/website.Dockerfile -t ghcr.io/scuffletv/website:$(git rev-parse HEAD) .
-      - trivy/vulnerability-scan-report:
-          docker-image: ghcr.io/scuffletv/website:$(git rev-parse HEAD)
+      - trivy/scan:
+          args: image ghcr.io/scuffletv/website:$(git rev-parse HEAD)
 jobs:
   lint-test:
     resource_class: large
     docker:
-      - image: ghcr.io/scuffletv/build:latest
+      - image: ghcr.io/scuffletv/build:c8a76333b9cd45d77aceff358322a0e6a5e4023f
     environment:
       DATABASE_URL: postgres://root@localhost:26257/scuffle
       RMQ_URL: amqp://rabbitmq:rabbitmq@localhost:5672/scuffle
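Review bot: The five new `trivy/scan` steps pass the scan target through a free-form `args` string, only the transcoder step carries `--severity CRITICAL,HIGH`, and none of them passes `--exit-code 1`, so unless the orb adds that flag itself (not visible from here) findings are printed but never fail the job, which means the scans no longer gate the build on anything. If the intent is to block on critical/high findings, make it explicit and uniform on every step, e.g. `args: image --severity CRITICAL,HIGH --exit-code 1 ghcr.io/scuffletv/api:$(git rev-parse HEAD)`, and drop the per-image inconsistency. Separately, `ghcr.io/scuffletv/build:c8a76333b9cd45d77aceff358322a0e6a5e4023f` (here and again in the `@@ -171,7` hunk) is a mutable tag rather than a content digest, so it only looks pinned; if the build image is meant to be immutable, reference it as `ghcr.io/scuffletv/build@sha256:<BUILD_IMAGE_DIGEST>` or add a comment stating that the publishing job never re-pushes an existing tag. The `steps:` list these scan steps belong to starts before the hunk.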
@@ -171,7 +170,7 @@ jobs:
     resource_class: large
     docker:
-      - image: ghcr.io/scuffletv/build:latest
+      - image: ghcr.io/scuffletv/build:c8a76333b9cd45d77aceff358322a0e6a5e4023f
     environment:
       CARGO_INCREMENTAL: 1
@@ -385,15 +384,15 @@ workflows:
           type: approval
           requires:
             - build
-
-      - docker-push:
-          requires:
-            - docker-push-approve
           filters:
             branches:
               only:
                 - main
                 - /^feature\/.*$/
+      - docker-push:
+          requires:
+            - docker-push-approve
+
           context:
             - ghcr