Andriy Oblivantsev
8e99fe7614
- Add Trivy vulnerability scan step to CI (HIGH/CRITICAL, warn-only) - Add Container Registry section to README with pull examples - Update architecture doc and HLD with crane + Trivy details Co-authored-by: Cursor <cursoragent@cursor.com>
187 lines
6.9 KiB
YAML
187 lines
6.9 KiB
YAML
# FleetDM Stack - Gitea Actions
|
|
# CI: lint on every push (skips docs-only changes)
|
|
# Semantic Release: auto-bump version on push to main/master
|
|
# - merge from feature/* branch → major bump
|
|
# - any other commit (fix, chore, etc.) → patch bump
|
|
# Release: package Helm chart and publish to Gitea Releases
|
|
|
|
name: Helm Chart CI & Release
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
- master
|
|
paths-ignore:
|
|
- 'docs/**'
|
|
- 'README.md'
|
|
- 'STATUS.md'
|
|
- 'AGENTS.md'
|
|
- 'TASKS.md'
|
|
- '.gitignore'
|
|
- 'djinni-*/**'
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
- master
|
|
|
|
jobs:
|
|
lint:
|
|
name: Lint Helm Chart
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
run: |
|
|
git clone --depth=1 https://${{ gitea.actor }}:${{ gitea.token }}@git.produktor.io/${{ gitea.repository }}.git .
|
|
git checkout ${{ gitea.sha }}
|
|
|
|
- name: Install Helm
|
|
run: |
|
|
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
|
|
helm version
|
|
|
|
- name: Lint chart
|
|
run: |
|
|
helm dependency update fleetdm-stack/
|
|
helm lint fleetdm-stack/
|
|
helm template fleetdm-stack fleetdm-stack/ --namespace fleetdm > /dev/null
|
|
|
|
semantic-release:
|
|
name: Semantic Release
|
|
runs-on: ubuntu-latest
|
|
needs: lint
|
|
if: gitea.event_name == 'push'
|
|
permissions:
|
|
contents: write
|
|
steps:
|
|
- name: Checkout (full history for tags)
|
|
run: |
|
|
git clone https://${{ gitea.actor }}:${{ gitea.token }}@git.produktor.io/${{ gitea.repository }}.git .
|
|
git fetch --tags
|
|
|
|
- name: Determine version bump
|
|
id: version
|
|
run: |
|
|
LATEST_TAG=$(git tag -l 'v*' --sort=-v:refname | head -1)
|
|
if [ -z "$LATEST_TAG" ]; then
|
|
LATEST_TAG="v0.0.0"
|
|
fi
|
|
echo "Latest tag: $LATEST_TAG"
|
|
|
|
VER="${LATEST_TAG#v}"
|
|
MAJOR=$(echo "$VER" | cut -d. -f1)
|
|
MINOR=$(echo "$VER" | cut -d. -f2)
|
|
PATCH=$(echo "$VER" | cut -d. -f3)
|
|
|
|
COMMIT_MSG=$(git log -1 --format='%s' ${{ gitea.sha }})
|
|
echo "Commit message: $COMMIT_MSG"
|
|
|
|
IS_FEATURE="false"
|
|
if echo "$COMMIT_MSG" | grep -qiE "^Merge.*feature/"; then
|
|
IS_FEATURE="true"
|
|
fi
|
|
if git log -1 --format='%P' ${{ gitea.sha }} | grep -q ' '; then
|
|
MERGE_BRANCH=$(git log -1 --format='%s' ${{ gitea.sha }} | grep -oE "feature/[^ '\"]*" || true)
|
|
if [ -n "$MERGE_BRANCH" ]; then
|
|
IS_FEATURE="true"
|
|
fi
|
|
fi
|
|
|
|
if [ "$IS_FEATURE" = "true" ]; then
|
|
MAJOR=$((MAJOR + 1))
|
|
MINOR=0
|
|
PATCH=0
|
|
BUMP="major"
|
|
else
|
|
PATCH=$((PATCH + 1))
|
|
BUMP="patch"
|
|
fi
|
|
|
|
NEW_VER="${MAJOR}.${MINOR}.${PATCH}"
|
|
echo "Bump: $BUMP → v${NEW_VER}"
|
|
echo "new_version=${NEW_VER}" >> "$GITHUB_OUTPUT"
|
|
echo "new_tag=v${NEW_VER}" >> "$GITHUB_OUTPUT"
|
|
echo "bump_type=${BUMP}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Install Helm
|
|
run: |
|
|
curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash
|
|
|
|
- name: Update Chart.yaml version
|
|
run: |
|
|
sed -i "s/^version: .*/version: ${{ steps.version.outputs.new_version }}/" fleetdm-stack/Chart.yaml
|
|
echo "Chart.yaml version set to ${{ steps.version.outputs.new_version }}"
|
|
grep '^version:' fleetdm-stack/Chart.yaml
|
|
|
|
- name: Package chart
|
|
run: |
|
|
helm dependency update fleetdm-stack/
|
|
helm package fleetdm-stack/
|
|
mkdir -p .tmp
|
|
mv fleetdm-stack-*.tgz .tmp/
|
|
ls -la .tmp/
|
|
|
|
- name: Mirror FleetDM image to Gitea registry
|
|
run: |
|
|
CRANE_VER="v0.20.3"
|
|
curl -fsSL "https://github.com/google/go-containerregistry/releases/download/${CRANE_VER}/go-containerregistry_Linux_x86_64.tar.gz" \
|
|
| tar -xz -C /usr/local/bin crane
|
|
|
|
APP_VER=$(grep '^appVersion:' fleetdm-stack/Chart.yaml | awk '{print $2}' | tr -d '"')
|
|
CHART_TAG="${{ steps.version.outputs.new_tag }}"
|
|
SRC="docker.io/fleetdm/fleet:v${APP_VER}"
|
|
OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]')
|
|
DST="git.produktor.io/${OWNER}/flamingo-tech-test"
|
|
|
|
crane auth login git.produktor.io -u "${{ gitea.actor }}" -p "${{ secrets.REPO_TOKEN }}"
|
|
crane copy "${SRC}" "${DST}:${APP_VER}"
|
|
crane tag "${DST}:${APP_VER}" "${CHART_TAG}"
|
|
crane tag "${DST}:${APP_VER}" "latest"
|
|
echo "Mirrored ${SRC} → ${DST}:{${APP_VER},${CHART_TAG},latest}"
|
|
|
|
- name: Trivy vulnerability scan
|
|
run: |
|
|
TRIVY_VER="0.58.2"
|
|
curl -fsSL "https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VER}/trivy_${TRIVY_VER}_Linux-64bit.tar.gz" \
|
|
| tar -xz -C /usr/local/bin trivy
|
|
|
|
APP_VER=$(grep '^appVersion:' fleetdm-stack/Chart.yaml | awk '{print $2}' | tr -d '"')
|
|
OWNER=$(echo "${{ gitea.repository_owner }}" | tr '[:upper:]' '[:lower:]')
|
|
IMAGE="git.produktor.io/${OWNER}/flamingo-tech-test:${APP_VER}"
|
|
|
|
export TRIVY_USERNAME="${{ gitea.actor }}"
|
|
export TRIVY_PASSWORD="${{ secrets.REPO_TOKEN }}"
|
|
|
|
echo "Scanning ${IMAGE} for vulnerabilities..."
|
|
trivy image --severity HIGH,CRITICAL --exit-code 0 "${IMAGE}"
|
|
|
|
- name: Create tag
|
|
run: |
|
|
git config user.name "Gitea Actions"
|
|
git config user.email "actions@git.produktor.io"
|
|
git tag -a "${{ steps.version.outputs.new_tag }}" -m "Release ${{ steps.version.outputs.new_tag }} (${{ steps.version.outputs.bump_type }})"
|
|
git push https://${{ gitea.actor }}:${{ gitea.token }}@git.produktor.io/${{ gitea.repository }}.git "${{ steps.version.outputs.new_tag }}"
|
|
|
|
- name: Create Gitea Release
|
|
run: |
|
|
TAG="${{ steps.version.outputs.new_tag }}"
|
|
BUMP="${{ steps.version.outputs.bump_type }}"
|
|
API="https://git.produktor.io/api/v1/repos/${{ gitea.repository }}/releases"
|
|
TOKEN="${{ gitea.token }}"
|
|
|
|
RELEASE=$(curl -sf -X POST "$API" \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/json" \
|
|
-d "{\"tag_name\":\"$TAG\",\"name\":\"FleetDM Stack $TAG\",\"body\":\"**${BUMP}** release — \`${TAG}\`\n\nHelm chart for FleetDM Server with MySQL and Redis.\"}")
|
|
RELEASE_ID=$(echo "$RELEASE" | grep -o '"id":[0-9]*' | head -1 | cut -d: -f2)
|
|
echo "Created release ID: $RELEASE_ID"
|
|
|
|
for f in .tmp/*.tgz; do
|
|
FNAME=$(basename "$f")
|
|
curl -sf -X POST "$API/$RELEASE_ID/assets?name=$FNAME" \
|
|
-H "Authorization: token $TOKEN" \
|
|
-H "Content-Type: application/octet-stream" \
|
|
--data-binary "@$f"
|
|
echo "Uploaded: $FNAME"
|
|
done
|