diff --git a/.drone.yml b/.drone.yml
index 8224cbe..dcb6a18 100644
--- a/.drone.yml
+++ b/.drone.yml
@@ -43,29 +43,6 @@ steps:
   depends_on:
   - clean-up-images
 
-- name: trivy-scan
-  image: docker:dind
-  volumes:
-  - name: dockersock
-    path: /var/run/docker.sock
-  commands:
-  - export TRIVY_VERSION=$(wget -qO - "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"v([^"]+)".*/\1/')
-  - echo "$TRIVY_VERSION"
-  - export TRIVY_URL=$(printf "https://github.com/aquasecurity/trivy/releases/download/v%s/trivy_%s_Linux-64bit.tar.gz" "$TRIVY_VERSION" "$TRIVY_VERSION")
-  - echo "$TRIVY_URL"
-  - wget --no-verbose "$TRIVY_URL" -O - | tar -zxvf -
-  - docker build -t "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}" .
-  - ./trivy image --exit-code 0 "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
-  - ./trivy image --exit-code 1 --severity CRITICAL "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
-  - docker rmi "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
-  depends_on:
-  - test-build-container
-
-volumes:
-- name: dockersock
-  host:
-    path: /var/run/docker.sock
-
 - name: build-container
   image: plugins/docker
   settings:
@@ -78,8 +55,28 @@ volumes:
     dry_run: false
     squash: true
     tags:
-    - latest
     - "${DRONE_COMMIT_SHA:0:8}"
+  depends_on:
+  - test-build-container
+
+- name: trivy-scan
+  image: scm.project42.io/elia/tricks:latest
+  commands:
+  - trivy image --image-src remote "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"
+  depends_on:
+  - build-container
+
+- name: promote-container
+  image: scm.project42.io/elia/tricks:latest
+  environment:
+    REGISTRY_USERNAME:
+      from_secret: registry_username
+    REGISTRY_PASSWORD:
+      from_secret: registry_password
+  commands:
+  - oras cp --from-username "$REGISTRY_USERNAME" --from-password "$REGISTRY_PASSWORD" --to-username "$REGISTRY_USERNAME" --to-password "$REGISTRY_PASSWORD" "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}" scm.project42.io/elia/blog:latest
+  depends_on:
+  - trivy-scan
   when:
     event:
     - promote
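Review bot: The new trivy-scan command drops the `--exit-code 1 --severity CRITICAL` gate that the deleted step carried, so with trivy's default exit code of 0 the step succeeds whatever it finds and promote-container's `depends_on: trivy-scan` only orders the steps; the promotion to `latest` is no longer blocked by a failing scan. Restoring the gate is one line: `- trivy image --image-src remote --exit-code 1 --severity CRITICAL "scm.project42.io/elia/blog:${DRONE_COMMIT_SHA:0:8}"`. In promote-container the registry password is handed to oras as `--from-password`/`--to-password` arguments, which leaves it readable in the container's process list even where the runner masks secret values in the log; running `echo "$REGISTRY_PASSWORD" | oras login scm.project42.io -u "$REGISTRY_USERNAME" --password-stdin` first and dropping the credential flags from `oras cp` keeps it off the command line. Both new steps pull `scm.project42.io/elia/tricks:latest`, an unpinned tag, so the scanner and copy tool can change underneath the pipeline; pinning to a digest or version tag would make the gate reproducible. The `when: event: promote` block now follows promote-container rather than build-container, so build-container and trivy-scan appear to run on every event — worth confirming that is intended.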