From cd5f00f5415aa68eda1644399b86c75b580cfd57 Mon Sep 17 00:00:00 2001
From: Astound <kirito@disroot.org>
Date: Tue, 16 Jul 2024 12:22:32 +0800
Subject: Add trivy scan

---
 .gitea/workflows/release.yaml | 28 ++++++++++++++++++++++++++--
 1 file changed, 26 insertions(+), 2 deletions(-)

(limited to '.gitea/workflows')

diff --git a/.gitea/workflows/release.yaml b/.gitea/workflows/release.yaml
index 7770b5a..60112a1 100644
--- a/.gitea/workflows/release.yaml
+++ b/.gitea/workflows/release.yaml
@@ -30,7 +30,8 @@ jobs:
           username: ${{ secrets.DOCKER_REGISTRY_USER }}
           password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}
 
-      - name: Build and push
+      - name: Build Docker image
+        id: build-image
         uses: docker/build-push-action@v6
         with:
           context: gitolite-cgit
@@ -38,7 +39,30 @@ jobs:
           platforms: |
             linux/amd64
             linux/386
-          push: true
+          push: false
           no-cache: true
           tags: |
             rusian/gitolite-cgit:latest
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: rusian/gitolite-cgit:latest
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os'
+          severity: 'CRITICAL,HIGH'
+
+      - name: Push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: gitolite-cgit
+          file: gitolite-cgit/Dockerfile
+          platforms: |
+            linux/amd64
+            linux/386
+          push: true
+          no-cache: false
+          tags: |
+            rusian/gitolite-cgit:latest
-- 
cgit v1.2.3