diff options
| author | Astounds <kirito@disroot.org> | 2026-05-30 00:34:34 -0500 |
|---|---|---|
| committer | Astounds <kirito@disroot.org> | 2026-05-30 00:34:34 -0500 |
| commit | 4e54a34d87056067c0110c00282f6a3248dc5f6f (patch) | |
| tree | d85617414cb083447523238803ba88146a0dc543 /.forgejo/workflows/schedule.yaml | |
| parent | ed2af5e3d7a3fcd5a1f383003b6723f5d419f634 (diff) | |
| download | yt-local-master.tar.lz yt-local-master.tar.xz yt-local-master.zip | |
Use pip-compile --generate-hashes in the Docker build stage so that
the runtime stage installs pinned dependencies with verified integrity,
ensuring fully reproducible container builds.
- Add Docker section to README
- Fix Python badge (3.7+ → 3.11+) and outdated docs links
- Upgrade pip, setuptools, and wheel in Dockerfile to fix grype findings
Diffstat (limited to '.forgejo/workflows/schedule.yaml')
| -rw-r--r-- | .forgejo/workflows/schedule.yaml | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/.forgejo/workflows/schedule.yaml b/.forgejo/workflows/schedule.yaml new file mode 100644 index 0000000..37d3e6f --- /dev/null +++ b/.forgejo/workflows/schedule.yaml @@ -0,0 +1,70 @@ +name: Weekly rebuild + +on: + schedule: + - cron: '0 4 * * 1' + workflow_dispatch: + +env: + IMAGE_NAME: rusian/yt-local + GRYPE_VERSION: "0.112.0" + PLATFORMS: linux/amd64,linux/arm64 + +jobs: + docker: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set up QEMU + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + + - name: Set up Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + + - name: Login to Docker Hub + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + username: ${{ secrets.DOCKER_REGISTRY_USER }} + password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=sha,prefix= + type=raw,value=latest + + - name: Build image for scan (amd64 only) + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: . + load: true + tags: ${{ env.IMAGE_NAME }}:scan + + - name: Install Grype + run: | + tarball="grype_${GRYPE_VERSION}_linux_amd64.tar.gz" + base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}" + curl -sSfL -o "$tarball" "$base/$tarball" + curl -sSfL -o checksums.txt "$base/grype_${GRYPE_VERSION}_checksums.txt" + grep " $tarball\$" checksums.txt | sha256sum --check --strict - + tar -xzf "$tarball" -C /usr/local/bin grype + grype version + + - name: Scan image for vulnerabilities + run: | + grype "${IMAGE_NAME}:scan" --output table + grype "${IMAGE_NAME}:scan" --only-fixed --fail-on critical -q + + - name: Build and push (multi-platform) + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: . + platforms: ${{ env.PLATFORMS }} + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} |