From f7f266b994a1b7d0e3b54e49e640be35b8078bf0 Mon Sep 17 00:00:00 2001 From: Astounds Date: Fri, 29 May 2026 21:28:22 -0500 Subject: Add hardened Docker support and multi-arch CI Multi-stage Dockerfile (non-root, Tor-ready), compose file, and entrypoints. Forgejo CI builds linux/amd64+arm64, scans with checksum-verified Grype, and pins all actions to commit SHA. Makefile gains venv bootstrap and docker targets; server.py gains a --bind flag. --- .forgejo/workflows/ci.yaml | 90 ++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 90 insertions(+) create mode 100644 .forgejo/workflows/ci.yaml (limited to '.forgejo/workflows/ci.yaml') diff --git a/.forgejo/workflows/ci.yaml b/.forgejo/workflows/ci.yaml new file mode 100644 index 0000000..c19e1fc --- /dev/null +++ b/.forgejo/workflows/ci.yaml @@ -0,0 +1,90 @@ +name: CI + +on: + push: + branches: [master] + pull_request: + branches: [master] + +env: + IMAGE_NAME: rusian/yt-local + GRYPE_VERSION: "0.112.0" + PLATFORMS: linux/amd64,linux/arm64 + +jobs: + test: + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set up Python + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.11" + + - name: Install dependencies + run: | + pip install --upgrade pip + pip install -r requirements-dev.txt + + - name: Run tests + run: pytest -v + + docker: + needs: test + runs-on: ubuntu-latest + if: github.event_name == 'push' && github.ref == 'refs/heads/master' + steps: + - name: Checkout code + uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 + + - name: Set up QEMU + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 + + - name: Set up Buildx + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 + + - name: Login to Docker Hub + uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0 + with: + username: ${{ secrets.DOCKER_REGISTRY_USER }} + password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} + + - name: Extract metadata + id: meta + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 + with: + images: ${{ env.IMAGE_NAME }} + tags: | + type=sha,prefix= + type=raw,value=latest + + - name: Build image for scan (amd64 only) + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: . + load: true + tags: ${{ env.IMAGE_NAME }}:scan + + - name: Install Grype + run: | + curl -sSfL -o grype.tar.gz \ + "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_linux_amd64.tar.gz" + curl -sSfL -o checksums.txt \ + "https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}/grype_${GRYPE_VERSION}_checksums.txt" + sha256sum --check --ignore-missing checksums.txt + tar -xzf grype.tar.gz -C /usr/local/bin grype + grype version + + - name: Scan image for vulnerabilities + run: grype ${{ env.IMAGE_NAME }}:scan --fail-on critical --output table + + - name: Build and push (multi-platform) + uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0 + with: + context: . + platforms: ${{ env.PLATFORMS }} + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} -- cgit v1.2.3