aboutsummaryrefslogtreecommitdiffstats
path: root/.forgejo/workflows/schedule.yaml
blob: 37d3e6fb44d149e3a71aef45724ff248de43d06b (plain) 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70

name: Weekly rebuild

on:
  schedule:
    - cron: '0 4 * * 1'
  workflow_dispatch:

env:
  IMAGE_NAME: rusian/yt-local
  GRYPE_VERSION: "0.112.0"
  PLATFORMS: linux/amd64,linux/arm64

jobs:
  docker:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0

      - name: Set up Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Login to Docker Hub
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        with:
          username: ${{ secrets.DOCKER_REGISTRY_USER }}
          password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
        with:
          images: ${{ env.IMAGE_NAME }}
          tags: |
            type=sha,prefix=
            type=raw,value=latest

      - name: Build image for scan (amd64 only)
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          load: true
          tags: ${{ env.IMAGE_NAME }}:scan

      - name: Install Grype
        run: |
          tarball="grype_${GRYPE_VERSION}_linux_amd64.tar.gz"
          base="https://github.com/anchore/grype/releases/download/v${GRYPE_VERSION}"
          curl -sSfL -o "$tarball" "$base/$tarball"
          curl -sSfL -o checksums.txt "$base/grype_${GRYPE_VERSION}_checksums.txt"
          grep " $tarball\$" checksums.txt | sha256sum --check --strict -
          tar -xzf "$tarball" -C /usr/local/bin grype
          grype version

      - name: Scan image for vulnerabilities
        run: |
          grype "${IMAGE_NAME}:scan" --output table
          grype "${IMAGE_NAME}:scan" --only-fixed --fail-on critical -q

      - name: Build and push (multi-platform)
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: .
          platforms: ${{ env.PLATFORMS }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
generated by cgit v1.2.3 (git 2.25.1) at 2026-06-01 19:04:39 +0000