Initial commit

2025-09-12 09:39:37 +02:00
commit 22522a6607
5 changed files with 350 additions and 0 deletions
--- a/.woodpecker/build.yml
+++ b/.woodpecker/build.yml
@@ -0,0 +1,98 @@
+variables:
+  - &file Containerfile
+  - &repo dev.shielddagger.com/opensource/talk-recording
+
+when:
+  - event: [push, pull_request, cron]
+
+steps:
+  - name: dryrun
+    image: woodpeckerci/plugin-docker-buildx:5
+    backend_options:
+      kubernetes:
+        securityContext:
+          privileged: true
+    settings:
+      dockerfile: *file
+      platforms: linux/arm64,linux/amd64
+      cache_from: type=registry,ref=dev.shielddagger.com/opensource/talk-recording
+      cache_to: type=inline
+      dry_run: true
+      repo: *repo
+      tags: latest
+      registry: dev.shielddagger.com
+      username:
+        from_secret: registry_username
+      password:
+        from_secret: registry_password
+    when:
+      - event: pull_request
+  - name: publish
+    image: woodpeckerci/plugin-docker-buildx:5
+    backend_options:
+      kubernetes:
+        securityContext:
+          privileged: true
+    settings:
+      dockerfile: *file
+      platforms: linux/arm64,linux/amd64
+      cache_from: type=registry,ref=dev.shielddagger.com/opensource/talk-recording
+      cache_to: type=inline
+      repo: *repo
+      auto_tag: true
+      tags: ${CI_COMMIT_SHA:0:8}
+      registry: dev.shielddagger.com
+      username:
+        from_secret: registry_username
+      password:
+        from_secret: registry_password
+    when:
+      - event: push
+        branch: main
+  - name: gather-digests
+    image: quay.io/skopeo/stable:latest
+    environment:
+      DOCKER_USER:
+        from_secret: registry_username
+      DOCKER_PASS:
+        from_secret: registry_password
+      DOCKER_REPO: *repo
+    when:
+      - event: [push, cron]
+        branch: main
+        cron: "security-scan"
+    commands:
+      - dnf install -y jq
+      - skopeo login dev.shielddagger.com --username $DOCKER_USER --password $DOCKER_PASS
+      - skopeo inspect --raw docker://$DOCKER_REPO:latest | jq -r .'manifests[] | select(.platform.architecture=="arm64").digest' > digest-arm64
+      - skopeo inspect --raw docker://$DOCKER_REPO:latest | jq -r .'manifests[] | select(.platform.architecture=="amd64").digest' > digest-amd64
+  - name: image-scan
+    image: aquasec/trivy
+    environment:
+      TRIVY_USER:
+        from_secret: registry_username
+      TRIVY_PASSWORD:
+        from_secret: registry_password
+      TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
+      TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
+      TRIVY_CHECKS_BUNDLE_REPOSITORY: public.ecr.aws/aquasecurity/trivy-checks
+      DOCKER_REPO: *repo
+    commands:
+      - export ARM64_DIGEST=$(cat digest-arm64)
+      - trivy image --platform linux/arm64 --debug ${DOCKER_REPO}@$ARM64_DIGEST --exit-code 1 --username $TRIVY_USER --severity HIGH,CRITICAL
+    when:
+      - event: [push, cron]
+        branch: main
+        cron: "security-scan"
+  - name: notify
+    image: dev.shielddagger.com/opensource/discord-notifier
+    failure: ignore
+    settings:
+      webhook_url:
+        from_secret: discord_webhook
+      woodpecker_url: https://ci.shielddagger.com/api
+      woodpecker_token:
+        from_secret: woodpecker_token
+      icon_url: https://discord.com/api/webhooks/1231848304694919270/1ApQzOPMfNosxhQ62HbYScBT5s94m0bIUn1IFGQlT6d8Ru2ImcHHjjkFA_SaonBNU3yz
+    when:
+      - status: [success, failure]