fix(ci): run trivy via SSH on web (docker not in Gitea runner) (#2)

This commit was merged in pull request #2.
This commit is contained in:
2026-05-21 15:31:52 +03:00
parent ffb3f94a57
commit d2bd3647d4


@@ -25,24 +25,7 @@ jobs:
printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts
- name: Build image for security scan
run: |
docker build -t pushkinohistory-ru-v2:scan .
- name: Trivy image scan (HIGH+CRITICAL, warning only)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD":/workspace \
ghcr.io/aquasecurity/trivy:latest \
image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
pushkinohistory-ru-v2:scan
- name: Deploy to web.hhivp.com
- name: Deploy + Trivy scan to web.hhivp.com
run: |
ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
set -euo pipefail
@@ -63,6 +46,22 @@ jobs:
cd "$DEPLOY_PATH"
mkdir -p data
docker compose build
# Trivy scan свежесобранного образа на хосте (docker есть здесь).
# ghcr.io вместо docker.io — обход rate limit. HIGH/CRITICAL warning-only.
echo "=== Trivy scan: pushkinohistory-ru-v2:latest ==="
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/trivy-cache:/root/.cache/ \
ghcr.io/aquasecurity/trivy:latest image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
--timeout 5m \
pushkinohistory-ru-v2:latest || true
echo "=== Trivy scan done ==="
docker compose up -d
sleep 5
docker compose ps
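Review bot: The scanner on the `ghcr.io/aquasecurity/trivy:latest image \` line is pulled by a floating tag and then handed the host's Docker socket (`-v /var/run/docker.sock:/var/run/docker.sock`), so whatever that tag resolves to at deploy time runs with effective root on the production host; pin it by digest, e.g. `ghcr.io/aquasecurity/trivy:<version>@sha256:<digest>` (values taken from the registry), and bump it deliberately. `--exit-code 0` together with the trailing `|| true` is redundant and guarantees the scan can never gate the deploy; if that is intentional, the comment above the scan should state that findings land only in the job log and nothing consumes them, otherwise drop `|| true` and consider `--exit-code 1` for CRITICAL once the baseline is clean. The cache mount `-v /tmp/trivy-cache:/root/.cache/` uses a world-writable host path that other local users could populate or tamper with; a path the deploy user owns, such as `"$DEPLOY_PATH/.trivy-cache"`, is safer. These lines run inside the `ssh … bash -s <<'REMOTE'` heredoc that starts in the previous hunk, so its `set -euo pipefail` applies here.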