diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 350d1ad..59d627e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -25,24 +25,7 @@ jobs:
 printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
 chmod 644 ~/.ssh/known_hosts
- - name: Build image for security scan
- run: |
- docker build -t pushkinohistory-ru-v2:scan .
-
- - name: Trivy image scan (HIGH+CRITICAL, warning only)
- run: |
- docker run --rm \ -v /var/run/docker.sock:/var/run/docker.sock \ -v "$PWD":/workspace \ ghcr.io/aquasecurity/trivy:latest \ image \ --severity HIGH,CRITICAL \ --ignore-unfixed \ --no-progress \ --exit-code 0 \ pushkinohistory-ru-v2:scan
-
- - name: Deploy to web.hhivp.com
+ - name: Deploy + Trivy scan to web.hhivp.com
 run: |
 ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
 set -euo pipefail
@@ -63,6 +46,22 @@ jobs:
 cd "$DEPLOY_PATH"
 mkdir -p data
 docker compose build
+
+ # Trivy scan свежесобранного образа на хосте (docker есть здесь).
+ # ghcr.io вместо docker.io — обход rate limit. HIGH/CRITICAL warning-only.
+ echo "=== Trivy scan: pushkinohistory-ru-v2:latest ==="
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /tmp/trivy-cache:/root/.cache/ \
+ ghcr.io/aquasecurity/trivy:latest image \
+ --severity HIGH,CRITICAL \
+ --ignore-unfixed \
+ --no-progress \
+ --exit-code 0 \
+ --timeout 5m \
+ pushkinohistory-ru-v2:latest || true
+ echo "=== Trivy scan done ==="
+
 docker compose up -d
 sleep 5
 docker compose ps
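Review bot: The scanner added in the second hunk is pulled unpinned as `ghcr.io/aquasecurity/trivy:latest` and handed `/var/run/docker.sock` on the deploy host, so whatever that tag resolves to at deploy time runs with root-equivalent access to the production Docker daemon; pin it to a release tag and digest (`ghcr.io/aquasecurity/trivy:<version>@sha256:<digest>`), or scan a `docker save` archive via `--input` so the socket mount is not needed. With `--exit-code 0` already set, the trailing `|| true` only masks scanner failures (image pull errors, a DB download exceeding `--timeout 5m`, a missing image tag), which then read as a clean scan in the log; `|| echo "WARNING: trivy did not complete (exit $?)"` keeps the step non-blocking while making that distinction visible. The scanned tag `pushkinohistory-ru-v2:latest` is presumably what `docker compose build` produces, but the compose file is not in this diff, so that should be confirmed. The enclosing `run:` step and its `REMOTE` heredoc start before this hunk.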