From 1028bc9b87314a3535466501d4c1a992ccb7e643 Mon Sep 17 00:00:00 2001
From: striker
Date: Thu, 21 May 2026 14:52:32 +0300
Subject: [PATCH] fix(ci): run trivy via SSH on web.hhivp.com (docker not in Gitea runner)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Original workflow ran 'docker build + docker run trivy' inside the Gitea Actions runner — but that container has no docker CLI ('docker: command not found'). Move both build and scan into the same SSH session as deploy, where docker is available natively. Mirrors how anotherreflections-website-v2 does it (single SSH session with build → scan → up -d → health → prune).
---
 .gitea/workflows/deploy.yml | 35 +++++++++++++++++------------------
 1 file changed, 17 insertions(+), 18 deletions(-)

diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index 350d1ad..59d627e 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -25,24 +25,7 @@ jobs:
 printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
 chmod 644 ~/.ssh/known_hosts
- - name: Build image for security scan
- run: |
- docker build -t pushkinohistory-ru-v2:scan .
- - name: Trivy image scan (HIGH+CRITICAL, warning only)
- run: |
- docker run --rm \
- -v /var/run/docker.sock:/var/run/docker.sock \
- -v "$PWD":/workspace \
- ghcr.io/aquasecurity/trivy:latest \
- image \
- --severity HIGH,CRITICAL \
- --ignore-unfixed \
- --no-progress \
- --exit-code 0 \
- pushkinohistory-ru-v2:scan
- - name: Deploy to web.hhivp.com
+ - name: Deploy + Trivy scan to web.hhivp.com
 run: |
 ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
 set -euo pipefail
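Review bot: The renamed step `- name: Deploy + Trivy scan to web.hhivp.com` drops the "(HIGH+CRITICAL, warning only)" qualifier that the removed scan step carried, so the Actions log no longer states that the scan is non-blocking. Because the scan now runs inside the deploy step, a reader of a green run may take it as evidence of a clean image rather than of an advisory scan. Suggest `- name: Deploy + Trivy scan (HIGH/CRITICAL, warning only) to web.hhivp.com`. The step's `run:` block and the REMOTE heredoc continue past the end of this hunk.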
@@ -63,6 +46,22 @@ jobs:
 cd "$DEPLOY_PATH"
 mkdir -p data
 docker compose build
+
+ # Trivy scan свежесобранного образа на хосте (docker есть здесь).
+ # ghcr.io вместо docker.io — обход rate limit. HIGH/CRITICAL warning-only.
+ echo "=== Trivy scan: pushkinohistory-ru-v2:latest ==="
+ docker run --rm \
+ -v /var/run/docker.sock:/var/run/docker.sock \
+ -v /tmp/trivy-cache:/root/.cache/ \
+ ghcr.io/aquasecurity/trivy:latest image \
+ --severity HIGH,CRITICAL \
+ --ignore-unfixed \
+ --no-progress \
+ --exit-code 0 \
+ --timeout 5m \
+ pushkinohistory-ru-v2:latest || true
+ echo "=== Trivy scan done ==="
+
 docker compose up -d
 sleep 5
 docker compose ps
-- 
2.49.1
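Review bot: `|| true` on the trivy invocation, on top of `--exit-code 0`, makes a scan that found nothing indistinguishable from a scan that never ran: if the ghcr.io pull fails or `--timeout 5m` trips, the session still prints `=== Trivy scan done ===` and proceeds to `docker compose up -d`. `--exit-code 0` already makes findings non-blocking, so drop `|| true` and let `set -euo pipefail` surface tool failures, or at least make the failure visible: `pushkinohistory-ru-v2:latest || echo "WARNING: trivy did not complete"`. Two hardening points on the same lines: `-v /tmp/trivy-cache:/root/.cache/` puts the vulnerability DB in a world-writable shared directory on the deploy host, so a path under `$DEPLOY_PATH` is preferable; and `ghcr.io/aquasecurity/trivy:latest` runs with the Docker socket mounted (root-equivalent on the host), so pin it to a specific version or digest (`ghcr.io/aquasecurity/trivy:<pinned-version>`) rather than a floating tag. The REMOTE heredoc starts in the previous hunk and continues past this one.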