fix(ci): run trivy via SSH on web (docker not in Gitea runner) #2

striker merged 1 commits from fix/trivy-via-ssh into main 2026-05-21 15:31:53 +03:00


@@ -25,24 +25,7 @@ jobs:
printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts printf '%s\n' "${{ secrets.SSH_KNOWN_HOSTS }}" > ~/.ssh/known_hosts
chmod 644 ~/.ssh/known_hosts chmod 644 ~/.ssh/known_hosts
- name: Build image for security scan - name: Deploy + Trivy scan to web.hhivp.com
run: |
docker build -t pushkinohistory-ru-v2:scan .
- name: Trivy image scan (HIGH+CRITICAL, warning only)
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v "$PWD":/workspace \
ghcr.io/aquasecurity/trivy:latest \
image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
pushkinohistory-ru-v2:scan
- name: Deploy to web.hhivp.com
run: | run: |
ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE' ssh -i ~/.ssh/id_deploy striker@web.hhivp.com bash -s <<'REMOTE'
set -euo pipefail set -euo pipefail
@@ -63,6 +46,22 @@ jobs:
cd "$DEPLOY_PATH" cd "$DEPLOY_PATH"
mkdir -p data mkdir -p data
docker compose build docker compose build
# Trivy scan свежесобранного образа на хосте (docker есть здесь).
# ghcr.io вместо docker.io — обход rate limit. HIGH/CRITICAL warning-only.
echo "=== Trivy scan: pushkinohistory-ru-v2:latest ==="
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v /tmp/trivy-cache:/root/.cache/ \
ghcr.io/aquasecurity/trivy:latest image \
--severity HIGH,CRITICAL \
--ignore-unfixed \
--no-progress \
--exit-code 0 \
--timeout 5m \
pushkinohistory-ru-v2:latest || true
echo "=== Trivy scan done ==="
docker compose up -d docker compose up -d
sleep 5 sleep 5
docker compose ps docker compose ps
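Review bot: The scan step in the second hunk can never fail, because `--exit-code 0` already makes findings non-fatal and the trailing `|| true` additionally swallows every other failure (DB download, `--timeout 5m` expiry, the socket mount), so a scan that never ran is logged exactly like a clean one; dropping `|| true` so the line ends `pushkinohistory-ru-v2:latest` keeps findings warning-only while still surfacing a broken scanner. The scanner image is pulled as `ghcr.io/aquasecurity/trivy:latest`, a mutable tag that runs with the host's Docker socket mounted, which is root-equivalent on web.hhivp.com; pin it, e.g. `ghcr.io/aquasecurity/trivy:<pinned-version> image \` (or an `@sha256:` digest), and consider scanning a `docker save` tarball via `trivy image --input` so no socket mount is needed. The cache at `/tmp/trivy-cache` lives in a world-writable directory; a path under the deploy user's home is presumably safer, though the remote user and permissions are not visible here. The REMOTE heredoc and the enclosing step begin outside this hunk.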