ci: harden release pipeline and pin tooling
Un-neuter grype CVE gate (was || echo, now fails on critical). Add .grype.yaml with ignore for CVE-2026-41589 (wish SCP — unreachable, we only import wish/bubbletea). Pin: grype v0.114.0, git-cliff v2.13.1, govulncheck v1.1.4. Tag `latest` only on tag push, not workflow_dispatch. Build path ./cmd/uptop (survives a main.go split). Add dist/ and uptop to .dockerignore.
This commit is contained in:
@@ -31,6 +31,13 @@ jobs:
|
||||
fi
|
||||
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
|
||||
|
||||
TAGS="lerkolabs/uptop:${TAG}"
|
||||
TAGS="${TAGS},lerkolabs/uptop:sha-${SHORT_SHA}"
|
||||
if [ "${{ github.ref_type }}" = "tag" ]; then
|
||||
TAGS="${TAGS},lerkolabs/uptop:latest"
|
||||
fi
|
||||
echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
@@ -51,10 +58,7 @@ jobs:
|
||||
platforms: linux/amd64,linux/arm64
|
||||
sbom: true
|
||||
provenance: mode=max
|
||||
tags: |
|
||||
lerkolabs/uptop:${{ steps.meta.outputs.tag }}
|
||||
lerkolabs/uptop:latest
|
||||
lerkolabs/uptop:sha-${{ steps.meta.outputs.short_sha }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
build-args: |
|
||||
VERSION=${{ steps.meta.outputs.tag }}
|
||||
COMMIT=${{ github.sha }}
|
||||
@@ -62,8 +66,8 @@ jobs:
|
||||
|
||||
- name: Scan image for CVEs
|
||||
run: |
|
||||
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
|
||||
grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table || echo "::warning::CVE scan found critical issues — review output above"
|
||||
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.114.0
|
||||
grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table
|
||||
|
||||
- name: Update Docker Hub description
|
||||
uses: peter-evans/dockerhub-description@v4
|
||||
|
||||
Reference in New Issue
Block a user