ci: harden release pipeline + swap to pure-Go SQLite #104
@@ -10,3 +10,5 @@ vendor/
|
||||
*.local
|
||||
.env
|
||||
.github/
|
||||
dist/
|
||||
uptop
|
||||
|
||||
@@ -65,7 +65,7 @@ jobs:
|
||||
go-version: "1.26"
|
||||
|
||||
- name: Install govulncheck
|
||||
run: go install golang.org/x/vuln/cmd/govulncheck@latest
|
||||
run: go install golang.org/x/vuln/cmd/govulncheck@v1.1.4
|
||||
|
||||
- name: Run govulncheck
|
||||
run: govulncheck ./...
|
||||
|
||||
@@ -33,8 +33,8 @@ jobs:
|
||||
|
||||
- name: Install git-cliff
|
||||
run: |
|
||||
apk add --no-cache curl jq
|
||||
VERSION=$(curl -sS https://api.github.com/repos/orhun/git-cliff/releases/latest | jq -r '.tag_name' | sed 's/^v//')
|
||||
apk add --no-cache curl
|
||||
VERSION=2.13.1
|
||||
curl -sSL "https://github.com/orhun/git-cliff/releases/download/v${VERSION}/git-cliff-${VERSION}-x86_64-unknown-linux-musl.tar.gz" | tar xz -C /tmp
|
||||
mv /tmp/git-cliff-*/git-cliff /usr/local/bin/
|
||||
git-cliff --version
|
||||
|
||||
@@ -31,6 +31,13 @@ jobs:
|
||||
fi
|
||||
echo "tag=$TAG" >> "$GITHUB_OUTPUT"
|
||||
|
||||
TAGS="lerkolabs/uptop:${TAG}"
|
||||
TAGS="${TAGS},lerkolabs/uptop:sha-${SHORT_SHA}"
|
||||
if [ "${{ github.ref_type }}" = "tag" ]; then
|
||||
TAGS="${TAGS},lerkolabs/uptop:latest"
|
||||
fi
|
||||
echo "tags=$TAGS" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Set up QEMU
|
||||
uses: docker/setup-qemu-action@v3
|
||||
|
||||
@@ -51,10 +58,7 @@ jobs:
|
||||
platforms: linux/amd64,linux/arm64
|
||||
sbom: true
|
||||
provenance: mode=max
|
||||
tags: |
|
||||
lerkolabs/uptop:${{ steps.meta.outputs.tag }}
|
||||
lerkolabs/uptop:latest
|
||||
lerkolabs/uptop:sha-${{ steps.meta.outputs.short_sha }}
|
||||
tags: ${{ steps.meta.outputs.tags }}
|
||||
build-args: |
|
||||
VERSION=${{ steps.meta.outputs.tag }}
|
||||
COMMIT=${{ github.sha }}
|
||||
@@ -62,8 +66,8 @@ jobs:
|
||||
|
||||
- name: Scan image for CVEs
|
||||
run: |
|
||||
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
|
||||
grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table || echo "::warning::CVE scan found critical issues — review output above"
|
||||
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin v0.114.0
|
||||
grype lerkolabs/uptop:${{ steps.meta.outputs.tag }} --fail-on critical --output table
|
||||
|
||||
- name: Update Docker Hub description
|
||||
uses: peter-evans/dockerhub-description@v4
|
||||
|
||||
+1
-1
@@ -10,7 +10,7 @@ release:
|
||||
name: uptop
|
||||
|
||||
builds:
|
||||
- main: ./cmd/uptop/main.go
|
||||
- main: ./cmd/uptop
|
||||
binary: uptop
|
||||
env:
|
||||
- CGO_ENABLED=1
|
||||
|
||||
@@ -0,0 +1,6 @@
|
||||
ignore:
|
||||
# CVE-2026-41589: SCP path traversal in charmbracelet/wish.
|
||||
# We only import wish/bubbletea for the SSH TUI server — the vulnerable
|
||||
# scp.Middleware / scp.NewFileSystemHandler symbols are never compiled in.
|
||||
# No fix available for wish v1; v2 (charm.land/wish/v2) patched in 2.0.1.
|
||||
- vulnerability: CVE-2026-41589
|
||||
+1
-1
@@ -12,7 +12,7 @@ ARG COMMIT=none
|
||||
ARG BUILD_DATE=unknown
|
||||
RUN --mount=type=cache,target=/go/pkg/mod \
|
||||
--mount=type=cache,target=/root/.cache/go-build \
|
||||
go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop/main.go
|
||||
go build -trimpath -ldflags="-s -w -X main.version=${VERSION} -X main.commit=${COMMIT} -X main.date=${BUILD_DATE}" -o uptop ./cmd/uptop
|
||||
|
||||
# --- Stage 2: Runner ---
|
||||
FROM alpine:3.23@sha256:5b10f432ef3da1b8d4c7eb6c487f2f5a8f096bc91145e68878dd4a5019afde11
|
||||
|
||||
Reference in New Issue
Block a user