movieloop-frontend/.gitea/workflows/ci.yml
TehRiehlDeal 9a26b935a8
frontend-ci / lint (push) Successful in 15s
frontend-ci / typecheck (push) Successful in 13s
frontend-ci / secrets-scan (push) Successful in 4s
frontend-ci / sast (push) Successful in 7s
frontend-ci / fs-scan (push) Failing after 11s
frontend-ci / build (push) Has been cancelled
frontend-ci / image-scan (push) Has been cancelled
frontend-ci / push (push) Has been cancelled
fix(ci): bump Trivy to v0.70.0 (v0.58.1 was never released)
The previous pin to v0.58.1 returned a 404 — that tag doesn't exist in
the trivy releases. Latest is v0.70.0; pinning to that. Verified the
asset naming convention (trivy_X.Y.Z_Linux-64bit.tar.gz) is unchanged.
2026-05-08 18:05:58 -07:00


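# CI for the movieloop frontend.
#
# Gate structure (see each job's `needs`): lint and typecheck gate the CI
# build; secrets-scan, sast and fs-scan run in parallel against the checkout;
# the container image is scanned before `push`; `push` runs only on main or a
# v* tag and only once every other job has succeeded.
#
# NOTE(review): third-party actions below are pinned to moving major tags
# (@v4, @v3, @v1, ...). Pinning to a full commit SHA
# (`uses: owner/action@<commit-sha>  # vX.Y.Z`) removes the risk of a
# retargeted tag changing what runs in this pipeline.
name: frontend-ci
on:  # yamllint disable-line rule:truthy
  push:
    branches: ["**"]
    tags: ["v*"]
  pull_request:
env:
  # Registry host comes from a secret so it never appears in the workflow file.
  IMAGE: ${{ secrets.HARBOR_HOST }}/movieloop/frontend
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
          cache-dependency-path: package-lock.json
      - run: npm ci
      - run: npx eslint .

  typecheck:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: 22
          cache: npm
      - run: npm ci
      - run: npx tsc -b

  secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Full history: gitleaks scans every commit, not just the tip.
          fetch-depth: 0
      - name: Install and run gitleaks
        run: |
          set -euo pipefail
          GL_VERSION=8.18.4
          BASE="https://github.com/gitleaks/gitleaks/releases/download/v${GL_VERSION}"
          TARBALL="gitleaks_${GL_VERSION}_linux_x64.tar.gz"
          # -f fails on an HTTP error (e.g. a 404 for a tag that does not exist)
          # instead of handing an HTML error page to tar; --retry smooths
          # transient download failures.
          curl -fsSL --retry 3 -o "/tmp/${TARBALL}" "${BASE}/${TARBALL}"
          curl -fsSL --retry 3 -o /tmp/gitleaks_checksums.txt "${BASE}/gitleaks_${GL_VERSION}_checksums.txt"
          # Verify the tarball against the upstream-published digests before
          # executing anything from it; fails if the tarball is not listed.
          (cd /tmp && sha256sum --check --ignore-missing gitleaks_checksums.txt)
          tar xzf "/tmp/${TARBALL}" -C /tmp gitleaks
          # --redact keeps any detected secret values out of the job log.
          /tmp/gitleaks detect --redact --no-banner --verbose --source .

  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): returntocorp/semgrep-action appears to be archived
      # upstream; confirm it still receives rule/engine updates or move to the
      # semgrep/semgrep container image.
      - uses: returntocorp/semgrep-action@v1
        with:
          config: "p/auto"

  fs-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Install and run Trivy (filesystem)
        run: |
          set -euo pipefail
          TRIVY_VERSION=0.70.0
          BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          # -f turns an HTTP error (e.g. a 404 for a release tag that does not
          # exist) into a non-zero exit instead of piping an error page to tar.
          curl -fsSL --retry 3 -o "/tmp/${TARBALL}" "${BASE}/${TARBALL}"
          curl -fsSL --retry 3 -o /tmp/trivy_checksums.txt "${BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Verify against the upstream-published digests before executing.
          (cd /tmp && sha256sum --check --ignore-missing trivy_checksums.txt)
          tar xzf "/tmp/${TARBALL}" -C /tmp trivy
          # --ignore-unfixed: findings with no available fix do not fail the job,
          # so only actionable HIGH/CRITICAL issues block the pipeline.
          /tmp/trivy fs --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress .

  build:
    runs-on: ubuntu-latest
    needs: [lint, typecheck]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          target: production
          tags: movieloop-frontend:ci-${{ github.sha }}
          load: true
          cache-from: type=gha
          cache-to: type=gha,mode=max

  image-scan:
    runs-on: ubuntu-latest
    needs: [build]
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      # NOTE(review): `build` runs on a different runner and shares no artifact,
      # so the image is rebuilt here (and again in `push`). The bytes scanned
      # below are therefore not guaranteed to be the bytes pushed; exporting
      # the image once as a job artifact and loading it in the later jobs would
      # close that gap.
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          target: production
          tags: movieloop-frontend:ci-${{ github.sha }}
          # load: true makes the image available to the local docker daemon
          # for `trivy image` below.
          load: true
          cache-from: type=gha
      - name: Install and run Trivy (image)
        run: |
          set -euo pipefail
          TRIVY_VERSION=0.70.0
          BASE="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}"
          TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
          # -f turns an HTTP error (e.g. a 404 for a release tag that does not
          # exist) into a non-zero exit instead of piping an error page to tar.
          curl -fsSL --retry 3 -o "/tmp/${TARBALL}" "${BASE}/${TARBALL}"
          curl -fsSL --retry 3 -o /tmp/trivy_checksums.txt "${BASE}/trivy_${TRIVY_VERSION}_checksums.txt"
          # Verify against the upstream-published digests before executing.
          (cd /tmp && sha256sum --check --ignore-missing trivy_checksums.txt)
          tar xzf "/tmp/${TARBALL}" -C /tmp trivy
          /tmp/trivy image --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed --no-progress \
            movieloop-frontend:ci-${{ github.sha }}

  push:
    runs-on: ubuntu-latest
    # Every scan must pass before anything reaches the registry.
    needs: [build, image-scan, secrets-scan, sast, fs-scan]
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - uses: docker/login-action@v3
        with:
          registry: ${{ secrets.HARBOR_HOST }}
          username: ${{ secrets.MOVIELOOP_USERNAME }}
          password: ${{ secrets.MOVIELOOP_PASSWORD }}
      - uses: docker/metadata-action@v5
        id: meta
        with:
          images: ${{ env.IMAGE }}
          # `latest` only from main; semver tags only materialise on v* tag pushes.
          tags: |
            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
            type=sha,format=long
            type=semver,pattern={{version}}
            type=semver,pattern={{major}}.{{minor}}
            type=semver,pattern={{major}}
      # NOTE(review): this is a fresh build, not the image that `image-scan`
      # inspected (see the note on that job).
      - uses: docker/build-push-action@v5
        with:
          context: .
          file: Dockerfile
          target: production
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          cache-from: type=gha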