- .woodpecker.yaml: build+push agent and dispatcher images to Harbor on mainline/tag - k8s/argocd-app.yaml: ArgoCD Application syncing k8s/ from mainline - k8s/externalsecrets/: ExternalSecret manifests for all 19 agent AppRole creds + dispatcher - ArgoCD app applied to cluster, Woodpecker repo enabled with harbor secrets
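---
# AutoJanet CI Pipeline
#
# Builds and pushes two images to Harbor:
# - registry.ctz.fyi/autojanet/agent:latest (+ git SHA tag)
# - registry.ctz.fyi/autojanet/dispatcher:latest (+ git SHA tag)
# Triggered on push to mainline or semver tags.
#
# Security notes for maintainers:
# - The build steps run with the Harbor push credentials (harbor_user /
#   harbor_password). The plugin and scanner images below are referenced
#   without a tag or digest, so every run resolves whatever the registry
#   currently serves; pin them (release tag or @sha256 digest) before
#   relying on this pipeline for release builds. See the TODO(review) notes.
# - Steps run in order, so the Trivy scans execute after the images have
#   already been pushed; a finding is reported in the step log but does not
#   prevent publication (and `failure: ignore` keeps the pipeline green).
# - On tag builds `latest` is re-pointed as well; the semver tag itself is
#   not pushed as an image tag (only `latest` and the 12-char commit SHA).

when:
  - event: push
    branch: mainline
  - event: tag
    ref: refs/tags/v*

steps:
  # ── Agent image ─────────────────────────────────────────────────────────────
  - name: build-agent
    # TODO(review): pin to a release tag or digest — this step receives the
    # Harbor push credentials, so an unpinned plugin image widens the
    # supply-chain exposure of those secrets.
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.ctz.fyi
      repo: registry.ctz.fyi/autojanet/agent
      dockerfile: container/Dockerfile
      context: .
      username:
        from_secret: harbor_user
      password:
        from_secret: harbor_password
      tags:
        - latest
        # First 12 hex chars of the commit SHA — an immutable per-build tag
        # that the scan steps below reference.
        - "${CI_COMMIT_SHA:0:12}"
      cache_from: registry.ctz.fyi/autojanet/agent:latest
      platforms: linux/amd64
    when:
      - event: push
        branch: mainline
      - event: tag

  # ── Dispatcher image ─────────────────────────────────────────────────────────
  - name: build-dispatcher
    # TODO(review): pin to a release tag or digest (same reason as build-agent).
    image: woodpeckerci/plugin-docker-buildx
    settings:
      registry: registry.ctz.fyi
      repo: registry.ctz.fyi/autojanet/dispatcher
      dockerfile: container/Dockerfile.dispatcher
      context: .
      username:
        from_secret: harbor_user
      password:
        from_secret: harbor_password
      tags:
        - latest
        - "${CI_COMMIT_SHA:0:12}"
      cache_from: registry.ctz.fyi/autojanet/dispatcher:latest
      platforms: linux/amd64
    when:
      - event: push
        branch: mainline
      - event: tag

  # ── Trivy scan agent image ───────────────────────────────────────────────────
  # `--exit-code 1` makes trivy exit non-zero on unfixed-filtered HIGH/CRITICAL
  # findings, but `failure: ignore` below means that exit code never fails the
  # pipeline — results are advisory (log output only). The image scanned is the
  # SHA-tagged image pushed by build-agent, pulled with the Harbor credentials.
  - name: trivy-agent
    # TODO(review): pin the scanner image (tag or digest) so scan results are
    # reproducible and the step does not float with upstream releases.
    image: aquasec/trivy:latest
    commands:
      - >-
        trivy image --exit-code 1 --severity HIGH,CRITICAL
        --ignore-unfixed
        registry.ctz.fyi/autojanet/agent:${CI_COMMIT_SHA:0:12}
    environment:
      TRIVY_USERNAME:
        from_secret: harbor_user
      TRIVY_PASSWORD:
        from_secret: harbor_password
    when:
      - event: push
        branch: mainline
      - event: tag
    failure: ignore # warn only — don't block on upstream CVEs in base image

  # ── Trivy scan dispatcher image ──────────────────────────────────────────────
  # Mirrors trivy-agent for the second image built above; previously only the
  # agent image was scanned although both are pushed to Harbor.
  - name: trivy-dispatcher
    # TODO(review): pin the scanner image (tag or digest), as for trivy-agent.
    image: aquasec/trivy:latest
    commands:
      - >-
        trivy image --exit-code 1 --severity HIGH,CRITICAL
        --ignore-unfixed
        registry.ctz.fyi/autojanet/dispatcher:${CI_COMMIT_SHA:0:12}
    environment:
      TRIVY_USERNAME:
        from_secret: harbor_user
      TRIVY_PASSWORD:
        from_secret: harbor_password
    when:
      - event: push
        branch: mainline
      - event: tag
    failure: ignore # warn only — don't block on upstream CVEs in base image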