ci: migrate container build to buildx (#53)

owncloud-ops · Nov 3, 2023 · 3c84179 · 3c84179
1 parent 8d7a684
commit 3c84179
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 21 deletions.
diff --git a/.drone.yml b/.drone.yml
@@ -1,33 +1,37 @@
 ---
 kind: pipeline
+type: docker
 name: container
 
 platform:
   os: linux
   arch: amd64
 
 steps:
-  - name: tags
-    image: quay.io/thegeeklab/docker-autotag
-    environment:
-      DOCKER_AUTOTAG_FORCE_LATEST: True
-      DOCKER_AUTOTAG_IGNORE_PRERELEASE: True
-      DOCKER_AUTOTAG_OUTPUT_FILE: .tags
-      DOCKER_AUTOTAG_VERSION: ${DRONE_TAG}
-
-  - name: dryrun
-    image: docker.io/plugins/docker
+  - name: security-build
+    image: docker.io/owncloudci/drone-docker-buildx:1
     settings:
       build_args:
         - ELASTICSEARCH_PLUGINS=repository-s3 ingest-attachment
       dockerfile: Dockerfile
-      dry_run: true
+      output: type=oci,dest=oci/${DRONE_REPO_NAME},tar=false
       repo: owncloudops/${DRONE_REPO_NAME}
-    when:
-      ref:
-        - refs/pull/**
+
+  - name: security-scan
+    image: ghcr.io/aquasecurity/trivy
+    commands:
+      - trivy -v
+      - trivy image --input oci/${DRONE_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: 1
+      TRIVY_IGNORE_UNFIXED: True
+      TRIVY_NO_PROGRESS: True
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+      TRIVY_SKIP_FILES: /usr/local/bin/gomplate
+      TRIVY_SKIP_DIRS: /usr/share/elasticsearch
     depends_on:
-      - tags
+      - security-build
 
   - name: changelog
     image: quay.io/thegeeklab/git-chglog
@@ -36,10 +40,10 @@ steps:
       - git-chglog --no-color --no-emoji ${DRONE_TAG:---next-tag unreleased unreleased}
       - git-chglog --no-color --no-emoji -o CHANGELOG.md ${DRONE_TAG:---next-tag unreleased unreleased}
     depends_on:
-      - dryrun
+      - security-scan
 
   - name: publish-dockerhub
-    image: docker.io/plugins/docker
+    image: docker.io/owncloudci/drone-docker-buildx:1
     settings:
       build_args:
         - ELASTICSEARCH_PLUGINS=repository-s3 ingest-attachment
@@ -57,7 +61,7 @@ steps:
       - changelog
 
   - name: publish-quay
-    image: docker.io/plugins/docker
+    image: docker.io/owncloudci/drone-docker-buildx:1
     settings:
       build_args:
         - ELASTICSEARCH_PLUGINS=repository-s3 ingest-attachment
@@ -98,6 +102,7 @@ trigger:
 
 ---
 kind: pipeline
+type: docker
 name: notifications
 
 platform:
@@ -150,5 +155,3 @@ trigger:
 
 depends_on:
   - container
-
-...
diff --git a/.prettierignore b/.prettierignore
@@ -1 +1,2 @@
-.drone.yml
+*.tpl.md
+LICENSE