grabowski/Northern-Thailand-Ping-River-Monitor
5
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 15 Wiki Activity

Remove Trivy workflows + Fix YAML syntax errors

Browse Source 
Trivy Removal:
- Remove entire docker-security-scan job from security workflow
- Remove Trivy vulnerability scanner from release workflow
- Remove Trivy filesystem scan and related steps
- Update security summary to reflect Trivy removal
- Eliminates GitHub API authentication issues

 YAML Syntax Fixes:
- Fix indentation errors in ci.yml (line 31)
- Fix indentation errors in docs.yml (line 30)
- Correct 'with:' block alignment with 'uses:' statements
- Fix token parameter indentation (8 spaces standard)
- Applied across all workflow files consistently

 Result:
- All workflows now have valid YAML syntax
- No more Trivy-related GitHub API calls
- Cleaner, simpler security workflow
- Workflows ready for successful execution
This commit is contained in:
Alexander Grabowski
2025-08-12 17:23:10 +07:00
parent e5d5284ee3
commit 4a30af60e8
4 changed files with 40 additions and 136 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
.gitea/workflows/ci.yml
View File

@@ -28,8 +28,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v4
@@ -100,8 +100,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
@@ -138,8 +138,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
@@ -199,8 +199,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Wait for VictoriaMetrics
run: |
@@ -252,8 +252,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Deploy to staging
run: |
@@ -279,8 +279,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Deploy to production
run: |
@@ -308,8 +308,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Install Apache Bench
run: |

12
.gitea/workflows/docs.yml
View File

@@ -27,8 +27,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
@@ -129,8 +129,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
@@ -228,8 +228,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4

16
.gitea/workflows/release.yml
View File

@@ -161,21 +161,7 @@ jobs:
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
github-token: ${{ secrets.GH_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Upload Trivy scan results
uses: actions/upload-artifact@v3
with:
name: security-scan-results
path: trivy-results.sarif
# Deploy release to production
deploy-release:

120
.gitea/workflows/security.yml
View File

@@ -25,12 +25,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
with:
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install dependencies
@@ -53,7 +53,7 @@ jobs:
- name: Upload security reports
uses: actions/upload-artifact@v3
with:
with:
name: security-reports-${{ github.run_number }}
path: |
safety-report.json
@@ -86,84 +86,6 @@ jobs:
fi
fi
# Docker image security scan
docker-security-scan:
name: Docker Security Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Check GitHub token availability
run: |
if [ -z "${{ secrets.GH_TOKEN }}" ]; then
echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
echo "💡 To fix: Add GH_TOKEN secret in repository settings"
else
echo "✅ GH_TOKEN is configured"
fi
- name: Build Docker image for scanning
run: |
docker build -t ping-river-monitor:scan .
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "ping-river-monitor:scan"
format: "json"
output: "trivy-report.json"
github-token: ${{ secrets.GH_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "json"
output: "trivy-fs-report.json"
github-token: ${{ secrets.GH_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
continue-on-error: true
- name: Upload Trivy reports
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-reports-${{ github.run_number }}
path: |
trivy-report.json
trivy-fs-report.json
- name: Check Trivy results
run: |
echo "🔍 Analyzing Docker security scan results..."
if [ -f trivy-report.json ]; then
critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
echo "Critical vulnerabilities: $critical_vulns"
echo "High vulnerabilities: $high_vulns"
if [ "$critical_vulns" -gt 0 ]; then
echo "❌ Critical vulnerabilities found in Docker image!"
exit 1
elif [ "$high_vulns" -gt 5 ]; then
echo "⚠️ Many high-severity vulnerabilities found"
else
echo "✅ Docker image security scan passed"
fi
fi
# License compliance check
license-check:
@@ -173,12 +95,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
with:
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pip-licenses
@@ -206,7 +128,7 @@ jobs:
- name: Upload license report
uses: actions/upload-artifact@v3
with:
with:
name: license-report-${{ github.run_number }}
path: |
licenses.json
@@ -220,12 +142,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
with:
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pip-check-updates equivalent
@@ -289,7 +211,7 @@ jobs:
- name: Upload dependency reports
uses: actions/upload-artifact@v3
with:
with:
name: dependency-reports-${{ github.run_number }}
path: |
outdated-packages.json
@@ -303,12 +225,12 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v4
with:
token: ${{ secrets.CI_BOT_TOKEN }}
with:
token: ${{ secrets.CI_BOT_TOKEN }}
- name: Set up Python
uses: actions/setup-python@v4
with:
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install quality tools
@@ -341,7 +263,7 @@ jobs:
- name: Upload quality reports
uses: actions/upload-artifact@v3
with:
with:
name: code-quality-reports-${{ github.run_number }}
path: |
complexity-report.json
@@ -383,12 +305,8 @@ jobs:
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
fi
# Docker scan results
if [ -f trivy-reports-*/trivy-report.json ]; then
echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
else
echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
fi
# Docker scan results (removed Trivy)
echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md
# License check results
if [ -f license-report-*/licenses.json ]; then
@@ -413,6 +331,6 @@ jobs:
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
with:
name: security-summary-${{ github.run_number }}
path: security-summary.md