From 4a30af60e8d2db8fb85216f463c1d729a348f91e Mon Sep 17 00:00:00 2001 From: grabowski Date: Tue, 12 Aug 2025 17:23:10 +0700 Subject: [PATCH] Remove Trivy workflows + Fix YAML syntax errors Trivy Removal: - Remove entire docker-security-scan job from security workflow - Remove Trivy vulnerability scanner from release workflow - Remove Trivy filesystem scan and related steps - Update security summary to reflect Trivy removal - Eliminates GitHub API authentication issues YAML Syntax Fixes: - Fix indentation errors in ci.yml (line 31) - Fix indentation errors in docs.yml (line 30) - Correct 'with:' block alignment with 'uses:' statements - Fix token parameter indentation (8 spaces standard) - Applied across all workflow files consistently Result: - All workflows now have valid YAML syntax - No more Trivy-related GitHub API calls - Cleaner, simpler security workflow - Workflows ready for successful execution --- .gitea/workflows/ci.yml | 28 ++++---- .gitea/workflows/docs.yml | 12 ++-- .gitea/workflows/release.yml | 16 +---- .gitea/workflows/security.yml | 120 ++++++---------------------------- 4 files changed, 40 insertions(+), 136 deletions(-) diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml index f531e7e..fc0fc50 100644 --- a/.gitea/workflows/ci.yml +++ b/.gitea/workflows/ci.yml @@ -28,8 +28,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python ${{ matrix.python-version }} uses: actions/setup-python@v4 @@ -100,8 +100,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 
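Review bot: Once `with:` is aligned under `uses: actions/checkout@v4`, `token: ${{ secrets.CI_BOT_TOKEN }}` is actually consumed by checkout, and actions/checkout persists that token in the workspace's `.git/config` by default, so every later step in the job (setup-python, buildx, the deploy and Apache Bench steps, and any third-party action) can read it. Unless a later step in the same job needs to push, add `persist-credentials: false` next to `token:` in this `with:` block; the same applies to the other checkout hunks in ci.yml, docs.yml and security.yml. I cannot verify the actual indentation from this collapsed patch, so confirm the `with:` key sits at the same column as `uses:` after applying it. Whether the Gitea runner's actions/checkout behaves like the upstream action here is inferred, not shown in the hunk.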
@@ -138,8 +138,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 @@ -199,8 +199,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Wait for VictoriaMetrics run: | @@ -252,8 +252,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Deploy to staging run: | @@ -279,8 +279,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Deploy to production run: | @@ -308,8 +308,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Install Apache Bench run: | diff --git a/.gitea/workflows/docs.yml b/.gitea/workflows/docs.yml index 5861e5f..de6574f 100644 --- a/.gitea/workflows/docs.yml +++ b/.gitea/workflows/docs.yml @@ -27,8 +27,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 @@ -129,8 +129,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 @@ -228,8 +228,8 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 178af60..bb378d5 100644 
--- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml @@ -161,21 +161,7 @@ jobs: with: token: ${{ secrets.CI_BOT_TOKEN }} - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }} - format: 'sarif' - output: 'trivy-results.sarif' - github-token: ${{ secrets.GH_TOKEN }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - - - name: Upload Trivy scan results - uses: actions/upload-artifact@v3 - with: - name: security-scan-results - path: trivy-results.sarif + # Deploy release to production deploy-release: diff --git a/.gitea/workflows/security.yml b/.gitea/workflows/security.yml index 9f930b5..c738754 100644 --- a/.gitea/workflows/security.yml +++ b/.gitea/workflows/security.yml @@ -25,12 +25,12 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 - with: + with: python-version: ${{ env.PYTHON_VERSION }} - name: Install dependencies @@ -53,7 +53,7 @@ jobs: - name: Upload security reports uses: actions/upload-artifact@v3 - with: + with: name: security-reports-${{ github.run_number }} path: | safety-report.json 
@@ -86,84 +86,6 @@ jobs: fi fi - # Docker image security scan - docker-security-scan: - name: Docker Security Scan - runs-on: ubuntu-latest - - steps: - - name: Checkout code - uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} - - - name: Check GitHub token availability - run: | - if [ -z "${{ secrets.GH_TOKEN }}" ]; then - echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits." - echo "💡 To fix: Add GH_TOKEN secret in repository settings" - else - echo "✅ GH_TOKEN is configured" - fi - - - name: Build Docker image for scanning - run: | - docker build -t ping-river-monitor:scan . - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: "ping-river-monitor:scan" - format: "json" - output: "trivy-report.json" - github-token: ${{ secrets.GH_TOKEN }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - continue-on-error: true - - - name: Run Trivy filesystem scan - uses: aquasecurity/trivy-action@master - with: - scan-type: "fs" - scan-ref: "." - format: "json" - output: "trivy-fs-report.json" - github-token: ${{ secrets.GH_TOKEN }} - env: - GITHUB_TOKEN: ${{ secrets.GH_TOKEN }} - continue-on-error: true - - - name: Upload Trivy reports - uses: actions/upload-artifact@v3 - if: always() - with: - name: trivy-reports-${{ github.run_number }} - path: | - trivy-report.json - trivy-fs-report.json - - - name: Check Trivy results - run: | - echo "🔍 Analyzing Docker security scan results..." - - if [ -f trivy-report.json ]; then - critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l) - high_vulns=$(jq '.Results[]?.Vulnerabilities[]? 
| select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l) - - echo "Critical vulnerabilities: $critical_vulns" - echo "High vulnerabilities: $high_vulns" - - if [ "$critical_vulns" -gt 0 ]; then - echo "❌ Critical vulnerabilities found in Docker image!" - exit 1 - elif [ "$high_vulns" -gt 5 ]; then - echo "⚠️ Many high-severity vulnerabilities found" - else - echo "✅ Docker image security scan passed" - fi - fi # License compliance check license-check: @@ -173,12 +95,12 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 - with: + with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pip-licenses @@ -206,7 +128,7 @@ jobs: - name: Upload license report uses: actions/upload-artifact@v3 - with: + with: name: license-report-${{ github.run_number }} path: | licenses.json @@ -220,12 +142,12 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 - with: + with: python-version: ${{ env.PYTHON_VERSION }} - name: Install pip-check-updates equivalent @@ -289,7 +211,7 @@ jobs: - name: Upload dependency reports uses: actions/upload-artifact@v3 - with: + with: name: dependency-reports-${{ github.run_number }} path: | outdated-packages.json @@ -303,12 +225,12 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 - with: - token: ${{ secrets.CI_BOT_TOKEN }} + with: + token: ${{ secrets.CI_BOT_TOKEN }} - name: Set up Python uses: actions/setup-python@v4 - with: + with: python-version: ${{ env.PYTHON_VERSION }} - name: Install quality tools @@ -341,7 +263,7 @@ jobs: - name: Upload quality reports uses: actions/upload-artifact@v3 - with: + with: name: code-quality-reports-${{ github.run_number }} path: | complexity-report.json 
@@ -383,12 +305,8 @@ jobs: echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md fi - # Docker scan results - if [ -f trivy-reports-*/trivy-report.json ]; then - echo "- ✅ **Docker Scan**: Completed" >> security-summary.md - else - echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md - fi + # Docker scan results (removed Trivy) + echo "- ⏭️ **Docker Scan**: Skipped (Trivy removed)" >> security-summary.md # License check results if [ -f license-report-*/licenses.json ]; then @@ -413,6 +331,6 @@ jobs: - name: Upload security summary uses: actions/upload-artifact@v3 - with: + with: name: security-summary-${{ github.run_number }} path: security-summary.md
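Review bot: The new summary line hard-codes `⏭️ **Docker Scan**: Skipped (Trivy removed)`, which reads as a deliberate per-run skip when in fact, with the docker-security-scan job deleted earlier in this file and the release-time scan removed from release.yml, the pipeline no longer has any image or filesystem vulnerability scan at all. A summary consumer cannot tell "skipped this run" from "no control exists", so I would make the gap explicit, e.g. `echo "- ⚠️ **Docker Scan**: Not configured (no image vulnerability scan in this pipeline)" >> security-summary.md`, and track a replacement scanner as a follow-up. The removed steps referenced `aquasecurity/trivy-action@master`, an unpinned mutable ref, and their own check step attributed failures to rate limits; pinning to a tagged release and supplying the token would likely have addressed the failures without dropping the control, though that diagnosis is inferred from the deleted lines rather than shown here.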