Complete workflow token migration and pip fixes

Token Migration (GITHUB_TOKEN GH_TOKEN): - Update CI workflow to use GH_TOKEN secret - Update Release workflow to use GH_TOKEN secret - Update Security workflow to use GH_TOKEN secret - Maintain environment variable compatibility - Update token validation messages Pip Installation Improvements: - Add --root-user-action=ignore to all pip commands - Eliminates 'Running pip as root user' warnings - Applied across all workflow jobs consistently - Improves workflow reliability and log cleanliness Affected Workflows: - CI: Fixed token references + pip warnings - Release: Fixed token references + pip warnings - Security: Fixed token references + pip warnings + validation messages Changes Summary: - 3 workflow files updated - 37 insertions, 37 deletions (clean replacements) - Consistent token naming across all workflows - All pip commands now use --root-user-action=ignore flag Benefits: - Gitea-compatible secret naming (GH_TOKEN) - Cleaner workflow logs without pip warnings - Better error handling and validation - Consistent token usage across all pipelines
2025-08-12 16:50:09 +07:00
parent b13a4fe400
commit 505c65f614
3 changed files with 37 additions and 37 deletions
--- a/.gitea/workflows/security.yml
+++ b/.gitea/workflows/security.yml
@@ -14,7 +14,7 @@ on:
 env:
  PYTHON_VERSION: "3.11"
  # GitHub token for better rate limits and authentication
-  GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+  GH_TOKEN: ${{ secrets.GH_TOKEN }}

 jobs:
  # Dependency vulnerability scan
@@ -33,8 +33,8 @@ jobs:

      - name: Install dependencies
        run: |
-          python -m pip install --upgrade pip
-          pip install safety bandit semgrep
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore safety bandit semgrep

      - name: Run Safety check
        run: |
@@ -95,18 +95,18 @@ jobs:

      - name: Check GitHub token availability
        run: |
-          if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
-            echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits."
-            echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings"
+          if [ -z "${{ secrets.GH_TOKEN }}" ]; then
+            echo "⚠️ GH_TOKEN not configured. Trivy scans may fail due to rate limits."
+            echo "💡 To fix: Add GH_TOKEN secret in repository settings"
          else
-            echo "✅ GITHUB_TOKEN is configured"
+            echo "✅ GH_TOKEN is configured"
          fi

      - name: Build Docker image for scanning
        run: |
          docker build -t ping-river-monitor:scan .
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
@@ -114,9 +114,9 @@ jobs:
          image-ref: "ping-river-monitor:scan"
          format: "json"
          output: "trivy-report.json"
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
        continue-on-error: true

      - name: Run Trivy filesystem scan
@@ -126,9 +126,9 @@ jobs:
          scan-ref: "."
          format: "json"
          output: "trivy-fs-report.json"
-          github-token: ${{ secrets.GITHUB_TOKEN }}
+          github-token: ${{ secrets.GH_TOKEN }}
        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN }}
        continue-on-error: true

      - name: Upload Trivy reports
@@ -177,9 +177,9 @@ jobs:

      - name: Install pip-licenses
        run: |
-          python -m pip install --upgrade pip
-          pip install pip-licenses
-          pip install -r requirements.txt
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore pip-licenses
+          pip install --root-user-action=ignore -r requirements.txt

      - name: Check licenses
        run: |
@@ -222,13 +222,13 @@ jobs:

      - name: Install pip-check-updates equivalent
        run: |
-          python -m pip install --upgrade pip
-          pip install pip-review
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore pip-review

      - name: Check for outdated packages
        run: |
          echo "📦 Checking for outdated packages..."
-          pip install -r requirements.txt
+          pip install --root-user-action=ignore -r requirements.txt
          pip list --outdated --format=json > outdated-packages.json || true

          if [ -s outdated-packages.json ]; then
@@ -303,9 +303,9 @@ jobs:

      - name: Install quality tools
        run: |
-          python -m pip install --upgrade pip
-          pip install radon xenon vulture
-          pip install -r requirements.txt
+          python -m pip install --upgrade pip --root-user-action=ignore
+          pip install --root-user-action=ignore radon xenon vulture
+          pip install --root-user-action=ignore -r requirements.txt

      - name: Calculate code complexity
        run: |