grabowski/Northern-Thailand-Ping-River-Monitor
5
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 15 Wiki Activity

🔧 Fix: Comprehensive GitHub token integration for all Docker workflows
All checks were successful
Security & Dependency Updates / Dependency Security Scan (push) Successful in 23s
Details
Security & Dependency Updates / Docker Security Scan (push) Successful in 1m27s
Details
Security & Dependency Updates / License Compliance (push) Successful in 12s
Details
Security & Dependency Updates / Check for Dependency Updates (push) Successful in 16s
Details
Security & Dependency Updates / Code Quality Metrics (push) Successful in 9s
Details
Security & Dependency Updates / Security Summary (push) Successful in 6s
Details

Browse Source 
 Complete GitHub Token Support:
- Add github-token parameter to all Trivy actions (security + release)
- Add GITHUB_TOKEN environment variable to all Docker build steps
- Add global GITHUB_TOKEN environment to CI and release workflows
- Ensure consistent token usage across all workflow jobs

🐳 Docker Workflow Improvements:
- CI workflow: Docker build with GitHub token for base image pulls
- Security workflow: Docker build + Trivy scans with token
- Release workflow: Docker build + security scans with token
- Better authentication for all container operations

 Authentication Benefits:
- Eliminates GitHub API rate limiting issues
- Fixes 'Bad credentials' errors in Trivy scans
- Improves reliability of Docker base image pulls
- Ensures consistent authentication across all workflows

 Affected Workflows:
- CI/CD Pipeline: Enhanced Docker builds
- Security Scans: Fixed Trivy authentication
- Release Pipeline: Complete token integration
This commit is contained in:
Alexander Grabowski
2025-08-12 16:26:02 +07:00
parent 557b29b74d
commit b13a4fe400
3 changed files with 362 additions and 331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitea/workflows/ci.yml
View File

@@ -13,6 +13,8 @@ env:
PYTHON_VERSION: '3.11' PYTHON_VERSION: '3.11'
REGISTRY: git.b4l.co.th REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs: jobs:
# Test job # Test job
@@ -164,6 +166,8 @@ jobs:
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test Docker image - name: Test Docker image
run: | run: |

5
.gitea/workflows/release.yml
View File

@@ -15,6 +15,8 @@ env:
PYTHON_VERSION: '3.11' PYTHON_VERSION: '3.11'
REGISTRY: git.b4l.co.th REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs: jobs:
# Create release # Create release
@@ -139,6 +141,8 @@ jobs:
org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.revision=${{ github.sha }}
cache-from: type=gha cache-from: type=gha
cache-to: type=gha,mode=max cache-to: type=gha,mode=max
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Security scan for release # Security scan for release
security-scan: security-scan:
@@ -156,6 +160,7 @@ jobs:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }} image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
format: 'sarif' format: 'sarif'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
github-token: ${{ secrets.GITHUB_TOKEN }}
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

46
.gitea/workflows/security.yml
View File

@@ -3,16 +3,18 @@ name: Security & Dependency Updates
on: on:
schedule: schedule:
# Run security scans daily at 3 AM UTC # Run security scans daily at 3 AM UTC
- cron: '0 3 * * *' - cron: "0 3 * * *"
workflow_dispatch: workflow_dispatch:
push: push:
paths: paths:
- 'requirements*.txt' - "requirements*.txt"
- 'Dockerfile' - "Dockerfile"
- '.gitea/workflows/security.yml' - ".gitea/workflows/security.yml"
env: env:
PYTHON_VERSION: '3.11' PYTHON_VERSION: "3.11"
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs: jobs:
# Dependency vulnerability scan # Dependency vulnerability scan
@@ -91,27 +93,47 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Check GitHub token availability
run: |
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits."
echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings"
else
echo "✅ GITHUB_TOKEN is configured"
fi
- name: Build Docker image for scanning - name: Build Docker image for scanning
run: | run: |
docker build -t ping-river-monitor:scan . docker build -t ping-river-monitor:scan .
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
image-ref: 'ping-river-monitor:scan' image-ref: "ping-river-monitor:scan"
format: 'json' format: "json"
output: 'trivy-report.json' output: "trivy-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
- name: Run Trivy filesystem scan - name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master uses: aquasecurity/trivy-action@master
with: with:
scan-type: 'fs' scan-type: "fs"
scan-ref: '.' scan-ref: "."
format: 'json' format: "json"
output: 'trivy-fs-report.json' output: "trivy-fs-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
- name: Upload Trivy reports - name: Upload Trivy reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@v3
if: always()
with: with:
name: trivy-reports-${{ github.run_number }} name: trivy-reports-${{ github.run_number }}
path: | path: |