🔧 Fix: Comprehensive GitHub token integration for all Docker workflows
All checks were successful
Security & Dependency Updates / Dependency Security Scan (push) Successful in 23s
Security & Dependency Updates / Docker Security Scan (push) Successful in 1m27s
Security & Dependency Updates / License Compliance (push) Successful in 12s
Security & Dependency Updates / Check for Dependency Updates (push) Successful in 16s
Security & Dependency Updates / Code Quality Metrics (push) Successful in 9s
Security & Dependency Updates / Security Summary (push) Successful in 6s
All checks were successful
Security & Dependency Updates / Dependency Security Scan (push) Successful in 23s
Security & Dependency Updates / Docker Security Scan (push) Successful in 1m27s
Security & Dependency Updates / License Compliance (push) Successful in 12s
Security & Dependency Updates / Check for Dependency Updates (push) Successful in 16s
Security & Dependency Updates / Code Quality Metrics (push) Successful in 9s
Security & Dependency Updates / Security Summary (push) Successful in 6s
✨ Complete GitHub Token Support: - Add github-token parameter to all Trivy actions (security + release) - Add GITHUB_TOKEN environment variable to all Docker build steps - Add global GITHUB_TOKEN environment to CI and release workflows - Ensure consistent token usage across all workflow jobs 🐳 Docker Workflow Improvements: - CI workflow: Docker build with GitHub token for base image pulls - Security workflow: Docker build + Trivy scans with token - Release workflow: Docker build + security scans with token - Better authentication for all container operations Authentication Benefits: - Eliminates GitHub API rate limiting issues - Fixes 'Bad credentials' errors in Trivy scans - Improves reliability of Docker base image pulls - Ensures consistent authentication across all workflows Affected Workflows: - CI/CD Pipeline: Enhanced Docker builds - Security Scans: Fixed Trivy authentication - Release Pipeline: Complete token integration
This commit is contained in:
@@ -13,6 +13,8 @@ env:
|
||||
PYTHON_VERSION: '3.11'
|
||||
REGISTRY: git.b4l.co.th
|
||||
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
|
||||
# GitHub token for better rate limits and authentication
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
jobs:
|
||||
# Test job
|
||||
@@ -164,6 +166,8 @@ jobs:
|
||||
labels: ${{ steps.meta.outputs.labels }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Test Docker image
|
||||
run: |
|
||||
|
||||
@@ -15,6 +15,8 @@ env:
|
||||
PYTHON_VERSION: '3.11'
|
||||
REGISTRY: git.b4l.co.th
|
||||
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
|
||||
# GitHub token for better rate limits and authentication
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
jobs:
|
||||
# Create release
|
||||
@@ -139,6 +141,8 @@ jobs:
|
||||
org.opencontainers.image.revision=${{ github.sha }}
|
||||
cache-from: type=gha
|
||||
cache-to: type=gha,mode=max
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
# Security scan for release
|
||||
security-scan:
|
||||
@@ -156,6 +160,7 @@ jobs:
|
||||
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
|
||||
format: 'sarif'
|
||||
output: 'trivy-results.sarif'
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
|
||||
@@ -3,16 +3,18 @@ name: Security & Dependency Updates
|
||||
on:
|
||||
schedule:
|
||||
# Run security scans daily at 3 AM UTC
|
||||
- cron: '0 3 * * *'
|
||||
- cron: "0 3 * * *"
|
||||
workflow_dispatch:
|
||||
push:
|
||||
paths:
|
||||
- 'requirements*.txt'
|
||||
- 'Dockerfile'
|
||||
- '.gitea/workflows/security.yml'
|
||||
- "requirements*.txt"
|
||||
- "Dockerfile"
|
||||
- ".gitea/workflows/security.yml"
|
||||
|
||||
env:
|
||||
PYTHON_VERSION: '3.11'
|
||||
PYTHON_VERSION: "3.11"
|
||||
# GitHub token for better rate limits and authentication
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
jobs:
|
||||
# Dependency vulnerability scan
|
||||
@@ -91,27 +93,47 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Check GitHub token availability
|
||||
run: |
|
||||
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
|
||||
echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits."
|
||||
echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings"
|
||||
else
|
||||
echo "✅ GITHUB_TOKEN is configured"
|
||||
fi
|
||||
|
||||
- name: Build Docker image for scanning
|
||||
run: |
|
||||
docker build -t ping-river-monitor:scan .
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'ping-river-monitor:scan'
|
||||
format: 'json'
|
||||
output: 'trivy-report.json'
|
||||
image-ref: "ping-river-monitor:scan"
|
||||
format: "json"
|
||||
output: "trivy-report.json"
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
continue-on-error: true
|
||||
|
||||
- name: Run Trivy filesystem scan
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
scan-type: 'fs'
|
||||
scan-ref: '.'
|
||||
format: 'json'
|
||||
output: 'trivy-fs-report.json'
|
||||
scan-type: "fs"
|
||||
scan-ref: "."
|
||||
format: "json"
|
||||
output: "trivy-fs-report.json"
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
env:
|
||||
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
|
||||
continue-on-error: true
|
||||
|
||||
- name: Upload Trivy reports
|
||||
uses: actions/upload-artifact@v3
|
||||
if: always()
|
||||
with:
|
||||
name: trivy-reports-${{ github.run_number }}
|
||||
path: |
|
||||
|
||||
Reference in New Issue
Block a user