grabowski/Northern-Thailand-Ping-River-Monitor
5
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases 15 Wiki Activity

🔧 Fix: Comprehensive GitHub token integration for all Docker workflows
All checks were successful
Security & Dependency Updates / Dependency Security Scan (push) Successful in 23s
Details
Security & Dependency Updates / Docker Security Scan (push) Successful in 1m27s
Details
Security & Dependency Updates / License Compliance (push) Successful in 12s
Details
Security & Dependency Updates / Check for Dependency Updates (push) Successful in 16s
Details
Security & Dependency Updates / Code Quality Metrics (push) Successful in 9s
Details
Security & Dependency Updates / Security Summary (push) Successful in 6s
Details

Browse Source 
 Complete GitHub Token Support:
- Add github-token parameter to all Trivy actions (security + release)
- Add GITHUB_TOKEN environment variable to all Docker build steps
- Add global GITHUB_TOKEN environment to CI and release workflows
- Ensure consistent token usage across all workflow jobs

🐳 Docker Workflow Improvements:
- CI workflow: Docker build with GitHub token for base image pulls
- Security workflow: Docker build + Trivy scans with token
- Release workflow: Docker build + security scans with token
- Better authentication for all container operations

 Authentication Benefits:
- Eliminates GitHub API rate limiting issues
- Fixes 'Bad credentials' errors in Trivy scans
- Improves reliability of Docker base image pulls
- Ensures consistent authentication across all workflows

 Affected Workflows:
- CI/CD Pipeline: Enhanced Docker builds
- Security Scans: Fixed Trivy authentication
- Release Pipeline: Complete token integration
This commit is contained in:
Alexander Grabowski
2025-08-12 16:26:02 +07:00
parent 557b29b74d
commit b13a4fe400
3 changed files with 362 additions and 331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
.gitea/workflows/ci.yml
View File

@@ -13,6 +13,8 @@ env:
PYTHON_VERSION: '3.11'
REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
# Test job
@@ -164,6 +166,8 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Test Docker image
run: |

5
.gitea/workflows/release.yml
View File

@@ -15,6 +15,8 @@ env:
PYTHON_VERSION: '3.11'
REGISTRY: git.b4l.co.th
IMAGE_NAME: b4l/northern-thailand-ping-river-monitor
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
# Create release
@@ -139,6 +141,8 @@ jobs:
org.opencontainers.image.revision=${{ github.sha }}
cache-from: type=gha
cache-to: type=gha,mode=max
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# Security scan for release
security-scan:
@@ -156,6 +160,7 @@ jobs:
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ needs.create-release.outputs.version }}
format: 'sarif'
output: 'trivy-results.sarif'
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

570
.gitea/workflows/security.yml
View File

@@ -3,16 +3,18 @@ name: Security & Dependency Updates
on:
schedule:
# Run security scans daily at 3 AM UTC
- cron: '0 3 * * *'
- cron: "0 3 * * *"
workflow_dispatch:
push:
paths:
- 'requirements*.txt'
- 'Dockerfile'
- '.gitea/workflows/security.yml'
- "requirements*.txt"
- "Dockerfile"
- ".gitea/workflows/security.yml"
env:
PYTHON_VERSION: '3.11'
PYTHON_VERSION: "3.11"
# GitHub token for better rate limits and authentication
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
jobs:
# Dependency vulnerability scan
@@ -21,66 +23,66 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety bandit semgrep
- name: Install dependencies
run: |
python -m pip install --upgrade pip
pip install safety bandit semgrep
- name: Run Safety check
run: |
safety check -r requirements.txt --json --output safety-report.json || true
safety check -r requirements-dev.txt --json --output safety-dev-report.json || true
- name: Run Safety check
run: |
safety check -r requirements.txt --json --output safety-report.json || true
safety check -r requirements-dev.txt --json --output safety-dev-report.json || true
- name: Run Bandit security scan
run: |
bandit -r src/ -f json -o bandit-report.json || true
- name: Run Bandit security scan
run: |
bandit -r src/ -f json -o bandit-report.json || true
- name: Run Semgrep security scan
run: |
semgrep --config=auto src/ --json --output=semgrep-report.json || true
- name: Run Semgrep security scan
run: |
semgrep --config=auto src/ --json --output=semgrep-report.json || true
- name: Upload security reports
uses: actions/upload-artifact@v3
with:
name: security-reports-${{ github.run_number }}
path: |
safety-report.json
safety-dev-report.json
bandit-report.json
semgrep-report.json
- name: Upload security reports
uses: actions/upload-artifact@v3
with:
name: security-reports-${{ github.run_number }}
path: |
safety-report.json
safety-dev-report.json
bandit-report.json
semgrep-report.json
- name: Check for critical vulnerabilities
run: |
echo "🔍 Checking for critical vulnerabilities..."
- name: Check for critical vulnerabilities
run: |
echo "🔍 Checking for critical vulnerabilities..."
# Check Safety results
if [ -f safety-report.json ]; then
critical_count=$(jq '.vulnerabilities | length' safety-report.json 2>/dev/null || echo "0")
if [ "$critical_count" -gt 0 ]; then
echo "⚠️ Found $critical_count dependency vulnerabilities"
jq '.vulnerabilities[] | "- \(.package_name) \(.installed_version): \(.vulnerability_id)"' safety-report.json
else
echo "✅ No dependency vulnerabilities found"
# Check Safety results
if [ -f safety-report.json ]; then
critical_count=$(jq '.vulnerabilities | length' safety-report.json 2>/dev/null || echo "0")
if [ "$critical_count" -gt 0 ]; then
echo "⚠️ Found $critical_count dependency vulnerabilities"
jq '.vulnerabilities[] | "- \(.package_name) \(.installed_version): \(.vulnerability_id)"' safety-report.json
else
echo "✅ No dependency vulnerabilities found"
fi
fi
fi
# Check Bandit results
if [ -f bandit-report.json ]; then
high_severity=$(jq '.results[] | select(.issue_severity == "HIGH") | length' bandit-report.json 2>/dev/null | wc -l)
if [ "$high_severity" -gt 0 ]; then
echo "⚠️ Found $high_severity high-severity security issues"
else
echo "✅ No high-severity security issues found"
# Check Bandit results
if [ -f bandit-report.json ]; then
high_severity=$(jq '.results[] | select(.issue_severity == "HIGH") | length' bandit-report.json 2>/dev/null | wc -l)
if [ "$high_severity" -gt 0 ]; then
echo "⚠️ Found $high_severity high-severity security issues"
else
echo "✅ No high-severity security issues found"
fi
fi
fi
# Docker image security scan
docker-security-scan:
@@ -88,56 +90,76 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
- name: Build Docker image for scanning
run: |
docker build -t ping-river-monitor:scan .
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ping-river-monitor:scan'
format: 'json'
output: 'trivy-report.json'
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
scan-ref: '.'
format: 'json'
output: 'trivy-fs-report.json'
- name: Upload Trivy reports
uses: actions/upload-artifact@v3
with:
name: trivy-reports-${{ github.run_number }}
path: |
trivy-report.json
trivy-fs-report.json
- name: Check Trivy results
run: |
echo "🔍 Analyzing Docker security scan results..."
if [ -f trivy-report.json ]; then
critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
echo "Critical vulnerabilities: $critical_vulns"
echo "High vulnerabilities: $high_vulns"
if [ "$critical_vulns" -gt 0 ]; then
echo "❌ Critical vulnerabilities found in Docker image!"
exit 1
elif [ "$high_vulns" -gt 5 ]; then
echo "⚠️ Many high-severity vulnerabilities found"
- name: Check GitHub token availability
run: |
if [ -z "${{ secrets.GITHUB_TOKEN }}" ]; then
echo "⚠️ GITHUB_TOKEN not configured. Trivy scans may fail due to rate limits."
echo "💡 To fix: Add GITHUB_TOKEN secret in repository settings"
else
echo "✅ Docker image security scan passed"
echo "✅ GITHUB_TOKEN is configured"
fi
- name: Build Docker image for scanning
run: |
docker build -t ping-river-monitor:scan .
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: "ping-river-monitor:scan"
format: "json"
output: "trivy-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
- name: Run Trivy filesystem scan
uses: aquasecurity/trivy-action@master
with:
scan-type: "fs"
scan-ref: "."
format: "json"
output: "trivy-fs-report.json"
github-token: ${{ secrets.GITHUB_TOKEN }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
continue-on-error: true
- name: Upload Trivy reports
uses: actions/upload-artifact@v3
if: always()
with:
name: trivy-reports-${{ github.run_number }}
path: |
trivy-report.json
trivy-fs-report.json
- name: Check Trivy results
run: |
echo "🔍 Analyzing Docker security scan results..."
if [ -f trivy-report.json ]; then
critical_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "CRITICAL") | length' trivy-report.json 2>/dev/null | wc -l)
high_vulns=$(jq '.Results[]?.Vulnerabilities[]? | select(.Severity == "HIGH") | length' trivy-report.json 2>/dev/null | wc -l)
echo "Critical vulnerabilities: $critical_vulns"
echo "High vulnerabilities: $high_vulns"
if [ "$critical_vulns" -gt 0 ]; then
echo "❌ Critical vulnerabilities found in Docker image!"
exit 1
elif [ "$high_vulns" -gt 5 ]; then
echo "⚠️ Many high-severity vulnerabilities found"
else
echo "✅ Docker image security scan passed"
fi
fi
fi
# License compliance check
license-check:
@@ -145,44 +167,44 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pip-licenses
run: |
python -m pip install --upgrade pip
pip install pip-licenses
pip install -r requirements.txt
- name: Install pip-licenses
run: |
python -m pip install --upgrade pip
pip install pip-licenses
pip install -r requirements.txt
- name: Check licenses
run: |
echo "📄 Checking dependency licenses..."
pip-licenses --format=json --output-file=licenses.json
pip-licenses --format=markdown --output-file=licenses.md
- name: Check licenses
run: |
echo "📄 Checking dependency licenses..."
pip-licenses --format=json --output-file=licenses.json
pip-licenses --format=markdown --output-file=licenses.md
# Check for problematic licenses
problematic_licenses=("GPL" "AGPL" "LGPL")
# Check for problematic licenses
problematic_licenses=("GPL" "AGPL" "LGPL")
for license in "${problematic_licenses[@]}"; do
if grep -i "$license" licenses.json; then
echo "⚠️ Found potentially problematic license: $license"
fi
done
for license in "${problematic_licenses[@]}"; do
if grep -i "$license" licenses.json; then
echo "⚠️ Found potentially problematic license: $license"
fi
done
echo "✅ License check completed"
echo "✅ License check completed"
- name: Upload license report
uses: actions/upload-artifact@v3
with:
name: license-report-${{ github.run_number }}
path: |
licenses.json
licenses.md
- name: Upload license report
uses: actions/upload-artifact@v3
with:
name: license-report-${{ github.run_number }}
path: |
licenses.json
licenses.md
# Dependency update check
dependency-update:
@@ -190,80 +212,80 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install pip-check-updates equivalent
run: |
python -m pip install --upgrade pip
pip install pip-review
- name: Install pip-check-updates equivalent
run: |
python -m pip install --upgrade pip
pip install pip-review
- name: Check for outdated packages
run: |
echo "📦 Checking for outdated packages..."
pip install -r requirements.txt
pip list --outdated --format=json > outdated-packages.json || true
- name: Check for outdated packages
run: |
echo "📦 Checking for outdated packages..."
pip install -r requirements.txt
pip list --outdated --format=json > outdated-packages.json || true
if [ -s outdated-packages.json ]; then
echo "📋 Outdated packages found:"
cat outdated-packages.json | jq -r '.[] | "- \(.name): \(.version) -> \(.latest_version)"'
else
echo "✅ All packages are up to date"
fi
if [ -s outdated-packages.json ]; then
echo "📋 Outdated packages found:"
cat outdated-packages.json | jq -r '.[] | "- \(.name): \(.version) -> \(.latest_version)"'
else
echo "✅ All packages are up to date"
fi
- name: Create dependency update issue
if: github.event_name == 'schedule'
run: |
if [ -s outdated-packages.json ] && [ "$(cat outdated-packages.json)" != "[]" ]; then
echo "📝 Creating dependency update issue..."
- name: Create dependency update issue
if: github.event_name == 'schedule'
run: |
if [ -s outdated-packages.json ] && [ "$(cat outdated-packages.json)" != "[]" ]; then
echo "📝 Creating dependency update issue..."
# Create issue body
cat > issue-body.md << 'EOF'
## 📦 Dependency Updates Available
# Create issue body
cat > issue-body.md << 'EOF'
## 📦 Dependency Updates Available
The following packages have updates available:
The following packages have updates available:
EOF
EOF
cat outdated-packages.json | jq -r '.[] | "- **\(.name)**: \(.version) → \(.latest_version)"' >> issue-body.md
cat outdated-packages.json | jq -r '.[] | "- **\(.name)**: \(.version) → \(.latest_version)"' >> issue-body.md
cat >> issue-body.md << 'EOF'
cat >> issue-body.md << 'EOF'
## 🔍 Security Impact
## 🔍 Security Impact
Please review each update for:
- Security fixes
- Breaking changes
- Compatibility issues
Please review each update for:
- Security fixes
- Breaking changes
- Compatibility issues
## ✅ Action Items
## ✅ Action Items
- [ ] Review changelog for each package
- [ ] Test updates in development environment
- [ ] Update requirements.txt
- [ ] Run full test suite
- [ ] Deploy to staging for validation
- [ ] Review changelog for each package
- [ ] Test updates in development environment
- [ ] Update requirements.txt
- [ ] Run full test suite
- [ ] Deploy to staging for validation
---
*This issue was automatically created by the security workflow.*
EOF
---
*This issue was automatically created by the security workflow.*
EOF
echo "Issue body created. In a real implementation, you would create a Gitea issue here."
cat issue-body.md
fi
echo "Issue body created. In a real implementation, you would create a Gitea issue here."
cat issue-body.md
fi
- name: Upload dependency reports
uses: actions/upload-artifact@v3
with:
name: dependency-reports-${{ github.run_number }}
path: |
outdated-packages.json
issue-body.md
- name: Upload dependency reports
uses: actions/upload-artifact@v3
with:
name: dependency-reports-${{ github.run_number }}
path: |
outdated-packages.json
issue-body.md
# Code quality metrics
code-quality:
@@ -271,50 +293,50 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Set up Python
uses: actions/setup-python@v4
with:
python-version: ${{ env.PYTHON_VERSION }}
- name: Install quality tools
run: |
python -m pip install --upgrade pip
pip install radon xenon vulture
pip install -r requirements.txt
- name: Install quality tools
run: |
python -m pip install --upgrade pip
pip install radon xenon vulture
pip install -r requirements.txt
- name: Calculate code complexity
run: |
echo "📊 Calculating code complexity..."
radon cc src/ --json > complexity-report.json
radon mi src/ --json > maintainability-report.json
- name: Calculate code complexity
run: |
echo "📊 Calculating code complexity..."
radon cc src/ --json > complexity-report.json
radon mi src/ --json > maintainability-report.json
echo "🔍 Complexity Summary:"
radon cc src/ --average
echo "🔍 Complexity Summary:"
radon cc src/ --average
echo "🔧 Maintainability Summary:"
radon mi src/
echo "🔧 Maintainability Summary:"
radon mi src/
- name: Find dead code
run: |
echo "🧹 Checking for dead code..."
vulture src/ --json > dead-code-report.json || true
- name: Find dead code
run: |
echo "🧹 Checking for dead code..."
vulture src/ --json > dead-code-report.json || true
- name: Check for code smells
run: |
echo "👃 Checking for code smells..."
xenon --max-absolute B --max-modules A --max-average A src/ || true
- name: Check for code smells
run: |
echo "👃 Checking for code smells..."
xenon --max-absolute B --max-modules A --max-average A src/ || true
- name: Upload quality reports
uses: actions/upload-artifact@v3
with:
name: code-quality-reports-${{ github.run_number }}
path: |
complexity-report.json
maintainability-report.json
dead-code-report.json
- name: Upload quality reports
uses: actions/upload-artifact@v3
with:
name: code-quality-reports-${{ github.run_number }}
path: |
complexity-report.json
maintainability-report.json
dead-code-report.json
# Security summary
security-summary:
@@ -324,63 +346,63 @@ jobs:
if: always()
steps:
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Download all artifacts
uses: actions/download-artifact@v3
- name: Generate security summary
run: |
echo "# 🔒 Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "**Scan Date:** $(date -u)" >> security-summary.md
echo "**Repository:** ${{ github.repository }}" >> security-summary.md
echo "**Commit:** ${{ github.sha }}" >> security-summary.md
echo "" >> security-summary.md
- name: Generate security summary
run: |
echo "# 🔒 Security Scan Summary" > security-summary.md
echo "" >> security-summary.md
echo "**Scan Date:** $(date -u)" >> security-summary.md
echo "**Repository:** ${{ github.repository }}" >> security-summary.md
echo "**Commit:** ${{ github.sha }}" >> security-summary.md
echo "" >> security-summary.md
echo "## 📊 Results" >> security-summary.md
echo "" >> security-summary.md
echo "## 📊 Results" >> security-summary.md
echo "" >> security-summary.md
# Dependency scan results
if [ -f security-reports-*/safety-report.json ]; then
vuln_count=$(jq '.vulnerabilities | length' security-reports-*/safety-report.json 2>/dev/null || echo "0")
if [ "$vuln_count" -eq 0 ]; then
echo "- ✅ **Dependency Scan**: No vulnerabilities found" >> security-summary.md
# Dependency scan results
if [ -f security-reports-*/safety-report.json ]; then
vuln_count=$(jq '.vulnerabilities | length' security-reports-*/safety-report.json 2>/dev/null || echo "0")
if [ "$vuln_count" -eq 0 ]; then
echo "- ✅ **Dependency Scan**: No vulnerabilities found" >> security-summary.md
else
echo "- ⚠️ **Dependency Scan**: $vuln_count vulnerabilities found" >> security-summary.md
fi
else
echo "- ⚠️ **Dependency Scan**: $vuln_count vulnerabilities found" >> security-summary.md
echo "- **Dependency Scan**: Results not available" >> security-summary.md
fi
else
echo "- ❓ **Dependency Scan**: Results not available" >> security-summary.md
fi
# Docker scan results
if [ -f trivy-reports-*/trivy-report.json ]; then
echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
else
echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
fi
# Docker scan results
if [ -f trivy-reports-*/trivy-report.json ]; then
echo "- ✅ **Docker Scan**: Completed" >> security-summary.md
else
echo "- ❓ **Docker Scan**: Results not available" >> security-summary.md
fi
# License check results
if [ -f license-report-*/licenses.json ]; then
echo "- ✅ **License Check**: Completed" >> security-summary.md
else
echo "- ❓ **License Check**: Results not available" >> security-summary.md
fi
# License check results
if [ -f license-report-*/licenses.json ]; then
echo "- ✅ **License Check**: Completed" >> security-summary.md
else
echo "- ❓ **License Check**: Results not available" >> security-summary.md
fi
# Code quality results
if [ -f code-quality-reports-*/complexity-report.json ]; then
echo "- ✅ **Code Quality**: Analyzed" >> security-summary.md
else
echo "- ❓ **Code Quality**: Results not available" >> security-summary.md
fi
# Code quality results
if [ -f code-quality-reports-*/complexity-report.json ]; then
echo "- ✅ **Code Quality**: Analyzed" >> security-summary.md
else
echo "- ❓ **Code Quality**: Results not available" >> security-summary.md
fi
echo "" >> security-summary.md
echo "## 🔗 Detailed Reports" >> security-summary.md
echo "" >> security-summary.md
echo "Detailed reports are available in the workflow artifacts." >> security-summary.md
echo "" >> security-summary.md
echo "## 🔗 Detailed Reports" >> security-summary.md
echo "" >> security-summary.md
echo "Detailed reports are available in the workflow artifacts." >> security-summary.md
cat security-summary.md
cat security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
name: security-summary-${{ github.run_number }}
path: security-summary.md
- name: Upload security summary
uses: actions/upload-artifact@v3
with:
name: security-summary-${{ github.run_number }}
path: security-summary.md