coryHawkvelt/gatehouse-api
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

ci: install versioned trivy+gitleak
Push -> develop / Build Docker images (push) Successful in 47s
Details
Push -> develop / Rolling deploy (push) Failing after 3s
Details
Push -> develop / Notify on result (push) Successful in 0s
Details

Browse Source
This commit is contained in:
sangnn
2026-06-23 01:27:55 +00:00
parent 35730d14a6
commit 47a8501885
3 changed files with 44 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
.gitea/workflows/pr-security-check.yml
+4
View File
@@ -23,6 +23,10 @@ jobs:
- name: Install Gitleaks
run: |
if command -v gitleaks >/dev/null 2>&1; then
echo "gitleaks already installed: $(gitleaks version)"
exit 0
fi
curl -sSfL \
"https://github.com/gitleaks/gitleaks/releases/download/v${GITLEAKS_VERSION}/gitleaks_${GITLEAKS_VERSION}_linux_x64.tar.gz" \
| tar xz gitleaks
deploy/ansible/group_vars/all.yml
+6
View File
@@ -18,6 +18,12 @@ act_runner_download_url: "https://gitea.com/gitea/runner/releases/download/v{{ a
# fails with "Cannot find: node in PATH". Bump this to change versions.
node_major_version: "26"
# Security scanners pre-installed on the host so workflow steps use the local
# binary instead of writing to /usr/local/bin as the runner user ("Permission
# denied"). gitleaks_version must match GITLEAKS_VERSION in pr-security-check.yml.
trivy_version: "0.71.2"
gitleaks_version: "8.30.1"
# Registration tokens come from env vars named by each project's `token_env`
# (e.g. RUNNER_TOKEN_GATEHOUSE_API). Export them on the control node before running.
# Mint from: Gitea repo → Settings → Actions → Runners → Create new runner token.
deploy/ansible/install-runner.yml
+34
View File
@@ -50,6 +50,40 @@
state: present
update_cache: true
# Security scanners used by the CI workflows. Pre-installing them (as root)
# means the workflow steps find them on PATH and skip their runtime install,
# which would otherwise fail writing to /usr/local/bin as the runner user.
- name: Check installed Trivy version
ansible.builtin.command: trivy --version
register: trivy_check
changed_when: false
failed_when: false
- name: Install Trivy {{ trivy_version }}
ansible.builtin.shell: |
set -o pipefail
curl -sSfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
| sh -s -- -b /usr/local/bin v{{ trivy_version }}
args:
executable: /bin/bash
when: trivy_version not in (trivy_check.stdout | default(''))
- name: Check installed Gitleaks version
ansible.builtin.command: gitleaks version
register: gitleaks_check
changed_when: false
failed_when: false
- name: Install Gitleaks {{ gitleaks_version }}
ansible.builtin.unarchive:
src: "https://github.com/gitleaks/gitleaks/releases/download/v{{ gitleaks_version }}/gitleaks_{{ gitleaks_version }}_linux_x64.tar.gz"
dest: /usr/local/bin
remote_src: true
include:
- gitleaks
mode: "0755"
when: gitleaks_version not in (gitleaks_check.stdout | default(''))
- name: Install runners for each project
ansible.builtin.include_tasks: tasks/install_project.yml
loop: "{{ runners }}"