From 0eabc954affee4f520adcb2faf410a8e04fa6b6a Mon Sep 17 00:00:00 2001 From: Johannes Date: Mon, 22 Jun 2026 18:39:17 -0400 Subject: [PATCH] =?UTF-8?q?ci:=20rewrite=20cd-main.yml=20=E2=80=94=20produ?= =?UTF-8?q?ction=20runner,=20pre-installed=20toolchain,=20no=20deploy=20st?= =?UTF-8?q?ep?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .gitea/workflows/cd-main.yml | 27 +++++++-------------------- 1 file changed, 7 insertions(+), 20 deletions(-) diff --git a/.gitea/workflows/cd-main.yml b/.gitea/workflows/cd-main.yml index 3d0d108..b5d9825 100644 --- a/.gitea/workflows/cd-main.yml +++ b/.gitea/workflows/cd-main.yml @@ -7,7 +7,7 @@ on: jobs: build-and-deploy: - runs-on: ubuntu-latest + runs-on: production env: GIT_SSL_NO_VERIFY: "true" MAVEN_OPTS: "-Dmaven.wagon.http.ssl.insecure=true -Dmaven.wagon.http.ssl.allowall=true" @@ -16,20 +16,12 @@ jobs: - name: Checkout uses: actions/checkout@v4 + - name: Verify toolchain + run: java -version && mvn -version && trivy --version + - name: Clean runner disk run: docker system prune -f 2>/dev/null || true - - name: Install Java 21 and Maven - run: | - apt-get update -qq - apt-get install -y -qq wget apt-transport-https gnupg - wget -qO - https://packages.adoptium.net/artifactory/api/gpg/key/public | gpg --dearmor -o /usr/share/keyrings/adoptium.gpg - echo "deb [signed-by=/usr/share/keyrings/adoptium.gpg] https://packages.adoptium.net/artifactory/deb $(. /etc/os-release && echo $VERSION_CODENAME) main" | tee /etc/apt/sources.list.d/adoptium.list - apt-get update -qq - apt-get install -y -qq temurin-21-jdk maven - java -version - mvn -version - - name: Configure Maven settings run: | mkdir -p ~/.m2 @@ -73,9 +65,6 @@ jobs: - name: Build JAR run: mvn clean package -DskipTests -B - - name: Install Trivy - run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin - - name: Trivy vulnerability scan run: | trivy fs \ @@ -83,6 +72,7 @@ jobs: --severity HIGH,CRITICAL \ --ignore-unfixed \ --scanners vuln \ + --skip-db-update \ --format table \ target/ @@ -98,15 +88,12 @@ jobs: -DautoUpdate=false \ -DdataDirectory=/tmp/owasp-data \ -DsuppressionFile=deployment/owasp-suppressions.xml \ + -DassemblyAnalyzerEnabled=false \ -Dformats=HTML,JSON \ -B - name: Build and push Docker image run: | - if ! command -v docker &> /dev/null; then - apt-get update -qq && apt-get install -y -qq docker.io - fi - DOCKER_BUILDKIT=0 docker system prune -f 2>/dev/null || true export DOCKER_BUILDKIT=0 echo "${{ secrets.REGISTRY_PASSWORD }}" | \ docker login ${{ secrets.REGISTRY_URL }} \ @@ -127,4 +114,4 @@ jobs: RUN_URL="https://hiveiq-gitea.directlx.dev/hiveiq-src/hiveops-aria/actions/runs/${{ github.run_id }}" curl -s -X POST "${{ secrets.SLACK_PROD_WEBHOOK_URL }}" \ -H "Content-Type: application/json" \ - -d "{\"attachments\":[{\"color\":\"$COLOR\",\"text\":\"*<$RUN_URL|hiveops-aria CD Production — $STATUS>*\n${{ github.ref_name }} · $SHORT_SHA · ${{ github.actor }}\",\"mrkdwn_in\":[\"text\"],\"footer\":\"Gitea Actions\"}]}" + -d "{\"attachments\":[{\"color\":\"$COLOR\",\"text\":\"*<$RUN_URL|hiveops-aria CD Production — $STATUS>*\\n${{ github.ref_name }} · $SHORT_SHA · ${{ github.actor }}\",\"mrkdwn_in\":[\"text\"],\"footer\":\"Gitea Actions\"}]}"