From 105efc9a477cb89b1efa3a9e5bec2ccf508b1bf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Sat, 15 Nov 2025 17:19:28 +0100
Subject: [PATCH] chore: remove GitHub workflows in favor of Gitea Actions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove .github directory as we're now using .gitea/workflows for Gitea Actions.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
.github/DOCKER_SETUP.md | 261 ------------------
.github/workflows/README.md | 344 ------------------------
.github/workflows/cleanup-images.yml | 42 ---
.github/workflows/docker-build-push.yml | 116 --------
.github/workflows/docker-scan.yml | 71 -----
5 files changed, 834 deletions(-)
delete mode 100644 .github/DOCKER_SETUP.md
delete mode 100644 .github/workflows/README.md
delete mode 100644 .github/workflows/cleanup-images.yml
delete mode 100644 .github/workflows/docker-build-push.yml
delete mode 100644 .github/workflows/docker-scan.yml

diff --git a/.github/DOCKER_SETUP.md b/.github/DOCKER_SETUP.md
deleted file mode 100644
index 1a54f87..0000000
--- a/.github/DOCKER_SETUP.md
+++ /dev/null
@@ -1,261 +0,0 @@ -# Docker & CI/CD Setup Summary - -This document summarizes all Docker and CI/CD files created for sexy.pivoine.art. - -## Files Created - -### Docker Files - -1. **`Dockerfile`** (root) - - Multi-stage build (base → builder → runner) - - Rust toolchain installation for WASM builds - - Optimized layer caching - - Non-root user for security - - Health checks included - -2. **`.dockerignore`** (root) - - Excludes unnecessary files from build context - - Optimizes build performance - -3. **`docker-compose.production.yml`** (root) - - Production orchestration - - Pre-configured to use GHCR images - - Resource limits and health checks - - Environment variable management - -4. **`.env.production.example`** (root) - - Template for all environment variables - - Documented with examples - -### Build Scripts - -5. **`build.sh`** (root) - - Convenience script for building images - - Supports tags, platforms, and pushing - - Executable (`chmod +x`) - -### Documentation - -6. **`DOCKER.md`** (root) - - Comprehensive Docker deployment guide - - Building, running, troubleshooting - - Production best practices - - Updated with GHCR information - -7. **`QUICKSTART.md`** (root) - - 5-minute quick start guide - - Docker Run and Docker Compose examples - - Common commands reference - -8. **`README.md`** (root) - **UPDATED** - - Added Docker quick start - - Added CI/CD badges - - Added documentation links - -9. **`CLAUDE.md`** (root) - **UPDATED** - - Added Docker deployment section - - Referenced DOCKER.md - -### GitHub Actions Workflows - -10. **`.github/workflows/docker-build-push.yml`** - - Builds and pushes to `ghcr.io/valknarxxx/sexy` - - Multi-platform (AMD64 + ARM64) - - Smart tagging (latest, semver, branch, SHA) - - Triggers: push to main/develop, tags, PRs, manual - - BuildKit cache for faster builds - -11. 
**`.github/workflows/docker-scan.yml`** - - Daily security scans with Trivy - - Reports to GitHub Security tab - - Scans CRITICAL and HIGH vulnerabilities - - Triggers: schedule, push to main, tags, manual - -12. **`.github/workflows/cleanup-images.yml`** - - Weekly cleanup of old images - - Keeps last 10 versions (configurable) - - Deletes untagged images - - Triggers: schedule, manual - -13. **`.github/workflows/README.md`** - - Comprehensive workflow documentation - - Setup requirements - - Usage examples - - Troubleshooting guide - -14. **`.github/DOCKER_SETUP.md`** (this file) - - Summary of all Docker/CI files - - Quick reference - -## Quick Reference - -### Image Registry - -- **Registry:** GitHub Container Registry (GHCR) -- **Image Name:** `ghcr.io/valknarxxx/sexy` -- **Tags:** - - `latest` - Latest from main branch - - `v1.0.0` - Semantic versions - - `develop` - Latest from develop branch - - `main-abc123` - Commit-specific - -### Pull & Run - -```bash -# Pull latest -docker pull ghcr.io/valknarxxx/sexy:latest - -# Run -docker run -d -p 3000:3000 --env-file .env.production ghcr.io/valknarxxx/sexy:latest - -# Or use docker-compose -docker-compose -f docker-compose.production.yml up -d -``` - -### Build Locally - -```bash -# Using script -./build.sh - -# Manual -docker build -t sexy.pivoine.art:latest . - -# Multi-platform -docker buildx build --platform linux/amd64,linux/arm64 -t sexy.pivoine.art:latest . 
-``` - -### Trigger CI/CD - -```bash -# Build and push 'latest' -git push origin main - -# Build and push version tags -git tag v1.0.0 -git push origin v1.0.0 - -# PR builds (test only, doesn't push) -git push origin feature/branch -# Create PR on GitHub -``` - -## Key Features - -### Security -- ✅ Non-root user in container -- ✅ Minimal base image (node:20.19.1-slim) -- ✅ Daily vulnerability scans -- ✅ Security reports in GitHub Security tab - -### Performance -- ✅ Multi-stage builds for smaller images -- ✅ BuildKit cache for faster builds -- ✅ Production-only dependencies -- ✅ Optimized layer caching - -### Reliability -- ✅ Health checks built-in -- ✅ dumb-init for proper signal handling -- ✅ Resource limits configurable -- ✅ Auto-restart on failure - -### Automation -- ✅ Automatic builds on push/tag -- ✅ Multi-platform support -- ✅ Smart semantic versioning -- ✅ Weekly image cleanup - -## Workflow Triggers Summary - -| Workflow | Push Main | Push Develop | Tags | PR | Schedule | Manual | -|----------|-----------|--------------|------|----|----------|--------| -| Build & Push | ✅ | ✅ | ✅ | ✅ (no push) | ❌ | ✅ | -| Security Scan | ✅ | ❌ | ✅ | ❌ | Daily 2AM | ✅ | -| Cleanup | ❌ | ❌ | ❌ | ❌ | Weekly Sun 3AM | ✅ | - -## Environment Variables - -### Required -- `PUBLIC_API_URL` - Directus API endpoint -- `PUBLIC_URL` - Frontend URL - -### Optional -- `PUBLIC_UMAMI_ID` - Analytics -- `LETTERSPACE_API_URL` - Newsletter API -- `LETTERSPACE_API_KEY` - Newsletter key -- `LETTERSPACE_LIST_ID` - Mailing list ID - -See `.env.production.example` for full reference. - -## Next Steps - -1. **Test Local Build** - ```bash - ./build.sh - docker run -d -p 3000:3000 --env-file .env.production sexy.pivoine.art:latest - ``` - -2. **Push to GitHub** - ```bash - git add . - git commit -m "Add Docker and CI/CD setup" - git push origin main - ``` - -3. 
**Monitor First Build** - - Go to GitHub Actions tab - - Watch "Build and Push Docker Image" workflow - - Wait ~30-45 minutes for multi-platform build - -4. **Test GHCR Image** - ```bash - docker pull ghcr.io/valknarxxx/sexy:latest - docker run -d -p 3000:3000 --env-file .env.production ghcr.io/valknarxxx/sexy:latest - ``` - -5. **Create First Release** - ```bash - git tag v1.0.0 - git push origin v1.0.0 - ``` - -6. **Check Security** - - Wait for daily scan or trigger manually - - Check GitHub → Security → Code scanning alerts - -## Support Resources - -- **Docker Guide:** [DOCKER.md](../DOCKER.md) -- **Quick Start:** [QUICKSTART.md](../QUICKSTART.md) -- **Development:** [CLAUDE.md](../CLAUDE.md) -- **Workflows:** [.github/workflows/README.md](workflows/README.md) - -## Troubleshooting - -### Common Issues - -1. **Build takes too long** - - Multi-platform builds take 30-45 minutes (normal) - - Consider using self-hosted runners - -2. **Permission denied on push** - - Check Settings → Actions → General → Workflow permissions - - Enable "Read and write permissions" - -3. **Image not found** - - For private repos, login to GHCR first - - Check package exists at github.com/valknarxxx?tab=packages - -4. **Container exits immediately** - - Check logs: `docker logs ` - - Verify environment variables - - Ensure port 3000 is not in use - -See [DOCKER.md](../DOCKER.md) for detailed troubleshooting. - ---- - -**Created:** 2025-10-25 -**Last Updated:** 2025-10-25 -**Status:** ✅ Ready for production diff --git a/.github/workflows/README.md b/.github/workflows/README.md deleted file mode 100644 index c2b9828..0000000 --- a/.github/workflows/README.md +++ /dev/null 
@@ -1,344 +0,0 @@ -# GitHub Actions Workflows - -This directory contains automated workflows for building, scanning, and managing Docker images for sexy.pivoine.art. - -## Workflows - -### 1. Build and Push Docker Image (`docker-build-push.yml`) - -**Triggers:** -- Push to `main` or `develop` branches -- New version tags (e.g., `v1.0.0`) -- Pull requests to `main` -- Manual trigger via workflow_dispatch - -**What it does:** -- Builds multi-platform Docker images (AMD64 + ARM64) -- Pushes to GitHub Container Registry as `ghcr.io/valknarxxx/sexy` -- Creates tags based on branch, version, and commit SHA -- Uses build cache for faster builds -- Only builds (doesn't push) for PRs - -**Image Tags:** -- `latest` - Latest build from main branch -- `main`, `develop` - Branch-based tags -- `v1.0.0`, `v1.0`, `v1` - Semantic version tags -- `main-abc123` - Branch + commit SHA -- `pr-123` - Pull request builds -- Custom tags via manual trigger - -**Usage:** - -```bash -# Automatically triggered on push to main -git push origin main - -# Create a release tag -git tag v1.0.0 -git push origin v1.0.0 - -# Manual trigger from GitHub UI -# Actions → Build and Push Docker Image → Run workflow -``` - -**Pulling images:** - -```bash -# Latest version -docker pull ghcr.io/valknarxxx/sexy:latest - -# Specific version -docker pull ghcr.io/valknarxxx/sexy:v1.0.0 - -# Specific branch -docker pull ghcr.io/valknarxxx/sexy:develop -``` - -### 2. 
Docker Image Security Scan (`docker-scan.yml`) - -**Triggers:** -- Daily at 2 AM UTC (scheduled) -- Push to `main` branch -- New version tags -- Manual trigger - -**What it does:** -- Scans the latest image for vulnerabilities using Trivy -- Reports CRITICAL and HIGH severity issues -- Uploads results to GitHub Security tab -- Runs on a schedule to detect new vulnerabilities - -**Viewing results:** -- Go to repository → Security → Code scanning alerts -- Check workflow run summary for table output - -**Manual scan:** - -```bash -# From GitHub UI -# Actions → Docker Image Security Scan → Run workflow -``` - -### 3. Cleanup Old Docker Images (`cleanup-images.yml`) - -**Triggers:** -- Weekly on Sunday at 3 AM UTC -- Manual trigger - -**What it does:** -- Removes old untagged image versions -- Keeps the 10 most recent versions by default -- Frees up GitHub Container Registry storage - -**Manual cleanup:** - -```bash -# From GitHub UI with custom retention -# Actions → Cleanup Old Docker Images → Run workflow -# Set "keep_count" parameter (default: 10) -``` - -## Setup Requirements - -### 1. Enable GitHub Container Registry - -The workflows automatically use GitHub's Container Registry (ghcr.io). No additional setup needed - the `GITHUB_TOKEN` is automatically provided to workflows. - -### 2. Repository Settings - -Ensure the following permissions are enabled: - -1. **Settings → Actions → General** - - Allow GitHub Actions: ✅ Enabled - - Workflow permissions: "Read and write permissions" - -2. **Settings → Packages** - - Package visibility will inherit from repository visibility - - Can be changed to public/private as needed - -### 3. Branch Protection (Optional) - -For production use, consider: - -1. **Settings → Branches → Branch protection rules** - - Protect `main` branch - - Require PR reviews - - Require status checks (Docker build) to pass - -## Secrets and Environment Variables - -### Required Secrets - -None! 
The workflows use the built-in `GITHUB_TOKEN` which is automatically provided. - -### Optional Secrets - -If you need to deploy to production automatically, you can add: - -- `PRODUCTION_SSH_KEY` - For SSH deployment -- `PRODUCTION_HOST` - Production server hostname -- `PRODUCTION_USER` - Production server user - -## Image Visibility - -By default, GitHub Container Registry packages inherit repository visibility: - -- **Public repository** → Public images -- **Private repository** → Private images - -To change package visibility: - -1. Go to https://github.com/users/valknarxxx/packages/container/sexy/settings -2. Change visibility under "Danger Zone" - -## Pulling Images - -### Public Images - -```bash -docker pull ghcr.io/valknarxxx/sexy:latest -``` - -### Private Images - -```bash -# 1. Create a GitHub Personal Access Token with read:packages scope -# Settings → Developer settings → Personal access tokens → Tokens (classic) -# Scopes: read:packages - -# 2. Login to GitHub Container Registry -echo $GITHUB_TOKEN | docker login ghcr.io -u USERNAME --password-stdin - -# 3. Pull the image -docker pull ghcr.io/valknarxxx/sexy:latest -``` - -## Best Practices - -### Version Tagging - -Use semantic versioning for releases: - -```bash -# Major release (breaking changes) -git tag v2.0.0 - -# Minor release (new features) -git tag v1.1.0 - -# Patch release (bug fixes) -git tag v1.0.1 - -# Always push tags -git push origin --tags -``` - -### Development Workflow - -```bash -# 1. Create feature branch -git checkout -b feature/new-feature - -# 2. Make changes and commit -git add . -git commit -m "Add new feature" - -# 3. Push and create PR -git push origin feature/new-feature -# Create PR on GitHub - this triggers a test build - -# 4. Merge to develop for staging -# Merging to develop triggers a build with 'develop' tag - -# 5. Merge to main for production -# Merging to main triggers a build with 'latest' tag - -# 6. 
Tag releases -git checkout main -git pull -git tag v1.0.0 -git push origin v1.0.0 -# This triggers a build with version tags -``` - -## Monitoring - -### Build Status - -Check workflow status: -- Repository → Actions → Select workflow -- View logs, artifacts, and summaries - -### Image Registry - -View published images: -- https://github.com/valknarxxx?tab=packages -- Or repository → Packages - -### Security Alerts - -View vulnerability scans: -- Repository → Security → Code scanning alerts -- Filter by "Trivy" tool - -## Troubleshooting - -### Build Failures - -**Problem:** Build fails at Rust installation - -**Solution:** -- Check GitHub Actions runner status -- Verify Dockerfile Rust installation steps -- Check build logs for network issues - -**Problem:** Permission denied when pushing - -**Solution:** -- Verify repository Settings → Actions → General → Workflow permissions -- Ensure "Read and write permissions" is enabled - -**Problem:** Multi-platform build timeout - -**Solution:** -- Builds can take 30-45 minutes for multi-platform -- This is normal for Rust/WASM compilation -- Consider splitting platforms or using self-hosted runners - -### Pull Failures - -**Problem:** Cannot pull private image - -**Solution:** -```bash -# Ensure you're logged in -echo $GITHUB_TOKEN | docker login ghcr.io -u valknarxxx --password-stdin - -# Verify token has read:packages scope -``` - -**Problem:** Image not found - -**Solution:** -- Check image exists: https://github.com/valknarxxx?tab=packages -- Verify tag name is correct -- Ensure you have access to private packages - -## Advanced Configuration - -### Self-Hosted Runners - -For faster builds, use self-hosted runners: - -```yaml -jobs: - build-and-push: - runs-on: self-hosted # Change from ubuntu-latest - # ... 
rest of job -``` - -### Build-time Variables - -Pass build arguments: - -```yaml -build-args: | - NODE_ENV=production - CUSTOM_VAR=value -``` - -### Deploy on Push - -Add a deployment job: - -```yaml -jobs: - deploy: - needs: build-and-push - runs-on: ubuntu-latest - if: github.ref == 'refs/heads/main' - steps: - - name: Deploy to production - # Add deployment steps -``` - -## Cost Optimization - -### Storage Limits - -GitHub provides: -- **Public repos:** Unlimited storage and bandwidth -- **Private repos:** 500MB storage, 1GB bandwidth (free tier) - -### Optimization Tips - -1. **Regular cleanup:** Run cleanup workflow weekly -2. **Limit platforms:** Build only needed architectures -3. **Use cache:** BuildKit cache reduces rebuild time -4. **Minimize layers:** Optimize Dockerfile - -### Monitoring Usage - -Check package storage: -- Settings → Billing → Packages -- View storage usage per package diff --git a/.github/workflows/cleanup-images.yml b/.github/workflows/cleanup-images.yml deleted file mode 100644 index 79d2017..0000000 --- a/.github/workflows/cleanup-images.yml +++ /dev/null 
@@ -1,42 +0,0 @@
-name: Cleanup Old Docker Images
-
-on:
- schedule:
- # Run weekly on Sunday at 3 AM UTC
- - cron: '0 3 * * 0'
- workflow_dispatch:
- inputs:
- keep_count:
- description: 'Number of recent images to keep (per tag pattern)'
- required: false
- default: '10'
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: valknarxxx/sexy
-
-jobs:
- cleanup:
- runs-on: ubuntu-latest
- permissions:
- packages: write
-
- steps:
- - name: Delete old container images
- uses: actions/delete-package-versions@v5
- with:
- package-name: 'sexy'
- package-type: 'container'
- min-versions-to-keep: ${{ github.event.inputs.keep_count || 10 }}
- delete-only-untagged-versions: 'true'
-
- - name: Generate cleanup summary
- run: |
- echo "### Docker Image Cleanup :broom:" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Registry:** \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
- echo "**Image:** \`${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
- echo "**Kept versions:** ${{ github.event.inputs.keep_count || 10 }}" >> $GITHUB_STEP_SUMMARY
- echo "**Cleanup Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "Old untagged images have been removed to free up storage." >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/docker-build-push.yml b/.github/workflows/docker-build-push.yml
deleted file mode 100644
index e889481..0000000
--- a/.github/workflows/docker-build-push.yml
+++ /dev/null
@@ -1,116 +0,0 @@
-name: Build and Push Docker Image
-
-on:
- push:
- branches:
- - main
- - develop
- tags:
- - 'v*.*.*'
- pull_request:
- branches:
- - main
- workflow_dispatch:
- inputs:
- tag:
- description: 'Custom tag for the image'
- required: false
- default: 'manual'
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: valknarxxx/sexy
-
-jobs:
- build-and-push:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: write
- id-token: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
- with:
- platforms: linux/amd64,linux/arm64
-
- - name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Extract metadata (tags, labels)
- id: meta
- uses: docker/metadata-action@v5
- with:
- images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
- tags: |
- # Tag as 'latest' for main branch
- type=raw,value=latest,enable={{is_default_branch}}
- # Tag with branch name
- type=ref,event=branch
- # Tag with PR number
- type=ref,event=pr
- # Tag with git tag (semver)
- type=semver,pattern={{version}}
- type=semver,pattern={{major}}.{{minor}}
- type=semver,pattern={{major}}
- # Tag with commit SHA
- type=sha,prefix={{branch}}-
- # Custom tag from workflow_dispatch
- type=raw,value=${{ github.event.inputs.tag }},enable=${{ github.event_name == 'workflow_dispatch' }}
- labels: |
- org.opencontainers.image.title=sexy.pivoine.art
- org.opencontainers.image.description=Adult content platform with SvelteKit, Directus, and hardware integration
- org.opencontainers.image.vendor=valknarxxx
- org.opencontainers.image.source=https://github.com/${{ github.repository }}
-
- - name: Build and push Docker image
- uses: docker/build-push-action@v5
- with:
- context: .
- platforms: linux/amd64,linux/arm64
- push: ${{ github.event_name != 'pull_request' }}
- tags: ${{ steps.meta.outputs.tags }}
- labels: ${{ steps.meta.outputs.labels }}
- cache-from: type=gha
- cache-to: type=gha,mode=max
- build-args: |
- NODE_ENV=production
- CI=true
-
- - name: Generate image digest
- if: github.event_name != 'pull_request'
- run: |
- echo "### Docker Image Published :rocket:" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Registry:** \`${{ env.REGISTRY }}\`" >> $GITHUB_STEP_SUMMARY
- echo "**Image:** \`${{ env.IMAGE_NAME }}\`" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Tags:**" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
- echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Pull command:**" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`bash" >> $GITHUB_STEP_SUMMARY
- echo "docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
-
- - name: PR Comment - Image built but not pushed
- if: github.event_name == 'pull_request'
- run: |
- echo "### Docker Image Built Successfully :white_check_mark:" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "Image was built successfully but **not pushed** (PR builds are not published)." >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Would be tagged as:**" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
- echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
- echo "\`\`\`" >> $GITHUB_STEP_SUMMARY
diff --git a/.github/workflows/docker-scan.yml b/.github/workflows/docker-scan.yml
deleted file mode 100644
index ab23b34..0000000
--- a/.github/workflows/docker-scan.yml
+++ /dev/null
@@ -1,71 +0,0 @@
-name: Docker Image Security Scan
-
-on:
- schedule:
- # Run daily at 2 AM UTC
- - cron: '0 2 * * *'
- push:
- branches:
- - main
- tags:
- - 'v*.*.*'
- workflow_dispatch:
-
-env:
- REGISTRY: ghcr.io
- IMAGE_NAME: valknarxxx/sexy
-
-jobs:
- scan:
- runs-on: ubuntu-latest
- permissions:
- contents: read
- packages: read
- security-events: write
-
- steps:
- - name: Checkout repository
- uses: actions/checkout@v4
-
- - name: Log in to GitHub Container Registry
- uses: docker/login-action@v3
- with:
- registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
- password: ${{ secrets.GITHUB_TOKEN }}
-
- - name: Pull latest image
- run: |
- docker pull ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest || echo "Image not found, will skip scan"
-
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- format: 'sarif'
- output: 'trivy-results.sarif'
- severity: 'CRITICAL,HIGH'
-
- - name: Upload Trivy results to GitHub Security
- uses: github/codeql-action/upload-sarif@v3
- if: always()
- with:
- sarif_file: 'trivy-results.sarif'
-
- - name: Run Trivy vulnerability scanner (table output)
- uses: aquasecurity/trivy-action@master
- with:
- image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- format: 'table'
- severity: 'CRITICAL,HIGH,MEDIUM'
-
- - name: Generate scan summary
- if: always()
- run: |
- echo "### Security Scan Results :shield:" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Image:** \`${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest\`" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "**Scan Date:** $(date -u '+%Y-%m-%d %H:%M:%S UTC')" >> $GITHUB_STEP_SUMMARY
- echo "" >> $GITHUB_STEP_SUMMARY
- echo "Check the Security tab for detailed vulnerability reports." >> $GITHUB_STEP_SUMMARY