- run scan on each push/pull request update
- can be run locally using make test_trivy_repo
- exit with error code 0/success when vulnerabilities are found, as not to make the workflow fail, a separate periodic run that exits with code 1 should be added in parallel
- update trivy to v0.43.0
- https://github.com/aquasecurity/trivy/releases/tag/v0.43.0
- also consider TRIVY_EXIT_CODE when running trivy on the latest docker image
- ref. https://github.com/shaarli/Shaarli/issues/1531
- fixes Error response from daemon: no such image: ghcr.io/***:trivy: No such image: ghcr.io/***:trivy
- introduced in https://github.com/shaarli/Shaarli/pull/1980 but the test target branch/tag was never reverted to 'latest'
- run trivy from makefile so that it can be run both locally and through github actions
- usage: make test_trivy TRIVY_TARGET_DOCKER_IMAGE=regist.ry/user/image:tag
- tested by downgrading the base image to alpine 3.15.7 and verifying that vulnerabilities are reported (https://github.com/nodiscc/Shaarli/actions/runs/4860040980/jobs/8663400103)
- TEMP/TESTING only push image to ghcr.io, run trivy on trivy branch/docker tag as well as master
- ref. https://github.com/shaarli/Shaarli/issues/1531
- push images to https://hub.docker.com/r/shaarli/shaarli/tags using a personal access token (access tokens are not available for organizations)
- push an image tagged :latest for builds on master
- push an image with the same tag as the git tag for v*.*.* tags, and for the "release" branch
- update documentation (remove references to Travis/Drone CI
- deprecate stable and master Docker tags (ref. https://github.com/shaarli/Shaarli/issues/1453)
- add deprecation notices to CHANGELOG.md
This is kind of a quick & dirty setup in order to fix our non-CI current status.
We can later decide to either improve it or fix Drone CI.
Related to #1754
