ci: use dedicated securityscan pipeline

thegeeklab · Dec 13, 2024 · 3f3bd3a · 3f3bd3a
1 parent f52e7fa
commit 3f3bd3a
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 34 deletions.
diff --git a/.woodpecker/build-container.yml b/.woodpecker/build-container.yml
@@ -1,34 +1,11 @@
 ---
 when:
-  - event: [pull_request, tag]
+  - event: [tag]
   - event: [push, manual]
     branch:
       - ${CI_REPO_DEFAULT_BRANCH}
 
 steps:
-  - name: security-build
-    image: quay.io/thegeeklab/wp-docker-buildx:6
-    settings:
-      containerfile: Containerfile.multiarch
-      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
-      repo: ${CI_REPO}
-      registry_config:
-        from_secret: DOCKER_REGISTRY_CONFIG_PULL
-
-  - name: security-scan
-    image: docker.io/aquasec/trivy
-    depends_on: [security-build]
-    commands:
-      - trivy -v
-      - trivy image --input oci/${CI_REPO_NAME}
-    environment:
-      TRIVY_EXIT_CODE: "1"
-      TRIVY_IGNORE_UNFIXED: "true"
-      TRIVY_NO_PROGRESS: "true"
-      TRIVY_SEVERITY: HIGH,CRITICAL
-      TRIVY_TIMEOUT: 1m
-      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
-
   - name: publish-dockerhub
     image: quay.io/thegeeklab/wp-docker-buildx:6
     depends_on: [security-scan]
@@ -44,11 +21,6 @@ steps:
       repo: ${CI_REPO}
       username:
         from_secret: docker_username
-    when:
-      - event: [tag]
-      - event: [push, manual]
-        branch:
-          - ${CI_REPO_DEFAULT_BRANCH}
 
   - name: publish-quay
     image: quay.io/thegeeklab/wp-docker-buildx:6
@@ -66,11 +38,6 @@ steps:
       repo: quay.io/${CI_REPO}
       username:
         from_secret: quay_username
-    when:
-      - event: [tag]
-      - event: [push, manual]
-        branch:
-          - ${CI_REPO_DEFAULT_BRANCH}
 
 depends_on:
   - test
diff --git a/.woodpecker/securityscan.yml b/.woodpecker/securityscan.yml
@@ -0,0 +1,33 @@
+---
+when:
+  - event: [pull_request, tag]
+  - event: [push, manual]
+    branch:
+      - ${CI_REPO_DEFAULT_BRANCH}
+
+steps:
+  - name: security-build
+    image: quay.io/thegeeklab/wp-docker-buildx:6
+    settings:
+      containerfile: Containerfile.multiarch
+      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
+      repo: ${CI_REPO}
+      registry_config:
+        from_secret: DOCKER_REGISTRY_CONFIG_PULL
+
+  - name: security-scan
+    image: docker.io/aquasec/trivy
+    depends_on: [security-build]
+    commands:
+      - trivy -v
+      - trivy image --input oci/${CI_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: "1"
+      TRIVY_IGNORE_UNFIXED: "true"
+      TRIVY_NO_PROGRESS: "true"
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
+
+depends_on:
+  - test