From 1f800317159205c13410706d55a6589868fe6c55 Mon Sep 17 00:00:00 2001
From: Kelly Thomas Reardon
Date: Wed, 13 May 2026 11:11:47 -0500
Subject: [PATCH] optimized pipeline to only build the docker image once

---
 .gitea/workflows/security.yaml | 75 +++++++++++++++-------------------
 1 file changed, 33 insertions(+), 42 deletions(-)

diff --git a/.gitea/workflows/security.yaml b/.gitea/workflows/security.yaml
index ede07d5..1ce07ed 100644
--- a/.gitea/workflows/security.yaml
+++ b/.gitea/workflows/security.yaml
@@ -23,6 +23,21 @@ jobs:
 run: |
 mkdir -p security-results
+ - name: Compute image tag
+ id: tag
+ run: |
+ BRANCH="${{ gitea.ref_name }}"
+
+ if [ "$BRANCH" = "main" ]; then
+ TAG="latest"
+ elif [[ "$BRANCH" == v* ]]; then
+ TAG="$BRANCH"
+ else
+ TAG="test"
+ fi
+
+ echo "tag=$TAG" >> "$GITEA_OUTPUT"
+
 ###########################################################
 # GITLEAKS
 ###########################################################
@@ -97,7 +112,10 @@ jobs:
 - name: Build Image for scan
 run: |
 set +e
- docker build -t app:${{ gitea.sha }} .
+ docker build \
+ -t app:${{ gitea.sha }} \
+ -t blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }} \
+ .
 echo "$?" > security-results/docker-build.exit
 ###########################################################
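Review bot: `BRANCH="${{ gitea.ref_name }}"` in the new Compute image tag step splices the ref name into the script text before the shell parses it, so a branch name containing shell metacharacters would be interpreted as code rather than compared as data; supply it through the step's environment instead (`env:` with `BRANCH: ${{ gitea.ref_name }}`) and drop the assignment line so the script only ever reads `"$BRANCH"`. The same expansion is used for the derived `steps.tag.outputs.tag` in the Build Image for scan hunk and for `gitea.ref_name` inside both Notify Apprise JSON bodies in the last hunk; those should be moved into `env:` the same way. Note also that `[[ "$BRANCH" == v* ]]` matches any branch whose name begins with `v`, not only version tags, and since the step now runs in the security job it produces that tag value on every event, so a check on the full ref under `refs/tags/` would be tighter than the prefix match.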
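Review bot: Because the step keeps `set +e`, a failed `docker build` only leaves a non-zero value in `security-results/docker-build.exit`, and the new `blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }}` tag then never exists locally; the Push scanned image step added in the last hunk is gated only on `gitea.event_name == 'push'`, so it would fail on a missing image instead of being skipped deliberately. The step that consumes the exit file is outside this hunk, so if it does not already fail the job, gate the push on it, e.g. `if [ "$(cat security-results/docker-build.exit)" = "0" ]; then docker push ...; fi`, or surface the build result as a step output and reference it in the push step's `if:`.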
@@ -343,67 +361,40 @@ jobs: }" \ ${{ secrets.APPRISE_URL }} - build: - needs: security - if: ${{ gitea.event_name == 'push' }} - runs-on: ubuntu-latest - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - name: Login to Docker Hub - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - - - name: Compute image tag - id: tag + id: docker-login + if: ${{ gitea.event_name == 'push' }} run: | - BRANCH="${{ gitea.ref_name }}" + echo "${{ secrets.DOCKER_PASSWORD }}" | docker login \ + --username "${{ secrets.DOCKER_USERNAME }}" \ + --password-stdin - if [ "$BRANCH" = "main" ]; then - TAG="latest" - elif [[ "$BRANCH" == v* ]]; then - TAG="$BRANCH" - else - TAG="test" - fi - - echo "tag=$TAG" >> "$GITEA_OUTPUT" - echo "branch=$BRANCH" >> "$GITEA_OUTPUT" - - - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . - push: true - tags: blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }} + - name: Push scanned image + id: push + if: ${{ gitea.event_name == 'push' }} + run: | + docker push blinkfink182/donetick-notifier:${{ steps.tag.outputs.tag }} - name: Notify Apprise (success) - if: success() + if: ${{ success() && gitea.event_name == 'push' }} run: | curl -X POST \ -H "Content-Type: application/json" \ -d "{ \"tags\": \"all\", \"title\": \"Gitea Build Succeeded\", - \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nImage tag built successfully\" + \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nImage tag ${{ steps.tag.outputs.tag }} pushed successfully\" }" \ ${{ secrets.APPRISE_URL }} - name: Notify Apprise (failure) - if: failure() + if: ${{ failure() && (steps.docker-login.outcome == 'failure' || steps.push.outcome == 'failure') }} run: | curl -X POST \ -H "Content-Type: application/json" \ -d "{ \"tags\": \"all\", \"title\": 
\"Gitea Build Failed\", - \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ steps.tag.outputs.branch }}\\nCheck logs in Gitea\" + \"body\": \"Repo: ${{ gitea.repository }}\\nBranch: ${{ gitea.ref_name }}\\nCheck logs in Gitea\" }" \ ${{ secrets.APPRISE_URL }}