diff --git a/.github/workflows/stable-cicd.yaml b/.github/workflows/stable-cicd.yaml index d0c19a292..99990e181 100644 --- a/.github/workflows/stable-cicd.yaml +++ b/.github/workflows/stable-cicd.yaml @@ -14,7 +14,7 @@ # A *private* key with which we can sign artifacts. # ``OSSRH_USERNAME`` # Username for the Central Repository. -# ``OSSRH_PASSWORD`` +# ``OSSRH_USERNAME`` # Password for the Central Repository. # @@ -102,25 +102,7 @@ jobs: name: 🚢 Docker Buildx uses: docker/setup-buildx-action@v3 - - name: 🧱 Image Construction and Local Publication - uses: docker/build-push-action@v6 - with: - context: ./ - file: ./docker/Dockerfile - build-args: tar_file=${{steps.gettartag.outputs.tar_file}} - platforms: linux/amd64,linux/arm64 - push: false - load: true - tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}} - - - name: 🕵️‍♂️ Image Vulnerability Scanning - uses: anchore/scan-action@v5 - with: - fail-build: true - severity-cutoff: critical - image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}} - - - name: 🧱 Image Construction and Remote Publication + name: 🧱 Image Construction and Publication uses: docker/build-push-action@v6 with: context: ./ diff --git a/.github/workflows/unstable-cicd.yaml b/.github/workflows/unstable-cicd.yaml index 302156313..c61ad542b 100644 --- a/.github/workflows/unstable-cicd.yaml +++ b/.github/workflows/unstable-cicd.yaml @@ -14,7 +14,7 @@ # A *private* key with which we can sign artifacts. # ``OSSRH_USERNAME`` # Username for the Central Repository. -# ``OSSRH_PASSWORD`` +# ``OSSRH_USERNAME`` # Password for the Central Repository. 
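Review bot: The replaced comment line now lists ``OSSRH_USERNAME`` twice in the secrets header — once above "Username for the Central Repository." and again above "Password for the Central Repository." — so the header no longer tells a maintainer which secret holds the password; the same edit appears in the unstable-cicd.yaml hunk at line 14. Whatever the password secret is actually called in the repository settings, the line above "Password for the Central Repository." should name it (the removed line read ``OSSRH_PASSWORD``), and the name should match the `secrets.` reference presumably used further down each workflow, outside this hunk.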
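Review bot: The rewritten build step publishes the image without the `anchore/scan-action@v5` gate that previously ran between the local build and the push, so a critical-severity finding (`fail-build: true`, `severity-cutoff: critical`) no longer blocks a stable release; the unstable-cicd.yaml hunk at line 109 drops the same step and the .pre-commit-config.yaml hunk removes the grype dependency scan, leaving no vulnerability check anywhere in the pipeline. If the local-load step was dropped because `load: true` together with `platforms: linux/amd64,linux/arm64` is not supported by the buildx driver, the scan can still run on a single-platform `load: true` build before the push, or on the published `${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}}` tag after it. If instead the gate was removed because it blocked releases on findings that could not be fixed, `fail-build: false` keeps the scan as a non-blocking report rather than deleting it. The `with:` mapping of the new build step continues past the end of the hunk, so its `push` and `tags` values are not visible here.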
@@ -109,26 +109,8 @@ jobs: file: ./docker/Dockerfile build-args: tar_file=${{steps.gettar.outputs.tar_file}} platforms: linux/amd64,linux/arm64 - push: false - load: true - tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest - - - name: 🕵️‍♂️ Image Vulnerability Scanning - uses: anchore/scan-action@v5 - with: - fail-build: true - severity-cutoff: critical - image: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}} - - - name: 🧱 Image Construction and Remote Publication - uses: docker/build-push-action@v6 - with: - context: ./ - file: ./docker/Dockerfile - build-args: tar_file=${{steps.gettartag.outputs.tar_file}} - platforms: linux/amd64,linux/arm64 push: true - tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:${{steps.gettartag.outputs.image_tag}} + tags: ${{secrets.DOCKERHUB_USERNAME}}/validate:latest ... diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 4f6552315..8c598c9f9 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -17,11 +17,3 @@ repos: - --exclude-files '\.git.*' - --exclude-files '\.pre-commit-config\.yaml' - --exclude-files 'target' -- repo: local - hooks: - - id: grype-cve-scan - name: Grype Vulnerability Scan - description: Scans for dependency vulnerabilities. Fails if CRITICAL vulnerabilities detected. - entry: python3 -c "import os; import subprocess; import sys; os.environ['GRYPE_DB_AUTO_UPDATE'] = 'false'; result=subprocess.run(['grype', 'dir:.', '--fail-on', 'critical'], capture_output=True); print(result.stdout.decode()); print('CRITICAL level vulnerabilities found. To address issues, run scan via `grype dir:.`, then `git add` followed by `git commit` your fix or ignore via `git commit --no-verify`') if result.returncode != 0 else print('No CRITICAL level vulnerabilities found.'); sys.exit(result.returncode)" - language: system - verbose: true