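# Gitea Actions workflow (uses the `gitea.*` context): lint HTML, build the
# Docker image, then scan the built image with Trivy.
#
# Changes from the previous revision:
#   * `gitea.ref_name` is passed to the build step through `env:` instead of
#     being interpolated into the shell script. A branch name is attacker-
#     controlled text on pull_request events; `${{ }}` expansion happens before
#     the shell runs, so an unquoted expansion would be executed as shell.
#   * The built image is handed to the `security-scan` job as an artifact
#     (docker save / upload / download). `--load` only puts the image into the
#     daemon of the runner that ran `build`; a job on a fresh runner does not
#     see `ci-image:latest`. Trivy reads the tarball directly (`--input`), so
#     the Docker socket no longer needs to be mounted into the scanner.
#     NOTE(review): assumes the runner supports v4 artifact actions — confirm.
name: CI Pipeline

on:
  push:
    branches-ignore:
      - 'renovate/**'
  pull_request:
    branches:
      - dev
      - staging
      - main

env:
  REGISTRY_URL: ${{ vars.REGISTRY_URL }}
  IMAGE_NAME: ${{ vars.IMAGE_NAME }}

jobs:
  lint:
    name: HTML Lint
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      # html-validate is installed unpinned; pin a version once one is chosen.
      - name: Install html-validate
        run: npm install -g html-validate

      # Deliberately non-blocking: failures are surfaced as a notice only.
      - name: Validate HTML
        run: |
          set -euo pipefail
          html-validate src/index.html || true
          echo "::notice::HTML validation completed (non-blocking)"

  build:
    name: Build Docker Image
    runs-on: ubuntu-latest
    needs: lint
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # Layer cache keyed on the commit; older entries are restored by prefix.
      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ci-buildx-${{ gitea.sha }}
          restore-keys: |
            ci-buildx-

      # Untrusted or free-form context values enter the script only via env
      # and are always double-quoted in the shell.
      - name: Build image
        env:
          GIT_COMMIT: ${{ gitea.sha }}
          GIT_BRANCH: ${{ gitea.ref_name }}
        run: |
          set -euo pipefail
          BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")"
          docker buildx build \
            --cache-from=type=local,src=/tmp/.buildx-cache \
            --cache-to=type=local,dest=/tmp/.buildx-cache-new,mode=max \
            --load \
            --build-arg "APP_VERSION=ci-${GIT_COMMIT}" \
            --build-arg "BUILD_DATE=${BUILD_DATE}" \
            --build-arg "GIT_COMMIT=${GIT_COMMIT}" \
            --build-arg "GIT_BRANCH=${GIT_BRANCH}" \
            -t ci-image:latest \
            .

      # Swap the freshly written cache into place so the next run restores it.
      - name: Move cache
        run: |
          set -euo pipefail
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      # Export the image so a job on a different runner can scan it.
      - name: Save image for downstream jobs
        run: |
          set -euo pipefail
          docker save ci-image:latest -o /tmp/ci-image.tar

      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: ci-image
          path: /tmp/ci-image.tar
          retention-days: 1

  security-scan:
    name: Security Scan
    runs-on: ubuntu-latest
    needs: build
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: ci-image
          path: /tmp

      # Scanner image is unpinned (`latest`); pin a digest once one is chosen.
      # The tarball is mounted read-only; no Docker socket is exposed.
      # `--exit-code 1` fails the job on any unignored HIGH/CRITICAL finding;
      # `--ignore-unfixed` skips findings with no upstream fix available.
      - name: Run Trivy vulnerability scanner
        run: |
          set -euo pipefail
          docker run --rm \
            -v /tmp:/work:ro \
            aquasec/trivy:latest \
            image --input /work/ci-image.tar \
              --severity HIGH,CRITICAL --exit-code 1 --ignore-unfixed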