Image for CI runner, with docker + node
laurent c70c912c40
feat(ci): weekly rebuild of the CI images (schedule Sun 3h UTC)
2026-03-16 13:49:11 +00:00

ci-runner

Custom Docker images for Forgejo CI runners, built with internal CA certificate trust and pinned dependencies.

Purpose

This repository builds and publishes reusable Docker images for CI/CD pipelines running on self-hosted Forgejo infrastructure. All images have the internal lab CA certificate (ca.lab.lan:9000/roots.pem) baked in, so they can talk to internal services over TLS, and the scanning pipeline has no dependency on Docker Hub.

Registry: git.paradoxe.dev/infra/

Images

All images are based on Alpine Linux 3.23 for minimal attack surface and size.

1. ci-docker-node

Path: images/docker-node/
Base: docker:29.1.4-cli-alpine3.23
Purpose: Base runner image for Docker CLI and Node.js jobs

Includes:

  • Docker CLI (29.1.4)
  • Node.js + npm
  • git, bash, curl, jq, tar, zip, openssl, openssh-client
  • Internal CA certificate

Use cases:

  • runs-on: docker jobs requiring Docker CLI
  • runs-on: node jobs for npm/Node.js builds
  • General-purpose CI tasks with Docker + Node tooling

2. ci-trivy

Path: images/trivy/
Base: alpine:3.23
Purpose: Vulnerability scanner (pinned version)

Includes:

  • Trivy scanner (v0.62.0, pinned via ARG TRIVY_VERSION)
  • git, curl, ca-certificates
  • Internal CA certificate

Use cases:

  • Container image scanning (trivy image)
  • Filesystem scanning (trivy fs)
  • SBOM generation
  • Replaces aquasec/trivy:latest pulls from Docker Hub

Special role: Built first in the pipeline, then used to scan all other images (self-scanning + dependency scanning).


3. ci-compose-tools

Path: images/compose-tools/
Base: alpine:3.23
Purpose: Docker Compose validation and linting

Includes:

  • docker-compose
  • python3 + py3-yaml
  • jq, bash, git, curl
  • Internal CA certificate

Use cases:

  • Validating compose.yml syntax
  • Linting Docker Compose files
  • Compose-based deployment checks

4. ci-renovate

Path: images/renovate/
Base: node:22-alpine3.23
Purpose: Renovate dependency bot (pinned version)

Includes:

  • Renovate (v39, pinned via ARG RENOVATE_VERSION)
  • Node.js 22, npm
  • git, bash, python3, curl
  • Internal CA certificate

Use cases:

  • Automated dependency updates
  • Multi-platform dependency scanning (npm, Docker, GitHub Actions, etc.)

Build Workflow

File: .forgejo/workflows/build.yml
Trigger: Push to main or tags v*
Runner: bootstrap (privileged runner with Docker access)

Build sequence

  1. build-trivy job (runs first):

    • Builds ci-trivy:latest and ci-trivy:<sha>
    • Self-scans the freshly built image with Trivy
    • Fails on HIGH/CRITICAL vulnerabilities
  2. build-images matrix job (runs in parallel after trivy):

    • Builds ci-docker-node, ci-compose-tools, ci-renovate
    • Each image scanned by git.paradoxe.dev/infra/ci-trivy:latest
    • Fails on HIGH/CRITICAL vulnerabilities

All images are tagged with both :latest and :${{ github.sha }} for version pinning.
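As an added illustration (not code from this repository), the HIGH/CRITICAL gate that both jobs apply, implemented over a Trivy JSON report so the job log lists exactly which findings blocked the build; the report below is constructed, and the CI jobs themselves invoke the scanner directly.

```python
import json
from collections import Counter

BLOCKING = {"HIGH", "CRITICAL"}   # severities that fail the job

# Constructed sample in Trivy's JSON report layout (SchemaVersion 2), not a
# real scan. A Result without "Vulnerabilities" is how Trivy reports a clean
# target, so the gate must tolerate the key being absent or null.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "git.paradoxe.dev/infra/ci-trivy:latest",
    "Results": [
        {"Target": "ci-trivy (alpine 3.23)", "Class": "os-pkgs",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libcrypto3",
              "InstalledVersion": "3.0.0-r0", "FixedVersion": "3.0.0-r1",
              "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.36.0-r0", "FixedVersion": "",
              "Severity": "MEDIUM"}]},
        {"Target": "usr/local/bin/trivy", "Class": "lang-pkgs"},
    ],
})


def summarize(report_json):
    """Return (Counter of findings per severity, list of blocking findings)."""
    report = json.loads(report_json)
    counts, blocking = Counter(), []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            sev = str(vuln.get("Severity", "UNKNOWN")).upper()
            counts[sev] += 1
            if sev in BLOCKING:
                blocking.append((vuln["VulnerabilityID"], vuln["PkgName"],
                                 sev, vuln.get("FixedVersion") or "unfixed"))
    return counts, blocking


def gate(report_json):
    """Exit status for the CI step: 1 if any HIGH/CRITICAL finding, else 0."""
    return 1 if summarize(report_json)[1] else 0


if __name__ == "__main__":
    counts, blocking = summarize(SAMPLE_REPORT)
    print("findings by severity:", dict(counts))
    for vid, pkg, sev, fixed in blocking:
        print(f"BLOCKING {sev}: {vid} in {pkg} (fixed in {fixed})")
    raise SystemExit(gate(SAMPLE_REPORT))
```

A report in this layout is what `trivy image --format json` writes, so the same function can be run against the output of the ci-trivy image.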

Zero Docker Hub dependency

All security scans use git.paradoxe.dev/infra/ci-trivy:latest instead of pulling aquasec/trivy:latest from Docker Hub. This ensures:

  • No external registry rate limits
  • No untrusted external images in security pipeline
  • Full control over scanner version and updates

Secrets Required

The build workflow requires two Forgejo secrets:

Secret                  Purpose
FORGEJO_GIT_TOKEN       Git clone authentication (https clone with token)
FORGEJO_REGISTRY_TOKEN  Docker registry push authentication (docker login git.paradoxe.dev)

Both secrets must be configured at the repository level in Forgejo.


Updating Pinned Versions

Trivy

Edit images/trivy/Dockerfile:

ARG TRIVY_VERSION=0.62.0  # Update this version

Commit and push to main. The build workflow will automatically build and test the new version.

Renovate

Edit images/renovate/Dockerfile:

ARG RENOVATE_VERSION=39  # Update this version

Alternatively, configure Renovate bot to auto-update this ARG line (recommended).

Docker CLI (docker-node)

Edit images/docker-node/Dockerfile:

FROM docker:29.1.4-cli-alpine3.23  # Update this tag

Check available versions at Docker Hub docker:cli tags.
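Because every image here relies on a pinned base tag and a pinned ARG version, a pre-commit check that refuses an unpinned FROM or an ARG without a default catches a bad edit before the workflow rebuilds. This is added example code, not part of the repository; the Dockerfile excerpts are constructed from the pins listed above and the images/bad/ path is a deliberately broken stand-in.

```python
import re

# Constructed excerpts mirroring the README's pins (not the real files);
# images/bad/Dockerfile is a hypothetical violator used to show the failures.
DOCKERFILES = {
    "images/trivy/Dockerfile": (
        "FROM alpine:3.23\n"
        "ARG TRIVY_VERSION=0.62.0\n"
        "COPY roots.pem /usr/local/share/ca-certificates/lab-ca.crt\n"
    ),
    "images/docker-node/Dockerfile": "FROM docker:29.1.4-cli-alpine3.23\n",
    "images/renovate/Dockerfile": (
        "FROM node:22-alpine3.23\n"
        "ARG RENOVATE_VERSION=39\n"
    ),
    "images/bad/Dockerfile": "FROM alpine:latest\nARG TRIVY_VERSION\n",
}

# First token after FROM (skipping an optional --platform flag); the stage alias
# after AS is ignored. ARG lines ending in _VERSION must carry a default.
FROM_RE = re.compile(r"^FROM\s+(?:--platform=\S+\s+)?(\S+)", re.I | re.M)
ARG_RE = re.compile(r"^ARG\s+(\w*_VERSION)(?:=(\S*))?", re.I | re.M)


def check_pins(text):
    """Return the list of pin violations in one Dockerfile (empty if clean)."""
    problems = []
    for ref in FROM_RE.findall(text):
        if ref.startswith("$"):          # FROM ${BASE}: cannot verify statically
            problems.append(f"base image taken from a variable: {ref}")
            continue
        if "@sha256:" in ref:            # digest pin is the strongest form
            continue
        last = ref.rsplit("/", 1)[-1]    # strip registry/namespace before the tag
        tag = last.partition(":")[2]
        if not tag or tag == "latest":
            problems.append(f"unpinned base image: {ref}")
    for arg, value in ARG_RE.findall(text):
        if not value:
            problems.append(f"{arg} has no default value")
    return problems


def check_all(files):
    """Map each Dockerfile path to its violations; a clean tree maps to []s."""
    return {path: check_pins(text) for path, text in files.items()}
```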


Consuming Repositories

These images are used by:

  • debian-services:

    • ci-compose-tools — docker-best-practices.yml, security-scan.yml
    • ci-trivy — security-scan.yml
    • ci-renovate — renovate.yaml
  • paniero:

    • ci-trivy — trivy-staging, trivy-production jobs

Maintenance

  • Review Trivy version quarterly for new vulnerability detections
  • Update Renovate version when new major versions are released
  • Monitor Alpine base image security advisories
  • Rebuild all images when CA certificate is rotated

License

Internal infrastructure project. Not for public distribution.