Fix CI: bootstrap pip without apt on act runner.
Some checks failed
CI / skip-ci-check (pull_request) Successful in 7s
CI / lint-and-test (pull_request) Successful in 12s
CI / ansible-validation (pull_request) Failing after 6s
CI / secret-scanning (pull_request) Successful in 6s
CI / dependency-scan (pull_request) Successful in 9s
CI / sast-scan (pull_request) Failing after 6s
CI / license-check (pull_request) Successful in 11s
CI / vault-check (pull_request) Failing after 6s
CI / playbook-test (pull_request) Failing after 6s
CI / container-scan (pull_request) Successful in 6s
CI / sonar-analysis (pull_request) Failing after 3s
CI / workflow-summary (pull_request) Successful in 6s
Debian bullseye apt in Gitea act containers fails GPG signature checks; use get-pip.py + python3 -m pip instead of apt-get python3-pip.

Co-authored-by: Cursor <cursoragent@cursor.com>
parent 70af1b1355
commit 08d5cb4073
@ -90,12 +90,12 @@ jobs:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install system Python and pip
|
||||
- name: Bootstrap pip (no apt — act runner hits bullseye GPG errors)
|
||||
run: |
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip python3-yaml ca-certificates
|
||||
python3 --version
|
||||
pip3 --version
|
||||
curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
|
||||
python3 /tmp/get-pip.py --disable-pip-version-check
|
||||
python3 -m pip --version
|
||||
|
||||
- name: Configure CI Ansible (no vault, localhost inventory)
|
||||
run: |
|
||||
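Review bot: The bootstrap lines `curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py` and `python3 /tmp/get-pip.py --disable-pip-version-check` fetch a script from an unversioned URL and execute it with no integrity check, so whatever that URL serves at run time runs inside the job. Commit a reviewed copy of the script to the repository, or record its SHA-256 in the workflow and verify the download with `sha256sum -c` before running it. The commit message gives failing apt GPG signature checks as the reason for this path; the replacement should not end up with less verification than the apt install it stands in for.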
@ -123,7 +123,7 @@ jobs:
|
||||
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Install Ansible and linting tools
|
||||
run: pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml
|
||||
run: python3 -m pip install --no-cache-dir ansible ansible-lint yamllint pyyaml
|
||||
|
||||
- name: Install Ansible collections
|
||||
run: |
|
||||
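Review bot: The install line `python3 -m pip install --no-cache-dir ansible ansible-lint yamllint pyyaml` carries no version specifiers, so each CI run resolves whatever is newest on the index and lint results can change without any change in the repository. Move the list into a requirements file with exact versions, ideally generated with hashes and installed with `--require-hashes`, so that the tool set is reviewed in the same way as the playbooks it checks.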
@ -193,10 +193,10 @@ jobs:
|
||||
- name: Scan Python dependencies
|
||||
run: |
|
||||
if [ -f requirements.txt ]; then
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip
|
||||
pip3 install --no-cache-dir pip-audit
|
||||
pip-audit -r requirements.txt
|
||||
curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
|
||||
python3 /tmp/get-pip.py --disable-pip-version-check
|
||||
python3 -m pip install --no-cache-dir pip-audit
|
||||
python3 -m pip-audit -r requirements.txt
|
||||
else
|
||||
echo "No requirements.txt, skipping pip-audit"
|
||||
fi
|
||||
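Review bot: The line `python3 -m pip-audit -r requirements.txt` names a module that does not exist: the package installs the module `pip_audit` (underscore), so this invocation exits with "No module named pip-audit" as soon as a `requirements.txt` is present. Use `python3 -m pip_audit -r requirements.txt`. As written, the dependency scan only looks healthy while the `else` branch ("No requirements.txt, skipping pip-audit") is the one that runs.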
@ -212,13 +212,14 @@ jobs:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install system Python and pip
|
||||
- name: Bootstrap pip (no apt)
|
||||
run: |
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
|
||||
python3 --version
|
||||
curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
|
||||
python3 /tmp/get-pip.py --disable-pip-version-check
|
||||
|
||||
- name: Install Semgrep
|
||||
run: pip3 install --no-cache-dir semgrep
|
||||
run: python3 -m pip install --no-cache-dir semgrep
|
||||
|
||||
- name: Run Semgrep scan
|
||||
run: semgrep --config=auto --error
|
||||
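Review bot: The `curl ... get-pip.py` / `python3 /tmp/get-pip.py` pair in the "Bootstrap pip (no apt)" step is the same block pasted into several jobs in this commit, which means any later pin, checksum or URL change has to be made in every copy and one will be missed. Move it into a single script in the repository (or a reusable step) and call that from each job. The `semgrep` install on `python3 -m pip install --no-cache-dir semgrep` is also unpinned, so the rule engine behind `semgrep --config=auto --error` can change between runs.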
@ -257,13 +258,14 @@ jobs:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install system Python and pip
|
||||
- name: Bootstrap pip (no apt)
|
||||
run: |
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
|
||||
python3 --version
|
||||
curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
|
||||
python3 /tmp/get-pip.py --disable-pip-version-check
|
||||
|
||||
- name: Install Ansible
|
||||
run: pip3 install --no-cache-dir ansible
|
||||
run: python3 -m pip install --no-cache-dir ansible
|
||||
|
||||
- name: Validate vault files are encrypted
|
||||
run: |
|
||||
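Review bot: The "Bootstrap pip (no apt)" step no longer installs anything through apt, so it depends on the runner image already shipping `curl`, `python3` and a CA bundle, and nothing in the step checks for them. This job exists to run "Validate vault files are encrypted"; if the bootstrap fails, that gate never executes, and the status list on this page shows vault-check failing after 6s. Add an explicit guard at the top of the step, for example `command -v curl python3 >/dev/null || { echo "runner image lacks curl or python3"; exit 1; }`, so the cause is visible in the log rather than inferred from a short failure.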
@ -306,10 +308,11 @@ jobs:
|
||||
- name: Check out code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Install system Python and pip
|
||||
- name: Bootstrap pip (no apt)
|
||||
run: |
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
|
||||
python3 --version
|
||||
curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
|
||||
python3 /tmp/get-pip.py --disable-pip-version-check
|
||||
|
||||
- name: Configure CI Ansible (no vault, localhost inventory)
|
||||
run: |
|
||||
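Review bot: The download target `/tmp/get-pip.py` is a fixed, predictable path that is written and then executed, and the file is left in place afterwards. On a runner whose `/tmp` outlives a single job this lets a stale or pre-placed file be executed if the `curl` step is ever skipped or reordered. Write to a path from `mktemp`, and remove the file once `python3 -m pip --version` succeeds.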
@ -367,7 +370,7 @@ jobs:
|
||||
echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
|
||||
|
||||
- name: Install Ansible
|
||||
run: pip3 install --no-cache-dir ansible
|
||||
run: python3 -m pip install --no-cache-dir ansible
|
||||
|
||||
- name: Install Ansible collections
|
||||
run: |
|
||||
@ -411,8 +414,6 @@ jobs:
|
||||
continue-on-error: true
|
||||
run: |
|
||||
set -e
|
||||
apt-get update -qq
|
||||
DEBIAN_FRONTEND=noninteractive apt-get install -y -qq curl ca-certificates
|
||||
# Use a fixed, known-good Trivy version to avoid URL/redirect issues
|
||||
TRIVY_VERSION="0.58.2"
|
||||
TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
|
||||
|
||||
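Review bot: This step keeps `continue-on-error: true` while the two apt lines that installed `curl` and `ca-certificates` are gone, so if the image lacks `curl` the Trivy download from `TRIVY_URL` fails under `set -e` and the job is still reported as successful without scanning anything. Either drop `continue-on-error` for the download part, or add a check that the `trivy` binary exists and ran before the step ends. The pinned `TRIVY_VERSION="0.58.2"` is good; pairing it with a SHA-256 for the tarball recorded in the workflow would make the pin cover the content as well as the URL.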