diff --git a/.gitea/workflows/ci.yml b/.gitea/workflows/ci.yml
index 336be9c..74b403b 100644
--- a/.gitea/workflows/ci.yml
+++ b/.gitea/workflows/ci.yml
@@ -90,12 +90,12 @@ jobs:
 - name: Check out code
 uses: actions/checkout@v4
- - name: Install system Python and pip
+ - name: Bootstrap pip (no apt — act runner hits bullseye GPG errors)
 run: |
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip python3-yaml ca-certificates
 python3 --version
- pip3 --version
+ curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
+ python3 /tmp/get-pip.py --disable-pip-version-check
+ python3 -m pip --version
 - name: Configure CI Ansible (no vault, localhost inventory)
 run: |
@@ -123,7 +123,7 @@ jobs:
 echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
 - name: Install Ansible and linting tools
- run: pip3 install --no-cache-dir ansible ansible-lint yamllint pyyaml
+ run: python3 -m pip install --no-cache-dir ansible ansible-lint yamllint pyyaml
 - name: Install Ansible collections
 run: |
@@ -193,10 +193,10 @@ jobs:
 - name: Scan Python dependencies
 run: |
 if [ -f requirements.txt ]; then
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip
- pip3 install --no-cache-dir pip-audit
- pip-audit -r requirements.txt
+ curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
+ python3 /tmp/get-pip.py --disable-pip-version-check
+ python3 -m pip install --no-cache-dir pip-audit
+ python3 -m pip-audit -r requirements.txt
 else
 echo "No requirements.txt, skipping pip-audit"
 fi
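Review bot: The new Bootstrap step swaps apt's signature-checked packages for `curl -fsSL https://bootstrap.pypa.io/get-pip.py` followed by `python3 /tmp/get-pip.py`, which executes whatever that URL serves with no integrity check at all — the GPG errors that motivated the change are a reason to repair the apt keyring, not to drop verification entirely. bootstrap.pypa.io is a moving target (its content changes with each pip release), so a checksum pin needs an immutable source: fetch get-pip.py from the pypa/get-pip repository at a specific commit and verify its SHA-256 before running it, failing the step on mismatch. The `<commit-sha>` and `<sha256 …>` values below are placeholders to be filled from the revision you pin, not real values. The same unverified bootstrap is repeated in the other jobs touched by this commit and should get the same treatment.
```yaml
- name: Bootstrap pip (no apt — act runner hits bullseye GPG errors)
  env:
    # Pin to an immutable revision; bootstrap.pypa.io changes on every pip release.
    GET_PIP_URL: "https://raw.githubusercontent.com/pypa/get-pip/<commit-sha>/public/get-pip.py"
    GET_PIP_SHA256: "<sha256 of get-pip.py at that revision>"
  run: |
    set -euo pipefail
    curl -fsSL "$GET_PIP_URL" -o /tmp/get-pip.py
    # Refuse to execute the script if it is not byte-for-byte the reviewed revision.
    echo "${GET_PIP_SHA256}  /tmp/get-pip.py" | sha256sum -c -
    python3 /tmp/get-pip.py --disable-pip-version-check
    python3 -m pip --version
```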
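Review bot: `python3 -m pip-audit -r requirements.txt` cannot work: `-m` takes an importable module name, and the pip-audit distribution installs the package `pip_audit`, so the interpreter exits with `No module named pip-audit` and the dependency scan never runs (the step fails closed, but audits nothing). Change the line to `python3 -m pip_audit -r requirements.txt`, or invoke the `pip-audit` console script as the removed line did. The scanner is also itself fetched unpinned through the same unverified get-pip.py bootstrap as the other jobs; pinning the pip-audit version and checksum-verifying get-pip.py before it runs keeps the auditor's own supply chain at least as trustworthy as what it audits.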
@@ -212,13 +212,14 @@ jobs:
 - name: Check out code
 uses: actions/checkout@v4
- - name: Install system Python and pip
+ - name: Bootstrap pip (no apt)
 run: |
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
+ python3 --version
+ curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
+ python3 /tmp/get-pip.py --disable-pip-version-check
 - name: Install Semgrep
- run: pip3 install --no-cache-dir semgrep
+ run: python3 -m pip install --no-cache-dir semgrep
 - name: Run Semgrep scan
 run: semgrep --config=auto --error
@@ -257,13 +258,14 @@ jobs:
 - name: Check out code
 uses: actions/checkout@v4
- - name: Install system Python and pip
+ - name: Bootstrap pip (no apt)
 run: |
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
+ python3 --version
+ curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
+ python3 /tmp/get-pip.py --disable-pip-version-check
 - name: Install Ansible
- run: pip3 install --no-cache-dir ansible
+ run: python3 -m pip install --no-cache-dir ansible
 - name: Validate vault files are encrypted
 run: |
@@ -306,10 +308,11 @@ jobs:
 - name: Check out code
 uses: actions/checkout@v4
- - name: Install system Python and pip
+ - name: Bootstrap pip (no apt)
 run: |
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq python3 python3-pip ca-certificates
+ python3 --version
+ curl -fsSL https://bootstrap.pypa.io/get-pip.py -o /tmp/get-pip.py
+ python3 /tmp/get-pip.py --disable-pip-version-check
 - name: Configure CI Ansible (no vault, localhost inventory)
 run: |
@@ -367,7 +370,7 @@ jobs:
 echo "ANSIBLE_INVENTORY=/tmp/ci-inventory.ini" >> "$GITHUB_ENV"
 - name: Install Ansible
- run: pip3 install --no-cache-dir ansible
+ run: python3 -m pip install --no-cache-dir ansible
 - name: Install Ansible collections
 run: |
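Review bot: The `curl -fsSL https://bootstrap.pypa.io/get-pip.py` / `python3 /tmp/get-pip.py` pair is copy-pasted verbatim into this job and the two further jobs below it, with no integrity check in any copy, so every job independently executes unverified network content and a future hardening of one copy will likely miss the others. Move the bootstrap into one shared step (a composite action or a checked-in script) that pins get-pip.py to an immutable revision and verifies it with `echo "${GET_PIP_SHA256}  /tmp/get-pip.py" | sha256sum -c -` before execution, then call that from each job. Semgrep is then installed floating from this bootstrapped pip; pin it, e.g. `run: python3 -m pip install --no-cache-dir semgrep==<version>`, so the scanner behind the `--error` gate does not change underneath the build — `--config=auto` already pulls rules from the network at run time and is worth the same scrutiny, though that line is unchanged by this commit.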
@@ -411,8 +414,6 @@ jobs:
 continue-on-error: true
 run: |
 set -e
- apt-get update -qq
- DEBIAN_FRONTEND=noninteractive apt-get install -y -qq curl ca-certificates
 # Use a fixed, known-good Trivy version to avoid URL/redirect issues
 TRIVY_VERSION="0.58.2"
 TRIVY_URL="https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
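Review bot: Dropping the `curl ca-certificates` install makes this step depend on the runner image already shipping both, and because the step carries `continue-on-error: true` a missing curl, or a TLS failure from an absent CA bundle, turns the Trivy scan into a silent no-op with the job still green. Either remove `continue-on-error: true` so a broken download fails the job, or fail loudly up front with `command -v curl >/dev/null || { echo "::error::curl not available, Trivy scan skipped"; exit 1; }` and surface that in the job summary so a skipped scan is never mistaken for a clean one. Pinning `TRIVY_VERSION="0.58.2"` is good; if the download following this hunk does not compare the tarball against the checksums file Trivy publishes with each release, add that comparison before extracting — the rest of the step lies outside this hunk.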