Loading...
Loading...
Compare original and translation side by side
spec: inputsspec: inputs.gitlab-ci.yml.gitlab-ci.ymlcicd-pipelines.mdcicd-pipelines.md# vX.Y.Zpermissions:latestallow_failurenode:22node:ltspython:3.13python:3on: pushbranches: [main]paths:rules:ifonly: [pushes]${{ }}run:env:github.event.*github.ref_name# vX.Y.Zpermissions:latestallow_failurenode:22node:ltspython:3.13python:3on: pushbranches: [main]paths:ifrules:only: [pushes]${{ }}run:env:github.event.*github.ref_name| Signal | Platform |
|---|---|
| GitHub Actions |
| GitLab CI/CD |
| Forgejo CI/CD |
User says "work" / "gitlab" / | GitLab CI/CD |
| User says "home" / "forgejo" / "gitea" | Forgejo CI/CD |
User says "github" / "ghcr" / | GitHub Actions |
| 识别信号 | 对应平台 |
|---|---|
| GitHub Actions |
| GitLab CI/CD |
| Forgejo CI/CD |
用户提到"work"/"gitlab"/ | GitLab CI/CD |
| 用户提到"home"/"forgejo"/"gitea" | Forgejo CI/CD |
用户提到"github"/"ghcr"/ | GitHub Actions |
references/github-actions.mdreferences/gitlab-ci.mdreferences/supply-chain.mdreferences/github-actions.mdreferences/gitlab-ci.mdreferences/supply-chain.mdlint -> test -> build -> scan -> deploylint -> test -> build -> scan -> deploy| What | Cache key | Platform notes |
|---|---|---|
| npm/bun | | GH: |
| pip | | GH: cache action. GL: cache with |
| Go | | GH: |
| Docker layers | BuildKit cache mount or registry cache | GH: |
| 缓存内容 | 缓存key | 平台说明 |
|---|---|---|
| npm/bun | | GitHub: |
| pip | | GitHub: cache action。GitLab: 缓存添加 |
| Go | | GitHub: |
| Docker层 | BuildKit缓存挂载或镜像仓库缓存 | GitHub: |
| Platform | Mechanism | Scope control |
|---|---|---|
| GitHub | Repository/org/environment secrets | Per-environment, per-repo, per-org. Deployment branches. |
| GitLab | CI/CD variables (project/group/instance) | Protected branches/tags, environments, masked in logs. |
| Forgejo | Repository/org secrets | Per-repo, per-org. No environment scoping yet. |
ps| 平台 | 实现机制 | 作用域控制 |
|---|---|---|
| GitHub | 仓库/组织/环境密钥 | 按环境、按仓库、按组织配置,支持部署分支限制。 |
| GitLab | CI/CD变量(项目/组/实例级别) | 受保护分支/标签、环境限制,日志自动掩码。 |
| Forgejo | 仓库/组织密钥 | 按仓库、按组织配置,暂不支持环境级作用域。 |
ps| Environment | Trigger | Approval |
|---|---|---|
| Dev/Preview | Every PR/MR push | None |
| Staging | Merge to main | None (auto-deploy) |
| Production | Tag or manual dispatch | Required reviewer(s) |
when: manualenvironment:environment:workflow_dispatch| 环境 | 触发条件 | 审批要求 |
|---|---|---|
| 开发/预览环境 | 每次PR/MR推送 | 无需审批 |
| Staging环境 | 合并到main分支 | 无需审批(自动部署) |
| 生产环境 | 打标签或手动触发 | 需要指定审批人 |
when: manualenvironment:environment:workflow_dispatchon.push.pathson.pull_request.pathsrules: changes: paths:compare_to: refs/heads/mainon.push.pathson.push.pathson.pull_request.pathsrules: changes: paths:compare_to: refs/heads/mainon.push.pathslibs/common/pathspaths: ['services/api/**', 'libs/common/**']libs/common/pathspaths: ['services/api/**', 'libs/common/**']paths:paths:| Feature | GitHub Actions | Forgejo Actions |
|---|---|---|
| Controls GITHUB_TOKEN scope | Not enforced -- token always has full rw (read-only for fork PRs) |
| Allows job failure without failing workflow | Not supported -- step-level only |
| Runner images | Managed | Self-hosted, typically lean Debian/Alpine |
| Action resolution | | Resolves from Forgejo mirror (configurable) |
| OIDC | | |
| Workflow call defaults | | Always empty |
| Matrix + dynamic runs-on | Supported | Supported since v14.0 |
| LXC execution | Not supported | Supported (Forgejo-specific) |
| 功能 | GitHub Actions | Forgejo Actions |
|---|---|---|
| 控制GITHUB_TOKEN的作用域 | 不生效——token始终有完整读写权限(fork PR仅为只读) |
任务级 | 允许任务失败但不标记整个工作流失败 | 不支持——仅支持步骤级配置 |
| Runner镜像 | 托管的 | 自托管,通常为精简的Debian/Alpine镜像 |
| Action解析来源 | | 从Forgejo镜像站解析(可配置) |
| OIDC | | 通过 |
| 工作流调用默认值 | 自动填充 | 始终为空 |
| 矩阵+动态runs-on | 支持 | v14.0起支持 |
| LXC执行 | 不支持 | 支持(Forgejo专属特性) |
name: CI
on:
push:
branches: [main]
pull_request:
jobs:
ci:
runs-on: docker # self-hosted runner label
container:
image: oven/bun:1.2 # pin to minor version minimum
steps:
- uses: actions/checkout@<sha> # pin to SHA; resolves from Forgejo mirror
- run: bun install --frozen-lockfile
- run: bun run lint
- run: bun run typecheck
- run: bun run testname: CI
on:
push:
branches: [main]
pull_request:
jobs:
ci:
runs-on: docker # 自托管runner标签
container:
image: oven/bun:1.2 # 至少固定到次要版本
steps:
- uses: actions/checkout@<sha> # 绑定到SHA,从Forgejo镜像站解析
- run: bun install --frozen-lockfile
- run: bun run lint
- run: bun run typecheck
- run: bun run testubuntu-latestruns-ondockerapt-get installGIT_SSL_CAINFO=/path/to/ca-bundle.crtGIT_SSL_NO_VERIFY=true${{ secrets.* }}permissions:permissions:ubuntu-latestruns-ondockerapt-get installGIT_SSL_CAINFO=/path/to/ca-bundle.crtGIT_SSL_NO_VERIFY=true${{ secrets.* }}permissions:permissions:name: Release
on:
push:
tags: ['v*']
jobs:
build-and-push:
runs-on: docker
container:
image: catthehacker/ubuntu:act-24.04 # heavier image for multi-tool needs
env:
# Prefer GIT_SSL_CAINFO with your CA cert; this bypass is a last resort
GIT_SSL_NO_VERIFY: "true" # if cert is periodically expired
steps:
- uses: actions/checkout@<sha> # pin to SHA; resolves from Forgejo mirror
- name: Login to registry
env:
TOKEN: ${{ secrets.REGISTRY_TOKEN }}
HOST: ${{ secrets.REGISTRY_HOST }}
USER: ${{ secrets.REGISTRY_USER }}
run: echo "$TOKEN" | docker login "$HOST" -u "$USER" --password-stdin
- name: Build and push
env:
REGISTRY: ${{ secrets.REGISTRY_HOST }}/${{ secrets.REGISTRY_IMAGE }}
TAG: ${{ github.ref_name }}
run: |
docker build -t "$REGISTRY:$TAG" .
docker push "$REGISTRY:$TAG"name: Release
on:
push:
tags: ['v*']
jobs:
build-and-push:
runs-on: docker
container:
image: catthehacker/ubuntu:act-24.04 # 包含更多工具的镜像,适合多工具需求场景
env:
# 优先使用GIT_SSL_CAINFO配置CA证书,该绕过方案仅为最后手段
GIT_SSL_NO_VERIFY: "true" # 证书定期过期时临时使用
steps:
- uses: actions/checkout@<sha> # 绑定到SHA,从Forgejo镜像站解析
- name: Login to registry
env:
TOKEN: ${{ secrets.REGISTRY_TOKEN }}
HOST: ${{ secrets.REGISTRY_HOST }}
USER: ${{ secrets.REGISTRY_USER }}
run: echo "$TOKEN" | docker login "$HOST" -u "$USER" --password-stdin
- name: Build and push
env:
REGISTRY: ${{ secrets.REGISTRY_HOST }}/${{ secrets.REGISTRY_IMAGE }}
TAG: ${{ github.ref_name }}
run: |
docker build -t "$REGISTRY:$TAG" .
docker push "$REGISTRY:$TAG"| PCI-DSS Req | What it means for CI/CD | Implementation |
|---|---|---|
| 6.2.1 | Secure development training + OWASP-aware processes | SAST on every PR/MR, dependency scanning, secret detection |
| 6.2.4 | Access control + change tracking | Branch protection, required reviewers, signed commits, audit logs |
| 6.3.2 | Software inventory (SBOM) | Generate SPDX/CycloneDX SBOM per release, attach to artifacts |
| 6.4.2 | Changes approved, documented, tested | Gated deployments, required approvals for prod, IaC audit trails |
| 6.5.3 | Consistent security controls across environments | Same scanning in dev/staging/prod, not just prod |
references/supply-chain.md| PCI-DSS需求 | 对CI/CD的要求 | 实现方案 |
|---|---|---|
| 6.2.1 | 安全开发培训+符合OWASP要求的流程 | 每次PR/MR执行SAST、依赖扫描、密钥检测 |
| 6.2.4 | 访问控制+变更追踪 | 分支保护、强制审批、提交签名、审计日志 |
| 6.3.2 | 软件资产清单(SBOM) | 每个版本生成SPDX/CycloneDX格式的SBOM,关联到对应制品 |
| 6.4.2 | 变更经过审批、记录、测试 | 部署门控、生产部署强制审批、IaC审计追踪 |
| 6.5.3 | 跨环境的一致安全控制 | 开发/staging/生产环境执行相同的扫描规则,而非仅在生产环境扫描 |
references/supply-chain.mdpermissions:allow_failure: true:latestrun:references/supply-chain.mdpermissions:allow_failure: true:latestrun:references/supply-chain.md@<sha>oven/bun:1.2docker:27.5@<sha>oven/bun:1.2docker:27.5references/github-actions.mdreferences/gitlab-ci.mdreferences/supply-chain.mdreferences/github-actions.mdreferences/gitlab-ci.mdreferences/supply-chain.mdreferences/cicd-pipelines.mdreferences/cicd-pipelines.mdactgitlab-ci-localactgitlab-ci-local