ci: add trivy and replace deprecated workflow syntax

.woodpecker/build-container.yml

@@ -12,22 +12,31 @@ steps:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry build
 
-  - name: dryrun
+  - name: security-build
     image: quay.io/thegeeklab/wp-docker-buildx:5
+    depends_on: [build]
     settings:
       containerfile: Containerfile.multiarch
-      dry_run: true
-      platforms:
-        - linux/amd64
-        - linux/arm64
-      provenance: false
+      output: type=oci,dest=oci/${CI_REPO_NAME},tar=false
       repo: ${CI_REPO}
-    when:
-      - event: [pull_request]
+
+  - name: security-scan
+    image: docker.io/aquasec/trivy
+    depends_on: [security-build]
+    commands:
+      - trivy -v
+      - trivy image --input oci/${CI_REPO_NAME}
+    environment:
+      TRIVY_EXIT_CODE: "1"
+      TRIVY_IGNORE_UNFIXED: "true"
+      TRIVY_NO_PROGRESS: "true"
+      TRIVY_SEVERITY: HIGH,CRITICAL
+      TRIVY_TIMEOUT: 1m
+      TRIVY_DB_REPOSITORY: docker.io/aquasec/trivy-db:2
 
   - name: publish-dockerhub
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: [security-scan]
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch
@@ -48,7 +57,7 @@ steps:
 
   - name: publish-quay
     image: quay.io/thegeeklab/wp-docker-buildx:5
-    group: container
+    depends_on: security-scan
     settings:
       auto_tag: true
       containerfile: Containerfile.multiarch

.woodpecker/build-package.yml

@@ -40,11 +40,11 @@ steps:
 
   - name: publish-pypi
     image: docker.io/library/python:3.12
-    secrets:
-      - source: pypi_password
-        target: POETRY_HTTP_BASIC_PYPI_PASSWORD
-      - source: pypi_username
-        target: POETRY_HTTP_BASIC_PYPI_USERNAME
+    environment:
+      POETRY_HTTP_BASIC_PYPI_PASSWORD:
+        from_secret: pypi_password
+      POETRY_HTTP_BASIC_PYPI_USERNAME:
+        from_secret: pypi_username
     commands:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry publish -n

.woodpecker/docs.yml

@@ -13,38 +13,41 @@ steps:
 
   - name: markdownlint
     image: quay.io/thegeeklab/markdownlint-cli
-    group: test
+    depends_on: [assets]
     commands:
       - markdownlint 'README.md' 'CONTRIBUTING.md'
 
   - name: spellcheck
     image: quay.io/thegeeklab/alpine-tools
-    group: test
+    depends_on: [assets]
     commands:
       - spellchecker --files 'docs/**/*.md' 'README.md' 'CONTRIBUTING.md' -d .dictionary -p spell indefinite-article syntax-urls
     environment:
       FORCE_COLOR: "true"
 
   - name: link-validation
     image: docker.io/lycheeverse/lychee
-    group: test
+    depends_on: [assets]
     commands:
       - lychee --no-progress --format detailed docs/content README.md
 
   - name: build
     image: quay.io/thegeeklab/hugo:0.133.0
+    depends_on: [link-validation]
     commands:
       - hugo --panicOnWarning -s docs/
 
   - name: beautify
     image: quay.io/thegeeklab/alpine-tools
+    depends_on: [build]
     commands:
       - html-beautify -r -f 'docs/public/**/*.html'
     environment:
       FORCE_COLOR: "true"
 
   - name: publish
     image: quay.io/thegeeklab/wp-s3-action
+    depends_on: [beautify]
     settings:
       access_key:
         from_secret: s3_access_key
@@ -66,12 +69,12 @@ steps:
 
   - name: pushrm-dockerhub
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: docker_password
-        target: DOCKER_PASS
-      - source: docker_username
-        target: DOCKER_USER
+    depends_on: [publish]
     environment:
+      DOCKER_PASS:
+        from_secret: docker_password
+      DOCKER_USER:
+        from_secret: docker_username
       PUSHRM_FILE: README.md
       PUSHRM_SHORT: Annotation based documentation for your Ansible roles
       PUSHRM_TARGET: ${CI_REPO}
@@ -83,10 +86,10 @@ steps:
 
   - name: pushrm-quay
     image: docker.io/chko/docker-pushrm:1
-    secrets:
-      - source: quay_token
-        target: APIKEY__QUAY_IO
+    depends_on: [publish]
     environment:
+      APIKEY__QUAY_IO:
+        from_secret: quay_token
       PUSHRM_FILE: README.md
       PUSHRM_TARGET: quay.io/${CI_REPO}
     when:

.woodpecker/lint.yml

@@ -8,6 +8,7 @@ when:
 steps:
   - name: check-format
     image: docker.io/library/python:3.12
+    depends_on: []
     commands:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry install -E ansible-core
@@ -17,6 +18,7 @@ steps:
 
   - name: check-coding
     image: docker.io/library/python:3.12
+    depends_on: []
     commands:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry install -E ansible-core
@@ -26,6 +28,7 @@ steps:
 
   - name: check-jinja
     image: docker.io/library/python:3.12
+    depends_on: []
     commands:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry install -E ansible-core

.woodpecker/test.yml

@@ -7,7 +7,7 @@ when:
 
 variables:
   - &pytest_base
-    group: pytest
+    depends_on: []
     commands:
       - pip install poetry poetry-dynamic-versioning -qq
       - poetry install -E ansible-core