ci: Refactor GitHub Actions config file (#46)
* ci: Refactor GitHub Actions config file
* ci: Upload Trivy scan results to GitHub Security tab
Tiryoh authored Mar 8, 2022
1 parent 4886c42 commit 1d0c312
Showing 2 changed files with 51 additions and 30 deletions.
19 changes: 10 additions & 9 deletions .github/workflows/deploy.yml
Expand Up @@ -20,7 +20,8 @@ jobs:
build-and-deploy:
strategy:
matrix:
ros-distro: [foxy-amd64, foxy-arm64, galactic-amd64, galactic-arm64, rolling, rolling-arm64]
ros-distro: [foxy, galactic, rolling]
arch: [arm64, amd64]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
Expand All @@ -34,8 +35,8 @@ jobs:
images: |
${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }}
tags: |
type=raw,value=${{ matrix.ros-distro }}-{{date 'YYYYMMDDTHHmm'}}
type=raw,value=${{ matrix.ros-distro }}
type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}-{{date 'YYYYMMDDTHHmm'}}
type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}
flavor: |
latest=false
prefix=
Expand All @@ -53,7 +54,7 @@ jobs:
- name: Build docker image
env:
DOCKER_TAGNAME: ${{ matrix.ros-distro }}
DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }}
run: |
cd ${DOCKER_TAGNAME%-amd64} && docker build ${{ steps.docker-build-option.outputs.labels }} -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_TAGNAME .
Expand All @@ -72,7 +73,7 @@ jobs:

- name: Publish docker image
env:
DOCKER_TAGNAME: ${{ matrix.ros-distro }}
DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }}
id: docker
run: |
TIMESTAMP=$(date '+%Y%m%dT%H%M')
Expand All @@ -97,14 +98,14 @@ jobs:
uses: Tiryoh/gha-jobid-action@v0
with:
github_token: ${{ secrets.GITHUB_TOKEN }}
job_name: build-and-deploy (${{ matrix.ros-distro }})
job_name: build-and-deploy (${{ matrix.ros-distro }}, ${{ matrix.arch }})

- name: Update GitHub wiki
env:
DOCKER_TAGNAME: ${{ matrix.ros-distro }}
DOCKER_SNAPSHOT: ${{ matrix.ros-distro }}-${{ steps.docker.outputs.timestamp }}
DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }}
DOCKER_SNAPSHOT: ${{ matrix.ros-distro }}-${{ matrix.arch }}-${{ steps.docker.outputs.timestamp }}
DOCKER_DIGEST_RAW: ${{ steps.docker.outputs.digest }}
TARGET_MD_NAME: ${{ matrix.ros-distro }}
TARGET_MD_NAME: ${{ matrix.ros-distro }}-${{ matrix.arch }}
run: |
DOCKER_DIGEST=$(echo $DOCKER_DIGEST_RAW | sed -E 's/.*@sha256:(.*)/sha256-\1/g')
DOCKER_DIGEST_SHORT=$(echo $DOCKER_DIGEST | sed -E 's/.*([0-9a-z]{12})[0-9a-z]{52}$/\1/g')
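Review bot: The build step's `cd ${DOCKER_TAGNAME%-amd64}` (hunk `-53,7 +54,7`) now encodes an undocumented layout rule: with the new `ros-distro` × `arch` matrix, amd64 builds must live in the bare `<distro>/` directory and arm64 builds in `<distro>-arm64/`, and because the matrix has no `exclude`, every distro/arch pair needs such a directory or the `cd` fails. A one-line comment above `run:` would make this explicit: `# amd64 builds use the bare <distro>/ directory, arm64 builds use <distro>-arm64/; the matrix has no exclude, so every pair needs a directory`. The same expansion is introduced in test.yml's build step, so the comment belongs there as well. The `build-and-deploy` job starts before this hunk and its `run:` script may continue past it.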
62 changes: 41 additions & 21 deletions .github/workflows/test.yml
Expand Up @@ -18,41 +18,61 @@ jobs:
build:
strategy:
matrix:
ros-distro: [foxy, foxy-arm64, galactic, galactic-arm64, rolling, rolling-arm64]
ros-distro: [foxy, galactic, rolling]
arch: [arm64, amd64]
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2

- uses: docker/setup-qemu-action@v1

- name: Prepare Docker metadata
id: meta
uses: docker/metadata-action@v3
with:
images: |
${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }}
tags: |
type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}-{{date 'YYYYMMDDTHHmm'}}
type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}
flavor: |
latest=false
prefix=
suffix=
- name: Parse docker build option
id: docker-build-option
run: |
LABELS=$(cat << EOF | grep -E "=." | sed -e "s/org\./--label org./g" | sed -e "s/--label org\(.*\)=\(.*\)$/--label org\1='\2'/g"
${{ steps.meta.outputs.labels }}
EOF
)
echo $LABELS
echo ::set-output name=labels::$LABELS
- name: Build docker image
env:
ROS_DISTRO: ${{ matrix.ros-distro }}
DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }}
run: |
cd $ROS_DISTRO && docker build -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO .
cd ${DOCKER_TAGNAME%-amd64} && docker build ${{ steps.docker-build-option.outputs.labels }} -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_TAGNAME .
- name: List docker images
run: |
mkdir -p build_log
docker image ls "$DOCKER_USERNAME/*" | tee ./build_log/docker_images.txt
- name: Install trivy
run: |
sudo apt-get install apt-transport-https gnupg
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
- name: Vulnerability Scan with Trivy
env:
ROS_DISTRO: ${{ matrix.ros-distro }}
run: |
mkdir -p build_log
trivy --exit-code 0 --severity HIGH --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO | tee ./build_log/trivy_log-HIGH.txt
trivy --exit-code 0 --severity CRITICAL --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO | tee ./build_log/trivy_log-CRITICAL.txt
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }}:${{ matrix.ros-distro }}-${{ matrix.arch }}'
exit-code: '0'
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'

- uses: actions/upload-artifact@v2
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
name: build_log-${{ matrix.ros-distro }}
path: build_log
sarif_file: 'trivy-results.sarif'
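Review bot: `uses: aquasecurity/trivy-action@master` pulls the scanner action from a mutable branch, so each run executes whatever is currently on that branch with the job's token; pinning to a released tag or, better, a full commit SHA (`uses: aquasecurity/trivy-action@<release-tag-or-commit-sha>`) keeps the scan step reproducible and reviewable, as is already done for `github/codeql-action/upload-sarif@v1`. The `List docker images` step still writes `build_log/docker_images.txt`, but the `actions/upload-artifact` step that consumed `build_log` is removed, so that output is now discarded — either drop the `mkdir`/`tee` or keep a reduced artifact upload. `upload-sarif` requires `security-events: write`; the workflow's `permissions` block, if any, is above this hunk and not visible, so confirm it grants that. With `exit-code: '0'` findings are reported to the Security tab but never fail the job, which matches the previous `--exit-code 0` behaviour. The `build` job starts before this hunk.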
