diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index d19c819..33e8e1a 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -20,7 +20,8 @@ jobs:
build-and-deploy: strategy: matrix: - ros-distro: [foxy-amd64, foxy-arm64, galactic-amd64, galactic-arm64, rolling, rolling-arm64] + ros-distro: [foxy, galactic, rolling] + arch: [arm64, amd64] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2
@@ -34,8 +35,8 @@ jobs:
images: | ${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }} tags: | - type=raw,value=${{ matrix.ros-distro }}-{{date 'YYYYMMDDTHHmm'}} - type=raw,value=${{ matrix.ros-distro }} + type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}-{{date 'YYYYMMDDTHHmm'}} + type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }} flavor: | latest=false prefix=
@@ -53,7 +54,7 @@ jobs:
- name: Build docker image env: - DOCKER_TAGNAME: ${{ matrix.ros-distro }} + DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }} run: | cd ${DOCKER_TAGNAME%-amd64} && docker build ${{ steps.docker-build-option.outputs.labels }} -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_TAGNAME .
@@ -72,7 +73,7 @@ jobs:
- name: Publish docker image env: - DOCKER_TAGNAME: ${{ matrix.ros-distro }} + DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }} id: docker run: | TIMESTAMP=$(date '+%Y%m%dT%H%M')
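Review bot: The new two-dimensional matrix only works because the build step two hunks further down relies on `cd ${DOCKER_TAGNAME%-amd64}` to map `<distro>-amd64` onto a directory named `<distro>` and `<distro>-arm64` onto one named `<distro>-arm64`, and nothing next to the matrix says so, so adding a value to `arch` (or a distro whose directory is laid out differently) fails only when `cd` runs. A comment above `matrix:` such as `# each <ros-distro>-<arch> pair needs a Dockerfile directory: <distro>/ for amd64, <distro>-arm64/ for arm64 (see "Build docker image")` would make the coupling visible. The same applies to the matrix hunk in .github/workflows/test.yml, which introduces the identical `cd` expression. Whether every combination of the product (for example `rolling-arm64`) actually has a directory cannot be checked from the diff.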
@@ -97,14 +98,14 @@ jobs:
uses: Tiryoh/gha-jobid-action@v0 with: github_token: ${{ secrets.GITHUB_TOKEN }} - job_name: build-and-deploy (${{ matrix.ros-distro }}) + job_name: build-and-deploy (${{ matrix.ros-distro }}, ${{ matrix.arch }}) - name: Update GitHub wiki env: - DOCKER_TAGNAME: ${{ matrix.ros-distro }} - DOCKER_SNAPSHOT: ${{ matrix.ros-distro }}-${{ steps.docker.outputs.timestamp }} + DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }} + DOCKER_SNAPSHOT: ${{ matrix.ros-distro }}-${{ matrix.arch }}-${{ steps.docker.outputs.timestamp }} DOCKER_DIGEST_RAW: ${{ steps.docker.outputs.digest }} - TARGET_MD_NAME: ${{ matrix.ros-distro }} + TARGET_MD_NAME: ${{ matrix.ros-distro }}-${{ matrix.arch }} run: | DOCKER_DIGEST=$(echo $DOCKER_DIGEST_RAW | sed -E 's/.*@sha256:(.*)/sha256-\1/g') DOCKER_DIGEST_SHORT=$(echo $DOCKER_DIGEST | sed -E 's/.*([0-9a-z]{12})[0-9a-z]{52}$/\1/g')
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index e9506af..2672adb 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
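Review bot: `job_name: build-and-deploy (${{ matrix.ros-distro }}, ${{ matrix.arch }})` has to reproduce, character for character, the display name GitHub generates for the matrix job, and as far as I know that generated name lists the matrix values in the order the dimensions are declared, so reordering `ros-distro` and `arch` in the `matrix:` block or adding a third dimension silently breaks the job-id lookup (gha-jobid-action would then find no job and the wiki update below would presumably run with empty outputs). A comment above the line, e.g. `# must match the job name GitHub derives from the matrix: "build-and-deploy (<ros-distro>, <arch>)", in declaration order`, pins that dependency for the next person who edits the matrix. The step sequence continues outside the hunk on both sides.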
@@ -18,41 +18,61 @@ jobs:
build: strategy: matrix: - ros-distro: [foxy, foxy-arm64, galactic, galactic-arm64, rolling, rolling-arm64] + ros-distro: [foxy, galactic, rolling] + arch: [arm64, amd64] runs-on: ubuntu-latest steps: - uses: actions/checkout@v2 - uses: docker/setup-qemu-action@v1 + - name: Prepare Docker metadata + id: meta + uses: docker/metadata-action@v3 + with: + images: | + ${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }} + tags: | + type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }}-{{date 'YYYYMMDDTHHmm'}} + type=raw,value=${{ matrix.ros-distro }}-${{ matrix.arch }} + flavor: | + latest=false + prefix= + suffix= + + - name: Parse docker build option + id: docker-build-option + run: | + LABELS=$(cat << EOF | grep -E "=." | sed -e "s/org\./--label org./g" | sed -e "s/--label org\(.*\)=\(.*\)$/--label org\1='\2'/g" + ${{ steps.meta.outputs.labels }} + EOF + ) + echo $LABELS + echo ::set-output name=labels::$LABELS + - name: Build docker image env: - ROS_DISTRO: ${{ matrix.ros-distro }} + DOCKER_TAGNAME: ${{ matrix.ros-distro }}-${{ matrix.arch }} run: | - cd $ROS_DISTRO && docker build -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO . + cd ${DOCKER_TAGNAME%-amd64} && docker build ${{ steps.docker-build-option.outputs.labels }} -t $DOCKER_USERNAME/$DOCKER_IMAGENAME:$DOCKER_TAGNAME .
- name: List docker images run: | mkdir -p build_log docker image ls "$DOCKER_USERNAME/*" | tee ./build_log/docker_images.txt - - name: Install trivy - run: | - sudo apt-get install apt-transport-https gnupg - wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add - - echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -cs) main | sudo tee -a /etc/apt/sources.list.d/trivy.list - sudo apt-get update - sudo apt-get install trivy - - - name: Vulnerability Scan with Trivy - env: - ROS_DISTRO: ${{ matrix.ros-distro }} - run: | - mkdir -p build_log - trivy --exit-code 0 --severity HIGH --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO | tee ./build_log/trivy_log-HIGH.txt - trivy --exit-code 0 --severity CRITICAL --no-progress $DOCKER_USERNAME/$DOCKER_IMAGENAME:$ROS_DISTRO | tee ./build_log/trivy_log-CRITICAL.txt + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + image-ref: '${{ env.DOCKER_USERNAME }}/${{ env.DOCKER_IMAGENAME }}:${{ matrix.ros-distro }}-${{ matrix.arch }}' + exit-code: '0' + vuln-type: 'os,library' + severity: 'CRITICAL,HIGH' + format: 'template' + template: '@/contrib/sarif.tpl' + output: 'trivy-results.sarif' - - uses: actions/upload-artifact@v2 + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v1 with: - name: build_log-${{ matrix.ros-distro }} - path: build_log + sarif_file: 'trivy-results.sarif'
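Review bot: `uses: aquasecurity/trivy-action@master` in the new scanner step follows a mutable branch, so the scanner that runs against every build changes whenever upstream pushes and a broken or tampered commit reaches this job without any change here; pin it to a release tag or, better, a full commit SHA with the version in a comment (`uses: aquasecurity/trivy-action@<full-commit-sha>  # <release-tag>`), and the same treatment is worth applying to `docker/metadata-action@v3` and `github/codeql-action/upload-sarif@v1`. The six matrix jobs all upload `trivy-results.sarif` without a `category`, and as far as I know code scanning treats uploads for the same commit and category as replacements, so only the last `ros-distro`/`arch` combination's findings stay visible; if the pinned upload-sarif version supports it, `category: trivy-${{ matrix.ros-distro }}-${{ matrix.arch }}` keeps them apart. In "Parse docker build option" the runner expands `${{ steps.meta.outputs.labels }}` inside an unquoted heredoc and the result is spliced back into the `docker build` command line through `${{ steps.docker-build-option.outputs.labels }}`; the values are repository metadata rather than untrusted input, but a description containing `'` or `$` already breaks the sed quoting, and passing them through `env:` instead of interpolating them into the script text is the usual way to keep runner expansions out of shell parsing. `exit-code: '0'` keeps the old non-blocking behaviour, so findings only surface in the Security tab, which needs `security-events: write` if the workflow declares a `permissions:` block (not visible here). Removing `actions/upload-artifact` also leaves the `List docker images` step still writing `build_log/docker_images.txt` that nothing collects any more.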