-
Notifications
You must be signed in to change notification settings - Fork 71
78 lines (74 loc) · 2.91 KB
/
docker-build-test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
#This action test builds EMHASS standalone Docker images, in each architecture.
name: "Test Docker"
on:
push:
branches: [ master ]
pull_request:
branches: [ master ]
workflow_dispatch:
permissions:
actions: read
security-events: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform: [
{target_arch: amd64, os_version: debian},
{target_arch: armv7, os_version: debian},
{target_arch: armhf, os_version: raspbian},
{target_arch: aarch64, os_version: debian}
]
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v5
with:
context: .
platforms: ${{ matrix.platform.buildx }}
build-args: |
TARGETARCH=${{ matrix.platform.target_arch }}
os_version=${{ matrix.platform.os_version }}
tags: emhass
load: true
- name: Test #Assume Docker fail with FileNotFound secrets_emhass.yaml error
run: docker run --rm -it emhass/standalone-test | grep -q secrets_emhass.yaml && echo 0 || echo 1
# Google OSV-Scanner
# Extract Debian and Python packadge list stored in Image
- name: Export Debian package list
run: mkdir OSV && docker run --rm --entrypoint '/bin/cat' emhass/standalone-test /var/lib/dpkg/status >> ./OSV/${{ matrix.platform.target_arch }}.status
- name: Export Python package list
run: docker run --rm --entrypoint '/usr/bin/pip3' emhass/standalone-test freeze >> ./OSV/${{ matrix.platform.target_arch }}-requirements.txt
# Check Docker image debian and python packages list for known vulnerabilities
- name: "Run scanner"
uses: google/osv-scanner-action/[email protected]
with:
scan-args: |-
--output=results.json
--format=json
--lockfile=dpkg-status:./${{ matrix.platform.target_arch }}.status
--lockfile=requirements.txt:./${{matrix.platform.target_arch }}-requirements.txt
continue-on-error: true
- name: "Run osv-scanner-reporter"
uses: google/osv-scanner-action/[email protected]
with:
scan-args: |-
--output=${{ inputs.results-file-name }}
--new=results.json
--gh-annotations=false
--fail-on-vuln=true
# Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning"
if: "${{ !cancelled() }}"
uses: github/codeql-action/upload-sarif@407ffafae6a767df3e0230c3df91b6443ae8df75 # v2.22.8
with:
sarif_file: ${{ inputs.results-file-name }}