-
-
Notifications
You must be signed in to change notification settings - Fork 1
201 lines (179 loc) · 6.13 KB
/
docker-image.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
---
name: Docker Image CI
on: # yamllint disable-line rule:truthy
push:
branches: ["main"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
workflow_dispatch:
env:
IMAGE_NAME: algorithm-exercises-ts
ARTIFACT_NAME: algorithm-exercises-ts_${{ github.sha }}
jobs:
build:
name: "Build Docker images"
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: "LINT: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: lint
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
tags: |
${{ env.IMAGE_NAME }}:lint
- name: "LINT: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_lint
path: /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
- name: "TEST: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: testing
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
tags: |
${{ env.IMAGE_NAME }}:test
- name: "TEST: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_test
path: /tmp/${{ env.ARTIFACT_NAME }}_test.tar
- name: "PRODUCTION: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: production
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
tags: |
${{ env.IMAGE_NAME }}:latest
${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: "PRODUCTION: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
lint:
name: "Run in docker: LINT"
runs-on: ubuntu-latest
needs: build
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_lint
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
docker image ls -a
- name: Run lint
run: |
docker run --rm ${{ env.IMAGE_NAME }}:lint make lint
test:
name: "Run in docker: TEST"
runs-on: ubuntu-latest
needs: build
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_test
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
docker image ls -a
- name: Run test
run: |
docker run --rm ${{ env.IMAGE_NAME }}:test make test
security:
name: "Snyk Container"
runs-on: ubuntu-latest
needs: build
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
docker image ls -a
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@master
env:
# yamllint disable rule:line-length
# In order to use the Snyk Action you will need to have a Snyk API token.
# See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
# or you can sign up for free at https://snyk.io/login
# yamllint enable rule:line-length
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
args: --file=Dockerfile
# yamllint disable rule:line-length
# https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
- name: Replace security-severity undefined for license-related findings
run: |
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
# yamllint enable rule:line-length
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'snyk.sarif'
scan:
name: "Trivy"
runs-on: ubuntu-latest
needs: build
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
docker image ls -a
- name: Run Trivy vulnerability scanner (cli report)
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'table'
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
- name: Run Trivy vulnerability scanner (sarif report)
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'