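---
# CI for the container image: lint the Dockerfile, build and smoke-test the
# image on a loopback port, scan it with Trivy, and on version tags push it
# to Quay. Default shell for `run` steps on ubuntu-latest is bash with
# `-e -o pipefail`, so any failing command fails its step.
name: CI/CD

# Quoted so YAML 1.1 parsers do not read the key as the boolean `true`.
'on':
  # Bare values are GitHub Actions' idiom for "every event of this type".
  pull_request:
  push:

# Least privilege for the default GITHUB_TOKEN: nothing in this workflow
# writes to the repository, and the registry push uses its own secrets.
permissions:
  contents: read

jobs:
  hadolint:
    name: Test dockerfile syntax
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v3

      - name: Install hadolint.
        # -f makes curl fail on an HTTP error instead of saving the error page
        # as the "binary" (which the chmod below would then make executable);
        # -sS stays quiet but still reports failures.
        # NOTE(review): the download is not integrity-checked; comparing the
        # asset against a pinned SHA-256 would harden this step.
        run: |
          sudo curl -fsSL "https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m)" -o /usr/local/bin/hadolint
          sudo chmod 755 /usr/local/bin/hadolint
        env:
          # Quoted: a version string must never be re-typed by the YAML parser.
          HADOLINT_VERSION: '2.12.0'

      - name: Run hadolint.
        # DL3003 (cd instead of WORKDIR), DL3018 (unpinned apk package
        # versions) and DL3019 (apk without --no-cache) are deliberately
        # ignored for this Dockerfile.
        run: hadolint --ignore DL3003 --ignore DL3018 --ignore DL3019 Dockerfile

  build:
    name: Build and test docker
    runs-on: ubuntu-latest
    steps:
      - name: Check out the codebase.
        uses: actions/checkout@v3

      - name: Find an open port.
        # Pick a random high port nothing on the runner is listening on, with a
        # bounded number of attempts rather than re-executing the step script.
        # `grep -c` consumes all of ss's output, so pipefail cannot misreport a
        # busy port as free through an early-exit SIGPIPE.
        run: |
          CLIENT_PORT=''
          for _ in $(seq 1 20); do
            candidate=$(shuf -i 10000-19999 -n 1)
            if [ "$(ss -ltn | grep -cE ":${candidate}[[:space:]]")" -eq 0 ]; then
              CLIENT_PORT=$candidate
              break
            fi
          done
          [ -n "$CLIENT_PORT" ] || { echo "::error::no free port found after 20 attempts"; exit 1; }
          echo "CLIENT_PORT=${CLIENT_PORT}" >> "$GITHUB_ENV"

      - name: Build docker image.
        # --no-cache: always a fresh build so stale layers cannot mask a broken Dockerfile.
        run: docker build --no-cache --tag "${GITHUB_REPOSITORY}:${GITHUB_RUN_ID}" .

      - name: Run a container of created image.
        # The container gets ip_forward and NET_ADMIN; no-new-privileges blocks
        # further privilege gain inside it. Both port mappings are bound to
        # loopback only, so the test instance is not reachable from outside
        # the runner.
        run: |
          DOCKERCONTAINER=$(docker run --sysctl net.ipv4.ip_forward=1 --cap-add NET_ADMIN --security-opt no-new-privileges -p "127.0.0.1:${CLIENT_PORT}:443" -p "127.0.0.1:${CLIENT_PORT}:443/udp" -d "${GITHUB_REPOSITORY}:${GITHUB_RUN_ID}")
          sleep 5
          echo "DOCKERCONTAINER=${DOCKERCONTAINER}" >> "$GITHUB_ENV"

      - name: Check if container is still running.
        # `docker ps -f` exits 0 even when nothing matches, so the listing alone
        # never failed the step; assert on the container state as well.
        run: |
          docker ps -f "id=${DOCKERCONTAINER}"
          [ "$(docker inspect -f '{{.State.Running}}' "${DOCKERCONTAINER}")" = "true" ]

      - name: Check if the port is responding.
        # -k: the test instance's certificate is not expected to be trusted by
        # the runner (presumably self-signed). The check is on the response
        # body, so pipefail plus `grep -q` fails the step on a bad answer.
        run: curl -sk "https://127.0.0.1:${CLIENT_PORT}" | grep -q 'client="vpn"'

      - name: Check if the container is correctly stopped and removed.
        run: docker stop "${DOCKERCONTAINER}" && docker rm -fv "${DOCKERCONTAINER}"

      - name: Run Trivy vulnerability scanner.
        # TODO(review): pin this third-party action to a release tag or commit
        # SHA; `@master` is a mutable ref that can change under the workflow.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ github.repository }}:${{ github.run_id }}
          # Fail the job when CRITICAL or HIGH findings are reported.
          exit-code: '1'
          severity: 'CRITICAL,HIGH'

  deploy:
    # Only version tags (refs/tags/v*) are published, and only after linting,
    # build/test and scanning all passed.
    if: startsWith(github.ref, 'refs/tags/v')
    needs: [hadolint, build]
    name: Push to Quay
    runs-on: ubuntu-latest
    steps:
      - name: Get the tag version
        id: get_version
        # `::set-output` is deprecated; step outputs go to $GITHUB_OUTPUT.
        # TAG is the ref without its leading refs/tags/v (guaranteed present by
        # the job's `if`); VERSION is TAG with any trailing "-suffix" removed.
        run: |
          TAG=${GITHUB_REF#refs/tags/v}
          echo "TAG=${TAG}" >> "$GITHUB_OUTPUT"
          echo "VERSION=${TAG%-*}" >> "$GITHUB_OUTPUT"

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Login to Quay
        # NOTE(review): v1 lags the v2/v3 majors used by the sibling Docker
        # actions in this job; confirm before bumping.
        uses: docker/login-action@v1
        with:
          registry: quay.io
          username: ${{ secrets.QUAY_USERNAME }}
          password: ${{ secrets.QUAY_PASSWORD }}

      - name: Push to Quay
        uses: docker/build-push-action@v3
        with:
          file: ./Dockerfile
          pull: true
          push: true
          # One image reference per line: full tag, tag without suffix, latest.
          tags: |
            quay.io/aminvakil/ocserv:${{ env.TAG }}
            quay.io/aminvakil/ocserv:${{ env.VERSION }}
            quay.io/aminvakil/ocserv:latest
        env:
          TAG: ${{ steps.get_version.outputs.TAG }}
          VERSION: ${{ steps.get_version.outputs.VERSION }}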