Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add image scanner to build process #105

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 63 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
on:
workflow_call:

jobs:
build:
name: Build Docker image
runs-on: ubuntu-latest
env:
GENERATOR_IMAGE_NAME: decidim/decidim-generator
TEST_IMAGE_NAME: decidim/decidim-test
DEV_IMAGE_NAME: decidim/decidim-dev
APP_IMAGE_NAME: decidim/decidim
TAG: ${{ github.sha }}
steps:
- name: Fetch Decidim Tag
id: decidim-tag
uses: oprypin/find-latest-tag@v1
with:
repository: decidim/decidim
releases-only: true

- name: Set Ruby Version
id: ruby-version
env:
RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
run: |
echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)
- name: Set Decidim Version
id: decidim-version
run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)

- name: Checkout Our Repo
uses: actions/checkout@v2

- name: Build decidim-generator Image
env:
RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
run: |
docker build \
--build-arg ruby_version=$RUBY_VERSION \
--build-arg decidim_version=$DECIDIM_VERSION \
--file Dockerfile-generator \
-t $GENERATOR_IMAGE_NAME .
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
-
name: Scan for vulnerabilities
id: scan
uses: crazy-max/ghaction-container-scan@v3
with:
image: decidim/decidim-generator
dockerfile: ./Dockerfile-generator
severity_threshold: HIGH
annotations: true
-
name: Upload SARIF file
if: ${{ steps.scan.outputs.sarif != '' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
51 changes: 10 additions & 41 deletions .github/workflows/dockerhub.yml
Original file line number Diff line number Diff line change
Expand Up @@ -6,13 +6,18 @@ on:
branches:
- master
paths:
- 'Dockerfile'
- 'Dockerfile-test'
- 'Dockerfile-dev'
- 'Dockerfile-generator'
- '.github/workflows/dockerhub.yml'
- "*"
- 'Dockerfile'
- 'Dockerfile-test'
- 'Dockerfile-dev'
- 'Dockerfile-generator'
- '.github/workflows/dockerhub.yml'

jobs:
build:
uses: ./.github/workflows/build.yml
secrets: inherit
name: Build image
build-publish:
name: Build & Publish Docker Images
runs-on: ubuntu-latest
Expand All @@ -24,42 +29,6 @@ jobs:
TAG: ${{ github.sha }}

steps:
- name: Fetch Decidim Tag
id: decidim-tag
uses: oprypin/find-latest-tag@v1
with:
repository: decidim/decidim
releases-only: true

- name: Set Ruby Version
id: ruby-version
env:
RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
run: |
echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)

- name: Set Decidim Version
id: decidim-version
run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)

- name: Checkout Our Repo
uses: actions/checkout@v2

- name: Build decidim-generator Image
env:
RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
run: |
docker build \
--build-arg ruby_version=$RUBY_VERSION \
--build-arg decidim_version=$DECIDIM_VERSION \
--file Dockerfile-generator \
-t $GENERATOR_IMAGE_NAME .
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION

- name: Publish decidim-generator Image to Docker Hub
uses: docker/login-action@v1
with:
Expand Down
16 changes: 16 additions & 0 deletions .github/workflows/test.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,16 @@
name: "Test Current PR"
on:
pull_request:
paths:
- "*"
- ".github/**"

concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
cancel-in-progress: true

jobs:
build:
uses: ./.github/workflows/build.yml
secrets: inherit
name: Build image
Loading