diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 81269ff..68cd456 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -5,6 +5,7 @@ name: ci on: push: + branches: [main] paths: - '**/Dockerfile' - '**/.github/workflows/ci.yml' @@ -25,11 +26,8 @@ env: jobs: test: runs-on: ubuntu-latest - outputs: - targets: ${{ steps.matrix.outputs.targets }} steps: - name: Checkout code - # kics-scan ignore-line uses: actions/checkout@v4.1.0 - name: Setup Docker Buildx 
@@ -39,34 +37,48 @@ jobs: # get docker binary path to use it with env -i - name: Get the docker binary path id: docker-binary-path - run: echo "DOCKER_BINARY_PATH=$(which docker)" >> "$GITHUB_OUTPUT" + run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}" - name: Print the bake file with a empty env id: bake-file-no-env - run: env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print + run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print - - name: Verify the tag ends on -local + - name: Verify the tags end on -local run: | - BAKE_TAG="$(env -i ${{ steps.docker-binary-path.outputs.DOCKER_BINARY_PATH }} buildx bake --print | jq -r '[.target[].tags[]][0]')" - [[ "${BAKE_TAG}" == *"-local" ]] || exit 1 + while IFS='' read -r container_tag; do + printf "Container tag: %s\n" "${container_tag}" + [[ "${container_tag}" == *"-local" ]] || exit 1 + done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]') - name: Print the bake file with the runner env run: docker buildx bake --print - - name: Validate tag ends on -${{ github.base_ref || github.ref_name }} + - name: Verify the tags are valid run: | - BAKE_TAG="$(docker buildx bake --print | jq -r '[.target[].tags[]][0]')" - [[ "${BAKE_TAG}" == *"-${{ github.base_ref || github.ref_name}}" ]] || exit 1 + while IFS='' read -r container_tag; do + printf "Container tag: %s\n" "${container_tag}" + [[ "${container_tag}" == *"-${REF//\//-}" ]] || exit 1 + done < <(docker buildx bake --print | jq -r '.target[].tags[0]') + env: + REF: ${{ github.head_ref || github.ref_name}} - - name: Create matrix - id: matrix - run: printf "targets=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" >>"${GITHUB_OUTPUT}" + generate-jobs: + needs: [test] + runs-on: ubuntu-latest + outputs: + targets: ${{ steps.targets.outputs.matrix }} + # platforms: ${{ steps.platforms.outputs.matrix }} + steps: + - name: 
Checkout code + uses: actions/checkout@v4.1.0 - - name: Show matrix - run: "echo '${{ steps.matrix.outputs.targets }}' | jq" + - name: Generate targets matrix + id: targets + run: | + printf "matrix=%s\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}" build: - needs: test + needs: [generate-jobs] runs-on: ubuntu-latest permissions: contents: read @@ -75,25 +87,20 @@ jobs: security-events: write strategy: matrix: - targets: ${{ fromJson(needs.test.outputs.targets) }} + targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }} steps: - name: Checkout code - # kics-scan ignore-line uses: actions/checkout@v4.1.0 - name: Setup QEMU # kics-scan ignore-line uses: docker/setup-qemu-action@v3.0.0 - # with: - # image: 'tonistiigi/binfmt:buildkit-latest' - name: Setup Docker Buildx # kics-scan ignore-line uses: docker/setup-buildx-action@v3.0.0 - # with: - # driver-opts: | - # image=moby/buildkit:latest - # # driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} + with: + driver: ${{ github.event_name == 'pull_request' && 'docker' || 'docker-container' }} # Login against a container registry # https://github.com/docker/login-action @@ -114,6 +121,15 @@ jobs: deleteDotnet: 'true' deleteAndroid: 'true' + - name: Get meta data + id: meta + run: | + { + printf "arch=linux/%s\n" "$(docker run --rm --quiet ubuntu:22.04 dpkg --print-architecture)"; + printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; + printf "main_tag=%s\n" "$(REF_NAME=main docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; + } | tee "${GITHUB_OUTPUT}" + # Bake the image # kics-scan ignore-line - uses: docker/bake-action@v4.0.0 
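Review bot: Both rewritten verification steps (`Verify the tags end on -local` and `Verify the tags are valid`) pass vacuously when the `docker buildx bake --print | jq` producer fails or prints nothing, because a failing process substitution does not fail the `while` loop and the step shell is not running with `pipefail`. Collect the tags first and require at least one, e.g. `mapfile -t container_tags < <(… | jq -er '.target[].tags[0]')`, `(( ${#container_tags[@]} > 0 )) || exit 1`, then loop over `"${container_tags[@]}"`; `jq -e` additionally makes a trailing `null` tag exit non-zero. The `tee "${GITHUB_OUTPUT}"` form introduced in the `docker-binary-path` step (and repeated in `Generate targets matrix` and the later `Get meta data` step) truncates the step's output file rather than appending, which is harmless while a step writes once but silently drops any earlier output added later; `>> "${GITHUB_OUTPUT}"` is the documented idiom. The `build` job that closes this hunk continues outside it.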
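Review bot: The new `Get meta data` step cannot fail on a missing value: the three command substitutions run inside a `{ …; } | tee` group, so a failing `docker buildx bake` or `jq` yields `tag=` / `main_tag=` with exit status 0 and the empty `image:` only surfaces in the later scout step. Assign each value to a variable and check it before writing, e.g. `tag="$(docker buildx bake ${{ matrix.targets }} --print | jq -er '.target[].tags[0]')"` followed by `[[ -n "${tag}" ]] || exit 1`. Running `docker run --rm --quiet ubuntu:22.04 dpkg --print-architecture` pulls an unpinned, mutable Docker Hub tag (and counts against the anonymous pull-rate limit) just to learn the runner's architecture; `dpkg --print-architecture` on the `ubuntu-latest` runner itself returns the same value without any pull.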
@@ -122,51 +138,51 @@ jobs: with: files: docker-bake.hcl targets: ${{ matrix.targets }} - sbom: true - provenance: true + sbom: ${{ github.event_name != 'pull_request' }} + provenance: ${{ github.event_name != 'pull_request' }} + set: | + ${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }} + ${{ github.event_name == 'pull_request' && format('*.platform={0}', steps.meta.outputs.arch) || '' }} push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }} + load: ${{ github.event_name == 'pull_request' }} - - name: Get the image tag - id: meta - run: | - printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '[.target[].tags[]][0]')" >> "$GITHUB_OUTPUT" - - - name: Analyze for critical and high CVEs + # vulnerability scan the image + # kics-scan ignore-line + - uses: docker/scout-action@v1.0.8 + name: Analyze for critical and high CVEs id: docker-scout-cves if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }} - # kics-scan ignore-line - uses: docker/scout-action@v1.0.8 with: command: cves image: ${{ steps.meta.outputs.tag }} sarif-file: sarif.output.json summary: false - - - name: Upload SARIF result + # upload the results as a SARIF file to gh security tab + # kics-scan ignore-line + - uses: github/codeql-action/upload-sarif@v2.22.0 + name: Upload SARIF result id: upload-sarif if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }} - # kics-scan ignore-line - uses: github/codeql-action/upload-sarif@v2 with: sarif_file: sarif.output.json - # # vulnerability scanning to verify PRs - # - name: Docker Scout - # id: docker-scout - # uses: docker/scout-action@v1.0.8 - # if: github.event_name == 'pull_request' - # with: - # platform: ${{ matrix.platforms }} - # command: quickview - # image: ${{ env.FROM_IMAGE_PATH }} - # type: archive - # to: ${{ env.TO_TAG }} - # ignore-unchanged: true - # only-severities: critical - # write-comment: ${{ github.actor != 'nektos/act' }} 
- # summary: ${{ github.actor != 'nektos/act' }} - # github-token: ${{ secrets.GITHUB_TOKEN }} - # organization: ${{ vars.DOCKERHUB_USERNAME || github.repository_owner }} + # vulnerability scanning to verify PRs + # kics-scan ignore-line + - uses: docker/scout-action@64ca6fb5e6ada64f5febd1a991b499900b29faf0 + name: Docker Scout compare + id: pr-quickview + if: ${{ github.event_name == 'pull_request' && steps.meta.outputs.tag != steps.meta.outputs.main_tag && vars.DOCKERHUB_USERNAME != '' }} + with: + command: compare + platform: ${{ steps.meta.outputs.arch }} + image: ${{ steps.meta.outputs.tag }} + to: ${{ steps.meta.outputs.main_tag }} + ignore-unchanged: true + only-fixed: true + only-severities: critical,high + write-comment: ${{ github.actor != 'nektos/act' }} + summary: ${{ github.actor != 'nektos/act' }} + github-token: ${{ secrets.GITHUB_TOKEN }} approve-pr: name: Approve PR diff --git a/.mega-linter.yml b/.mega-linter.yml index b64d02f..6e44e6a 100644 --- a/.mega-linter.yml +++ b/.mega-linter.yml @@ -1,14 +1,16 @@ --- # yaml-language-server: $schema=https://raw.githubusercontent.com/oxsecurity/megalinter/main/megalinter/descriptors/schemas/megalinter-configuration.jsonschema.json + # Configuration file for MegaLinter # See all available variables at https://megalinter.io/latest/config-file/ and in linters documentation + APPLY_FIXES: 'all' # all, none, or list of linter keys CLEAR_REPORT_FOLDER: true DISABLE_LINTERS: - REPOSITORY_SEMGREP # doesn't work for me currently FILEIO_REPORTER: false -# FILTER_REGEX_EXCLUDE: '(megalinter-reports)' IGNORE_GITIGNORED_FILES: true SHOW_ELAPSED_TIME: true SPELL_LYCHEE_FILTER_REGEX_EXCLUDE: '(\.github/workflows|\.mega-linter\.yml)' YAML_V8R_FILTER_REGEX_EXCLUDE: '(\.prettierrc\.yaml)' +VALIDATE_ALL_CODEBASE: true diff --git a/README.md b/README.md index b56ce14..93ba387 100644 --- a/README.md +++ b/README.md 
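Review bot: `docker/scout-action` is now referenced at two different revisions in the same job — `@v1.0.8` for the CVE scan and the bare commit `@64ca6fb5e6ada64f5febd1a991b499900b29faf0` for the PR compare — so the two steps can run different action code and a reader cannot tell which release the SHA corresponds to. Pin both (and `github/codeql-action/upload-sarif@v2.22.0`) to one full commit SHA with the release recorded in a trailing comment, e.g. `uses: docker/scout-action@<commit-sha> # vX.Y.Z`, keeping a single revision per action. The compare step enables `write-comment` with `secrets.GITHUB_TOKEN`, which needs `pull-requests: write` in the build job's `permissions`; the portion visible here grants only `contents: read` and `security-events: write` (the rest is outside the hunk), and on pull requests from forks the token is read-only regardless, so the step's `if` presumably also wants a same-repository condition. In the non-PR case both `set:` lines expand to empty strings, leaving a value of blank lines only; if bake-action drops empty entries that is fine, but an explicit `if`-guarded `set:` would make the intent visible.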
@@ -41,8 +41,8 @@ The easiest way is to add those lines in your `~/.actrc`: -P ubuntu-20.04=mauwii/ubuntu-act:20.04 ``` -For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the [nektos -documentation📖][nektosDocs] +For further information about [nektos/act][nektosActRepo] and how to use it, take a 👀 at the +[nektos documentation📖][nektosDocs] ## How I run act on my M2-Max 💻 @@ -111,9 +111,12 @@ documentation📖][nektosDocs] ## docker-bake file As always, there are different options to build the images locally. I added `docker-bake.hcl` which -helps with orchestrating builds and needs buildx to be available, which comes out of the box with -docker desktop. Bake Files are still considered experimental, and your results may be totally -different depending on your local docker configuration. +helps with orchestrating builds but needs buildx to be available on the host (it comes out of the +box with docker desktop). + +> [!WARNING] +> Bake Files are still considered experimental, and your results may be totally different depending +> on your local docker configuration. - using the `local` tag: diff --git a/docker-bake.hcl b/docker-bake.hcl index f948c9a..1acbccc 100644 --- a/docker-bake.hcl +++ b/docker-bake.hcl @@ -19,14 +19,14 @@ variable "GITHUB_SHA" { } variable "REF_NAME" { - default = and(notequal(GITHUB_BASE_REF, null), notequal(GITHUB_BASE_REF, "")) ? "${GITHUB_BASE_REF}" : and(notequal(GITHUB_REF_NAME, null), notequal(GITHUB_REF_NAME, "")) ? "${GITHUB_REF_NAME}" : "local" + default = and(notequal(GITHUB_HEAD_REF, null), notequal(GITHUB_HEAD_REF, "")) ? "${GITHUB_HEAD_REF}" : and(notequal(GITHUB_REF_NAME, null), notequal(GITHUB_REF_NAME, "")) ? "${GITHUB_REF_NAME}" : "local" } variable "GITHUB_REF_NAME" { default = null } -variable "GITHUB_BASE_REF" { +variable "GITHUB_HEAD_REF" { default = null } 
@@ -128,10 +128,10 @@ target "ubuntu" { "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}" ] cache-to = [ - notequal(REF_NAME, "local") ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}" : "" + and(notequal("nektos/act", GITHUB_ACTOR), notequal(REF_NAME, "local")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:cache-${release.codename}" : "" ] tags = [ - "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${REF_NAME}", + "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${replace(REF_NAME, "/", "-")}", and(notequal(GITHUB_SHA, null), equal("${REF_NAME}", "main")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}-${substr(GITHUB_SHA, 0, 7)}" : "", equal("${REF_NAME}", "main") ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:${release.major}.${release.minor}" : "", and(equal("${REF_NAME}", "main"), equal(release.codename, "jammy")) ? "${REGISTRY}/${GITHUB_REPOSITORY_OWNER}/ubuntu-act:latest" : "", diff --git a/linux/ubuntu/Dockerfile b/linux/ubuntu/Dockerfile index b2c7ac0..35459a6 100644 --- a/linux/ubuntu/Dockerfile +++ b/linux/ubuntu/Dockerfile @@ -6,16 +6,6 @@ ARG FROM_VERSION_MINOR=04 ARG FROM_VERSION=${FROM_VERSION_MAJOR}.${FROM_VERSION_MINOR} FROM ${FROM_IMAGE}:${FROM_VERSION} as base -FROM base as bicep -ARG TARGETARCH -ARG BICEP_VERSION=v0.21.1 -RUN export targetarch="${TARGETARCH}" \ - && if [ "${targetarch}" = "amd64" ]; then export targetarch="x64"; fi \ - && curl -sSLo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VERSION}/bicep-linux-${targetarch}" \ - && chmod +x ./bicep \ - && mv ./bicep /usr/local/bin/bicep \ - && bicep --version - FROM base as golang ARG TARGETARCH SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ] 
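Review bot: `replace(REF_NAME, "/", "-")` sanitises only the slash, but `REF_NAME` now derives from `GITHUB_HEAD_REF`, the pull-request author's branch name, which may also carry characters an image tag rejects (`+`, `#`, `@`, a leading `.` or `-`) or exceed the 128-character tag limit, so such a branch fails at tag parsing rather than at a clear validation point; the workflow's `${REF//\//-}` check has the same blind spot. If the bake function set in use offers `regex_replace`, `regex_replace(REF_NAME, "[^A-Za-z0-9_.-]", "-")` covers the tag alphabet (a leading `.` or `-` still needs separate handling); otherwise document the restriction next to the `REF_NAME` variable. The new `GITHUB_ACTOR` reference in `cache-to` assumes a `variable "GITHUB_ACTOR"` block exists elsewhere in the file — it is not declared in either bake hunk shown here, and bake errors on an undeclared name. The `tags` list of `target "ubuntu"` continues past the end of the hunk.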
@@ -42,6 +32,16 @@ RUN curl -fsSL https://get.pulumi.com \ && export PATH="$HOME/.pulumi/bin:$PATH" \ && pulumi version +FROM base as bicep +ARG TARGETARCH +ARG BICEP_VERSION=v0.21.1 +RUN export targetarch="${TARGETARCH}" \ + && if [ "${targetarch}" = "amd64" ]; then export targetarch="x64"; fi \ + && curl -sSLo bicep "https://github.com/Azure/bicep/releases/download/${BICEP_VERSION}/bicep-linux-${targetarch}" \ + && chmod +x ./bicep \ + && mv ./bicep /usr/local/bin/bicep \ + && bicep --version + FROM base as act-base # automatic buildx ARGs @@ -304,14 +304,6 @@ ARG TARGETARCH SHELL [ "/bin/bash", "--login", "-e", "-o", "pipefail", "-c" ] WORKDIR /tmp -# add PowerShell -ARG TOOL_PATH_PWSH=/usr/share/powershell -COPY --from=powershell ${TOOL_PATH_PWSH} ${TOOL_PATH_PWSH} -RUN ln -s "${TOOL_PATH_PWSH}/pwsh" /usr/local/bin/pwsh - -# add PowerShell-modules -COPY --from=powershell-modules /usr/local/share/powershell /usr/local/share/powershell - # add go COPY --from=golang /usr/local/go /usr/local/go ENV PATH=/usr/local/go/bin:${PATH} @@ -323,6 +315,14 @@ COPY --from=pulumi /root/.pulumi/bin /usr/local/bin/ # add bicep COPY --from=bicep /usr/local/bin/bicep /usr/local/bin/bicep +# add PowerShell +ARG TOOL_PATH_PWSH=/usr/share/powershell +COPY --from=powershell ${TOOL_PATH_PWSH} ${TOOL_PATH_PWSH} +RUN ln -s "${TOOL_PATH_PWSH}/pwsh" /usr/local/bin/pwsh + +# add PowerShell-modules +COPY --from=powershell-modules /usr/local/share/powershell /usr/local/share/powershell + ARG RUNNER USER ${RUNNER}
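Review bot: The relocated `bicep` stage downloads a release binary with `curl -sSLo` and no integrity check: without `-f`, an HTTP error body is written to `bicep`, and a swapped or tampered asset is only noticed if `bicep --version` happens to fail. Match the `curl -fsSL` used by the pulumi stage directly above, and verify the download against a pinned digest before installing, e.g. `ARG BICEP_SHA256=<expected-sha256-for-pinned-version-and-arch>` followed by `echo "${BICEP_SHA256}  bicep" | sha256sum -c -` after the `curl` line, with one digest per `TARGETARCH` value since the asset differs per architecture. The stage is byte-identical to the block removed in the first Dockerfile hunk, so this is pre-existing rather than introduced, but the move is the natural point to fix it.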