complete workflow rework
parent
e2d2d8e2ae
commit
d5fa05a5ea
@ -1,14 +1,54 @@
|
|||
name: Development docker build
|
||||
|
||||
on:
|
||||
push:
|
||||
branches:
|
||||
- development
|
||||
- fb-*
|
||||
|
||||
permissions:
|
||||
security-events: write
|
||||
actions: read
|
||||
contents: read
|
||||
packages: write
|
||||
|
||||
concurrency:
|
||||
group: ${{ github.workflow }}-${{ github.ref }}
|
||||
cancel-in-progress: true
|
||||
|
||||
jobs:
|
||||
docker:
|
||||
if: github.repository_owner == '0xERR0R'
|
||||
check:
|
||||
name: Check if workflow should run
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
enabled: ${{ steps.check.outputs.enabled }}
|
||||
steps:
|
||||
- name: Enabled Check
|
||||
id: check
|
||||
shell: bash
|
||||
run: |
|
||||
SECVAR=${{ secrets.DEVELOPMENT_DOCKER }}
|
||||
ENABLED=$(echo "${SECVAR,,}")
|
||||
|
||||
if [[ "${{ github.repository_owner }}" == "0xERR0R" ]]; then
|
||||
ENABLED="true"
|
||||
fi
|
||||
|
||||
if [[ "${ENABLED}" != 'true' ]]; then
|
||||
echo "##[set-output name=enabled;]$(echo 0)"
|
||||
echo "::notice::Enable this workflow by creating a secret 'DEVELOPMENT_DOCKER' with the value 'true'"
|
||||
else
|
||||
echo "##[set-output name=enabled;]$(echo 1)"
|
||||
echo "Workflow is enabled"
|
||||
fi
|
||||
|
||||
docker:
|
||||
name: Build Docker image
|
||||
runs-on: ubuntu-latest
|
||||
needs: check
|
||||
if: needs.check.outputs.enabled == 1
|
||||
outputs:
|
||||
branch: ${{ steps.extract_branch.outputs.branch }}
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
|
@ -26,19 +66,31 @@ jobs:
|
|||
with:
|
||||
registry: ghcr.io
|
||||
username: ${{ github.repository_owner }}
|
||||
password: ${{ secrets.CR_PAT }}
|
||||
password: ${{ secrets.GITHUB_TOKEN }}
|
||||
|
||||
- name: Login to DockerHub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
- name: Prepare build cache
|
||||
shell: bash
|
||||
run: |
|
||||
TOKEN64=$(echo ${{ secrets.GITHUB_TOKEN }} | base64)
|
||||
JSON=$(curl -s -H "Authorization: Bearer ${TOKEN64}" https://ghcr.io/v2/${{ github.repository }}/tags/list | jq .)
|
||||
CACHE_EXISTS=$(jq '[ .tags[]? | contains("buildcache") ] | any' <<< "$JSON")
|
||||
|
||||
if [[ $CACHE_EXISTS == 'true' ]]; then
|
||||
echo "No preparation needed"
|
||||
else
|
||||
echo '::echo::off'
|
||||
docker pull ghcr.io/0xerr0r/blocky:development
|
||||
docker tag ghcr.io/0xerr0r/blocky:development ghcr.io/${{ github.repository }}:buildcache
|
||||
docker push ghcr.io/${{ github.repository }}:buildcache
|
||||
echo '::echo::on'
|
||||
echo "Preparation complete"
|
||||
fi
|
||||
|
||||
- name: Extract branch name
|
||||
id: extract_branch
|
||||
shell: bash
|
||||
run: echo "##[set-output name=branch;]$(echo ${GITHUB_REF#refs/heads/})"
|
||||
id: extract_branch
|
||||
|
||||
|
||||
- name: Build and push
|
||||
uses: docker/build-push-action@v3
|
||||
with:
|
||||
|
@ -46,20 +98,69 @@ jobs:
|
|||
platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
|
||||
push: true
|
||||
tags: |
|
||||
ghcr.io/0xerr0r/blocky:${{ steps.extract_branch.outputs.branch }}
|
||||
spx01/blocky:${{ steps.extract_branch.outputs.branch }}
|
||||
cache-from: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache
|
||||
cache-to: type=registry,ref=ghcr.io/0xerr0r/blocky:buildcache,mode=max
|
||||
ghcr.io/${{ github.repository }}:${{ steps.extract_branch.outputs.branch }}
|
||||
cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache
|
||||
cache-to: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache,mode=max
|
||||
|
||||
- name: Scan image
|
||||
uses: anchore/scan-action@v3
|
||||
id: scan
|
||||
retag:
|
||||
name: Add DockerHub tag
|
||||
runs-on: ubuntu-latest
|
||||
needs: docker
|
||||
if: github.repository_owner == '0xERR0R'
|
||||
steps:
|
||||
- name: Login to DockerHub
|
||||
uses: docker/login-action@v2
|
||||
with:
|
||||
image: "spx01/blocky:${{ steps.extract_branch.outputs.branch }}"
|
||||
fail-build: false
|
||||
acs-report-enable: true
|
||||
username: ${{ secrets.DOCKER_USERNAME }}
|
||||
password: ${{ secrets.DOCKER_PASSWORD }}
|
||||
|
||||
- name: upload Anchore scan SARIF report
|
||||
uses: github/codeql-action/upload-sarif@v1
|
||||
- name: DockerHub tag
|
||||
shell: bash
|
||||
run: |
|
||||
docker tag ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }} spx01/blocky:${{ needs.docker.outputs.branch }}
|
||||
docker push
|
||||
|
||||
repo-scan:
|
||||
name: Repo vulnerability scan
|
||||
runs-on: ubuntu-latest
|
||||
needs: check
|
||||
if: needs.check.outputs.enabled == 1
|
||||
steps:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v3
|
||||
|
||||
- name: Run Trivy vulnerability scanner in repo mode
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
sarif_file: ${{ steps.scan.outputs.sarif }}
|
||||
scan-type: 'fs'
|
||||
ignore-unfixed: true
|
||||
format: 'sarif'
|
||||
output: 'trivy-repo-results.sarif'
|
||||
severity: 'CRITICAL'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-repo-results.sarif'
|
||||
|
||||
image-scan:
|
||||
name: Image vulnerability scan
|
||||
runs-on: ubuntu-latest
|
||||
needs: docker
|
||||
steps:
|
||||
- name: Checkout
|
||||
uses: actions/checkout@v3
|
||||
with:
|
||||
fetch-depth: 0
|
||||
|
||||
- name: Run Trivy vulnerability scanner on Docker image
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'ghcr.io/${{ github.repository }}:${{ needs.docker.outputs.branch }}'
|
||||
format: 'sarif'
|
||||
output: 'trivy-image-results.sarif'
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v2
|
||||
with:
|
||||
sarif_file: 'trivy-image-results.sarif'
|