Add image scanner to build process
alecslupu committed Sep 10, 2024
1 parent cdddb8c commit aacd27f
Showing 3 changed files with 89 additions and 41 deletions.
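--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -0,0 +1,63 @@
+on:
+workflow_call:
+
+jobs:
+build:
+name: Build Docker image
+runs-on: ubuntu-latest
+env:
+GENERATOR_IMAGE_NAME: decidim/decidim-generator
+TEST_IMAGE_NAME: decidim/decidim-test
+DEV_IMAGE_NAME: decidim/decidim-dev
+APP_IMAGE_NAME: decidim/decidim
+TAG: ${{ github.sha }}
+steps:
+- name: Fetch Decidim Tag
+id: decidim-tag
+uses: oprypin/find-latest-tag@v1
+with:
+repository: decidim/decidim
+releases-only: true
+
+- name: Set Ruby Version
+id: ruby-version
+env:
+RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
+run: |
+echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)
+- name: Set Decidim Version
+id: decidim-version
+run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)
+
+- name: Checkout Our Repo
+uses: actions/checkout@v2
+
+- name: Build decidim-generator Image
+env:
+RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
+DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
+run: |
+docker build \
+--build-arg ruby_version=$RUBY_VERSION \
+--build-arg decidim_version=$DECIDIM_VERSION \
+--file Dockerfile-generator \
+-t $GENERATOR_IMAGE_NAME .
+docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
+docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
+docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
+docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
+-
+name: Scan for vulnerabilities
+id: scan
+uses: crazy-max/ghaction-container-scan@v3
+with:
+image: decidim/decidim-generator
+dockerfile: ./Dockerfile-generator
+severity_threshold: HIGH
+annotations: true
+-
+name: Upload SARIF file
+if: ${{ steps.scan.outputs.sarif != '' }}
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: ${{ steps.scan.outputs.sarif }}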
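Review bot: The `Upload SARIF file` step at the end of the hunk only runs if the scan step succeeds, because its `if:` carries no `always()` and GitHub skips later steps once a step has failed; if `severity_threshold: HIGH` is reported by failing the scan step, the SARIF is never uploaded precisely when there are findings. `if: ${{ always() && steps.scan.outputs.sarif != '' }}` keeps the job red on HIGH findings while still uploading the report. `TEST_IMAGE_NAME`, `DEV_IMAGE_NAME` and `APP_IMAGE_NAME` are set in `env:` but no step in this file reads them, so they can be dropped until the corresponding builds are added. The two scan steps use the bare-`-` list style while the earlier steps use `- name:`; one style throughout reads better.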
51 changes: 10 additions & 41 deletions .github/workflows/dockerhub.yml
Expand Up @@ -6,13 +6,18 @@ on:
branches:
- master
paths:
- 'Dockerfile'
- 'Dockerfile-test'
- 'Dockerfile-dev'
- 'Dockerfile-generator'
- '.github/workflows/dockerhub.yml'
- "*"
- 'Dockerfile'
- 'Dockerfile-test'
- 'Dockerfile-dev'
- 'Dockerfile-generator'
- '.github/workflows/dockerhub.yml'

jobs:
build:
uses: ./.github/workflows/build.yml
secrets: inherit
name: Build image
build-publish:
name: Build & Publish Docker Images
runs-on: ubuntu-latest
Expand All @@ -24,42 +29,6 @@ jobs:
TAG: ${{ github.sha }}

steps:
- name: Fetch Decidim Tag
id: decidim-tag
uses: oprypin/find-latest-tag@v1
with:
repository: decidim/decidim
releases-only: true

- name: Set Ruby Version
id: ruby-version
env:
RUBY_VERSION_URL: https://raw.githubusercontent.com/decidim/decidim/${{ steps.decidim-tag.outputs.tag }}/.ruby-version
run: |
echo ::set-output name=version::$(curl -s $RUBY_VERSION_URL)
- name: Set Decidim Version
id: decidim-version
run: echo ::set-output name=version::$(echo ${{ steps.decidim-tag.outputs.tag }} | cut -c2-)

- name: Checkout Our Repo
uses: actions/checkout@v2

- name: Build decidim-generator Image
env:
RUBY_VERSION: ${{ steps.ruby-version.outputs.version }}
DECIDIM_VERSION: ${{ steps.decidim-version.outputs.version }}
run: |
docker build \
--build-arg ruby_version=$RUBY_VERSION \
--build-arg decidim_version=$DECIDIM_VERSION \
--file Dockerfile-generator \
-t $GENERATOR_IMAGE_NAME .
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$TAG
docker tag $GENERATOR_IMAGE_NAME $GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
docker tag $GENERATOR_IMAGE_NAME ghcr.io/$GENERATOR_IMAGE_NAME:$DECIDIM_VERSION
- name: Publish decidim-generator Image to Docker Hub
uses: docker/login-action@v1
with:
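Review bot: The new `build` job in the first hunk is not wired to `build-publish`: there is no `needs: build` on `build-publish` (its header is the last part of the hunk and its body continues into the second hunk and beyond), so the scan in build.yml never gates publishing and the generator image is built twice in parallel. Adding `needs: build` under `build-publish:` makes publication depend on the scan passing. `secrets: inherit` on the `build` call passes every repository secret to build.yml, which declares no `secrets:` inputs under `workflow_call` and whose steps reference none; the same applies to the call in test.yml, and dropping it in both keeps the reusable workflow least-privilege. The second hunk appears cut off on this page (the `-24,42` header counts more old lines than are shown), so the remainder of `build-publish` was not reviewed.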
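--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -0,0 +1,16 @@
+name: "Test Current PR"
+on:
+pull_request:
+paths:
+- "*"
+- ".github/**"
+
+concurrency:
+group: ${{ github.workflow }}-${{ github.head_ref || github.ref }}
+cancel-in-progress: true
+
+jobs:
+build:
+uses: ./.github/workflows/build.yml
+secrets: inherit
+name: Build image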
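Review bot: The `build` job calls build.yml, whose last step uploads SARIF with `github/codeql-action/upload-sarif@v3` and therefore needs `security-events: write`; on `pull_request` the token is read-only for pull requests from forks and otherwise carries the repository default, so the upload can fail on exactly the PRs a scan is meant to cover. Declaring `permissions:` with `contents: read` and `security-events: write` on this job covers the same-repo case (a called workflow can only narrow the caller's permissions, not widen them), and the upload step in build.yml should tolerate the fork case, for example with a condition on `github.event.pull_request.head.repo.fork`. The `paths:` filter `"*"` matches only root-level files, so a change under any directory other than `.github/` will not trigger this workflow; confirm that is intended.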
