SBC pod launcher JSON based configuration parser #275

Workflow file for this run

.github/workflows/build_tiber.yml at 9465564

	name: dockerfiles-build

	on:
	workflow_call:
	workflow_dispatch:
	pull_request:
	push:
	branches: [ "main" ]

	permissions:
	contents: read

	env:
	BUILD_TYPE: "Release"
	DOCKER_IMAGE_BASE: "ghcr.io/openvisualcloud/intel-tiber-broadcast-suite"
	DOCKER_IMAGE_NAME: "tiber-broadcast-suite"
	DOCKER_IMAGE_TAG: "${{ github.sha }}"
	DEBIAN_FRONTEND: "noninteractive"
	TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
	TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db"

	concurrency:
	group: ${{ github.workflow }}-${{ github.event.pull_request.number \|\| github.sha }}
	cancel-in-progress: true

	jobs:
	docker:
	name: "Dockerfile build for Intel® Tiber™ Broadcast Suite"
	runs-on: ubuntu-22.04
	timeout-minutes: 120
	permissions:
	contents: read
	security-events: write
	env:
	BUILDKIT_STEP_LOG_MAX_SIZE: 50000000
	BUILDKIT_STEP_LOG_MAX_SPEED: 10000000
	DOCKER_TMPDIR: "/mnt/docker/docker-tmp"
	steps:
	- name: "OS-Configuration: Preparation: Harden Runner"
	uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
	with:
	egress-policy: audit

	- name: "OS-Configuration: Report memory, block-dev and free disk space."
	run: \|
	sudo free -h
	sudo lsblk
	sudo df -h

	- name: "OS-Configuration: Disable SWAP in OS, create mnt points, show settings."
	shell: bash
	run: \|
	export SWAP_FILE="$(sudo swapon --show=NAME \| tail -n 1)"
	sudo swapoff "${SWAP_FILE}"
	sudo rm "${SWAP_FILE}"
	sudo mkdir -p "/mnt/docker/docker-d" "/mnt/docker/docker-tmp"

	- name: "OS-Configuration: Add data-root and other JSON changes to dockerd, reload it."
	run: \|
	sudo chmod 666 /etc/docker/daemon.json
	echo "$(sudo jq '. += {"data-root":"/mnt/docker/docker-d","log-driver":"json-file","log-format":"text","log-level":"info","log-opts":{"cache-disabled":"false","cache-max-file":"5","cache-max-size":"20m","max-file":"5","max-size":"10m"}}' /etc/docker/daemon.json)" > /etc/docker/daemon.json
	sudo chmod 644 /etc/docker/daemon.json
	sudo systemctl daemon-reload
	sudo systemctl restart docker
	sudo cat "/etc/docker/daemon.json"

	- name: "Configuration: Docker with Buildx Toolkit set up"
	uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
	with:
	buildkitd-flags: "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host"
	platforms: "linux/amd64"
	driver-opts: memory=14Gib,memory-swap=25Gib,env.BUILDKIT_STEP_LOG_MAX_SIZE=50000000,env.BUILDKIT_STEP_LOG_MAX_SPEED=10000000

	- name: "Validation: Build/Push Dokcerfile"
	uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
	with:
	file: Dockerfile
	push: false
	load: true
	target: final-stage
	tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
	platforms: "linux/amd64"
	cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }}
	cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }}

	- name: "Validation: Run Trivy vulnerability scanner on image"
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	continue-on-error: true
	with:
	image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
	output: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"
	format: "sarif"

	- name: "Finish: Upload Trivy scan results to GitHub Security tab"
	uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
	continue-on-error: true
	with:
	sarif_file: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"

	trivy-config-scan:
	name: "trivy config scans"
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	security-events: write
	steps:
	- name: "Preparation: Harden Runner"
	uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
	with:
	egress-policy: audit

	- name: "Preparation: Repository Checkout"
	uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

	- name: Run Trivy 'config' type vulnerability scan.
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	with:
	scan-type: 'config'
	hide-progress: false
	ignore-unfixed: true
	format: 'sarif'
	output: 'trivy-config-scan-tiber.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
	if: always()
	with:
	sarif_file: 'trivy-config-scan-tiber.sarif'

	trivy-fs-scan:
	name: "trivy fs scans"
	runs-on: ubuntu-22.04
	permissions:
	contents: read
	security-events: write
	steps:
	- name: "Preparation: Harden Runner"
	uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
	with:
	egress-policy: audit

	- name: "Preparation: Repository Checkout"
	uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

	- name: Run Trivy 'fs' type vulnerability scanner.
	uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
	with:
	scan-type: 'fs'
	ignore-unfixed: true
	format: 'sarif'
	output: 'trivy-fs-scan-tiber.sarif'
	severity: 'CRITICAL,HIGH,MEDIUM'

	- name: Upload Trivy scan results to GitHub Security tab
	if: always()
	uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
	with:
	sarif_file: 'trivy-fs-scan-tiber.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

SBC pod launcher JSON based configuration parser #275

Workflow file

SBC pod launcher JSON based configuration parser #275

Jobs

Run details

Workflow file for this run