From ba3fc49ec8d38576ee8c3806384db80684fa26c8 Mon Sep 17 00:00:00 2001
From: Milosz Linkiewicz
Date: Mon, 1 Jul 2024 20:41:08 +0000
Subject: [PATCH] Workflow for Intel Tiber Build and Validation Process

Workflow for Intel Tiber Build and Validation Process - added Trivy scans - added Docker buildx builder Node - Fixed Ci Documentation Preparation script

Signed-off-by: Milosz Linkiewicz
---
 .github/workflows/build_tiber.yml | 59 +++++++++++++++
 .github/workflows/ci_documentation_update.yml | 6 +-
 .github/workflows/trivy.yml | 74 +++++++++++++++++++
 3 files changed, 137 insertions(+), 2 deletions(-)
 create mode 100644 .github/workflows/build_tiber.yml
 create mode 100644 .github/workflows/trivy.yml

diff --git a/.github/workflows/build_tiber.yml b/.github/workflows/build_tiber.yml
new file mode 100644
index 0000000..d504612
--- /dev/null
+++ b/.github/workflows/build_tiber.yml
@@ -0,0 +1,59 @@
+name: Docker Build
+
+on:
+ workflow_call:
+ workflow_dispatch:
+ pull_request:
+ push:
+ branches: [ "main" ]
+
+permissions:
+ contents: read
+
+env:
+ BUILD_TYPE: "Release"
+ DOCKER_IMAGE_NAME: "docker.io/ovc/tiber-broadcast-suite"
+ DOCKER_IMAGE_TAG: "${{ github.sha }}"
+ DEBIAN_FRONTEND: "noninteractive"
+
+jobs:
+ docker:
+ name: "Dockerfile build for Intel® Tiber™ Broadcast Suite"
+ runs-on: ubuntu-22.04
+ timeout-minutes: 120
+ steps:
+ - name: "Preparation: Harden Runner"
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: "Preparation: Repository Checkout"
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ - name: "Configuration: QEMU for Docker setup"
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+
+ - name: "Configuration: Docker with Buildx Toolkit set up"
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ with:
+ buildkitd-flags: --debug
+
+ - name: "Validation: Build/Push Dokcerfile"
+ uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
+ with:
+ file: Dockerfile
+ context: .
+ push: false
+ tags: "${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+
+ - name: "Validation: Run Trivy vulnerability scanner on image"
+ uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+ with:
+ image-ref: "${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
+ format: "sarif"
+ output: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"
+
+ - name: "Finish: Upload Trivy scan results to GitHub Security tab"
+ uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+ with:
+ sarif_file: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"
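Review bot: The final step "Finish: Upload Trivy scan results to GitHub Security tab" calls `github/codeql-action/upload-sarif`, which needs the `security-events: write` permission, but this workflow grants only `permissions: contents: read` at the top and the `docker` job declares no permissions of its own, so the upload will be refused and the scan results never reach the Security tab. Give the job its own block, `permissions:` / `  contents: read` / `  security-events: write`, as trivy.yml in this same commit already does. The image scan also looks likely to miss its target: `docker/build-push-action` runs with `push: false` and no `load: true`, and with the container driver that `docker/setup-buildx-action` sets up the built image stays inside BuildKit rather than being imported into the local Docker daemon, so `aquasecurity/trivy-action` would try to pull `docker.io/ovc/tiber-broadcast-suite:<sha>` from the registry instead of scanning what was just built; add `load: true` under the build step's `with:`. Minor points: `buildkitd-flags: --debug` enables verbose BuildKit daemon logging on every CI build, which is rarely wanted outside troubleshooting, and the step name "Build/Push Dokcerfile" has a typo.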
diff --git a/.github/workflows/ci_documentation_update.yml b/.github/workflows/ci_documentation_update.yml
index 59752ab..85fb81c 100644
--- a/.github/workflows/ci_documentation_update.yml
+++ b/.github/workflows/ci_documentation_update.yml
@@ -15,7 +15,7 @@ jobs:
 environment:
 name: github-pages
 url: ${{ steps.deployment.outputs.page_url }}
- runs-on: ubuntu-latest
+ runs-on: ubuntu-22.04
 timeout-minutes: 20
 steps:
 - name: Secure the runner
@@ -27,7 +27,9 @@ jobs:
 uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
 - name: Prepare operating system for documentation build
- run: apt install make python3 python3-pip python3-sphinx
+ run: |
+ sudo apt-get update -y && \
+ sudo apt-get install -y --no-install-recommends make python3 python3-pip python3-sphinx
 - name: Prepare environment for documentation build
 run: python3 -m pip install sphinx_book_theme myst_parser sphinxcontrib.mermaid sphinx-copybutton
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
new file mode 100644
index 0000000..0e8f057
--- /dev/null
+++ b/.github/workflows/trivy.yml
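Review bot: In the second hunk, the `&& \` closing `sudo apt-get update -y && \` inside the new `run: |` block is redundant: a literal block scalar already hands the shell two separate lines, and the default GitHub Actions shell runs `bash -eo pipefail`, so a failing `apt-get update` already aborts the step. Writing `sudo apt-get update -y` and `sudo apt-get install -y --no-install-recommends make python3 python3-pip python3-sphinx` as two plain lines reads as ordinary shell and avoids a line-continuation backslash embedded in YAML. If the workflow does not set `DEBIAN_FRONTEND: noninteractive` elsewhere (the `env` block is outside this hunk), the `apt-get install` could stall on a configuration prompt, which the two new workflows in this commit guard against via their `env:` section; the enclosing `steps:` list continues outside the hunk.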
@@ -0,0 +1,74 @@
+name: Trivy for Intel® Tiber™ Broadcast Suite
+on:
+ push:
+ workflow_call:
+ workflow_dispatch:
+ branches: [main]
+ pull_request:
+
+env:
+ BUILD_TYPE: "Release"
+ DOCKER_IMAGE_NAME: "docker.io/ovc/tiber-broadcast-suite"
+ DOCKER_IMAGE_TAG: "${{ github.sha }}"
+ DEBIAN_FRONTEND: "noninteractive"
+
+permissions:
+ contents: read
+
+jobs:
+ checkout_code:
+ name: "Node Preparations for Intel® Tiber™ Broadcast Suite"
+ runs-on: ubuntu-22.04
+ steps:
+ - name: Harden Runner
+ uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
+ with:
+ egress-policy: audit
+
+ - name: Checkout code
+ uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6
+
+ trivy-code-scan:
+ name: "Code-Scan for Intel® Tiber™ Broadcast Suite"
+ runs-on: ubuntu-22.04
+ needs: checkout_code
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Run Trivy 'config' type vulnerability scanner.
+ uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+ with:
+ scan-type: 'config'
+ hide-progress: false
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-config-tiber-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+ with:
+ sarif_file: 'trivy-config-tiber-results.sarif'
+
+ trivy-fs-scan:
+ name: "Code-FS-Scan for Intel® Tiber™ Broadcast Suite"
+ runs-on: ubuntu-22.04
+ needs: checkout_code
+ permissions:
+ contents: read
+ security-events: write
+ steps:
+ - name: Run Trivy 'fs' type vulnerability scanner.
+ uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
+ with:
+ scan-type: 'fs'
+ ignore-unfixed: true
+ format: 'sarif'
+ output: 'trivy-fs-tiber-results.sarif'
+ severity: 'CRITICAL,HIGH,MEDIUM'
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
+ with:
+ sarif_file: 'trivy-fs-tiber-results.sarif'
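Review bot: Neither `trivy-code-scan` nor `trivy-fs-scan` checks the repository out, so both scans run against an empty workspace: `needs: checkout_code` only orders the jobs, and each job starts on a fresh runner whose filesystem is not shared with `checkout_code`, so the `config` and `fs` scans will report nothing regardless of what the repository contains. Add `- uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6` (preceded by the same `step-security/harden-runner` step, which the scanning jobs currently also lack) as the first steps of each scanning job and drop the now-pointless `checkout_code` job. Under `on:`, the key `branches: [main]` sits as a sibling of `push:` and `pull_request:` rather than beneath `push:`; GitHub's workflow validator should reject it as an unexpected key at that level, and if it were tolerated it would mean every push, not just pushes to main, triggers the workflow, so nest it as `push:` / `  branches: [main]`. With `ignore-unfixed: true` in both scan steps, findings without a fixed version are left out of the SARIF, which keeps noise down but means the Security tab under-reports; a comment such as `# unfixed findings omitted to reduce noise; set false for the full picture` would record that this is deliberate.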