-
Notifications
You must be signed in to change notification settings - Fork 8
142 lines (142 loc) · 4.69 KB
/
publish_and_trivyscan.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# GHCR:
# GitHub Container Repository
# Images from ghcr are used when deploying prod and dev.
#
# Trivy
# Trivy is a comprehensive and versatile security scanner. Trivy has scanners that look for
# security issues, and targets where it can find those issues.
#
# This action publishes a docker image and then runs the trivy security scan on that image.
# Potential security issues will be uploaded to the security tab in the repository.
#
# https://github.com/aquasecurity/trivy
# ---------------------------------------
# Publish Docker Image to GHCR and run Trivy Security Scan
name: Publish to GHCR (+ Trivy scan)
on:
workflow_dispatch:
pull_request:
push:
branches:
- master
- dev
release:
types: [published]
jobs:
build_tech_overview:
name: Build technical overview
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Build tech overview PDF
uses: docker://pandoc/latex:3.2
with:
entrypoint: /bin/sh
args: >-
-c "
tlmgr update --self &&
tlmgr install cm-super fontaxes lato pdflscape xkeyval &&
updmap-sys &&
pandoc
--output=dds_web/static/dds-technical-overview.pdf
doc/technical-overview.md
"
- name: Upload technical overview PDF
uses: actions/upload-artifact@v4
with:
name: technical-overview-pdf
path: dds_web/static/dds-technical-overview.pdf
build_troubleshooting:
name: Build troubleshooting guide
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Build troubleshooting guide
uses: docker://pandoc/latex:3.2
with:
entrypoint: /bin/sh
args: >-
-c "
tlmgr update --self &&
tlmgr install cm-super fontaxes lato xkeyval &&
updmap-sys &&
pandoc
--output=dds_web/static/dds-troubleshooting.pdf
doc/troubleshooting.md
"
- name: Upload troubleshooting PDF
uses: actions/upload-artifact@v4
with:
name: troubleshooting-pdf
path: dds_web/static/dds-troubleshooting.pdf
push_to_registry:
needs: [build_tech_overview, build_troubleshooting]
if: github.repository == 'ScilifelabDataCentre/dds_web'
name: Push image
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
concurrency:
group: ${{ github.ref }}-docker-trivy
cancel-in-progress: true
steps:
- name: Check out the repo
uses: actions/checkout@v4
- name: Log in to Github Container Repository
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Download technical overview PDF
uses: actions/download-artifact@v4
with:
name: technical-overview-pdf
path: dds_web/static
- name: Download troubleshooting PDF
uses: actions/download-artifact@v4
with:
name: troubleshooting-pdf
path: dds_web/static
- name: Docker metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/scilifelabdatacentre/dds-backend
- name: Ensure lowercase name
run: echo IMAGE_REPOSITORY=$(echo ${{ github.repository }} | tr '[:upper:]' '[:lower:]') >> $GITHUB_ENV
- name: Build for scan
uses: docker/build-push-action@v5
with:
file: Dockerfiles/backend.Dockerfile
context: .
push: false
tags: ghcr.io/${{ env.IMAGE_REPOSITORY }}:sha-${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
with:
image-ref: "ghcr.io/${{ env.IMAGE_REPOSITORY }}:sha-${{ github.sha }}"
format: "sarif"
output: "trivy-results.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to Github Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
category: trivy-build
- name: Publish image
uses: docker/build-push-action@v5
with:
file: Dockerfiles/backend.Dockerfile
context: .
push: true
build-args: version=${{ github.ref_name }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}