diff --git a/.github/workflows/container-scan.yml b/.github/workflows/container-scan.yml index 48b7147..7c86ac5 100644 --- a/.github/workflows/container-scan.yml +++ b/.github/workflows/container-scan.yml @@ -13,20 +13,30 @@ jobs: steps: - name: Checkout code uses: actions/checkout@v4 + - name: Install Docker run: | apt-get update - apt-get install -y docker.io - rm -rf /var/lib/apt/lists/* + apt-get install -y ca-certificates curl + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + chmod a+r /etc/apt/keyrings/docker.asc + echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + apt-get update + apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + - name: Build an image from Dockerfile run: docker build -t git.dominikstahl.dev/dhbw-we/meetup:${{ github.sha }} . + - name: Install Trivy run: | curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.61.0 + - name: Run Trivy vulnerability scanner run: | trivy image --exit-code 1 --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed --no-progress --format table git.dominikstahl.dev/dhbw-we/meetup:${{ github.sha }} trivy image --exit-code 1 --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed --no-progress --format json git.dominikstahl.dev/dhbw-we/meetup:${{ github.sha }} > trivy-report.json + - name: Upload Trivy report uses: forgejo/upload-artifact@v4 with: diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..3578744 --- /dev/null +++ b/.github/workflows/docker-build.yml @@ -0,0 +1,58 @@ +name: docker-build + +on: + push: + branches: + - main + tags: + - "v*" + pull_request: + +jobs: + docker: + runs-on: docker + steps: + - name: Install Docker + run: | + apt-get update + apt-get install -y ca-certificates curl + install -m 0755 -d /etc/apt/keyrings + curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc + chmod a+r /etc/apt/keyrings/docker.asc + echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | tee /etc/apt/sources.list.d/docker.list > /dev/null + apt-get update + apt-get install -y docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + registry: git.dominikstahl.dev + username: ${{ secrets.DOER }} + password: ${{ secrets.TOKEN }} + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Build and push (pull_request) + uses: docker/build-push-action@v6 + if: github.event_name == 'pull_request' + with: + push: true + tags: ${{ github.repository }}:sha_${{ github.sha }},${{ github.repository }}:pr_${{ github.head_ref }} + + - name: Build and push (push_tag) + uses: docker/build-push-action@v6 + if: github.event_name == 'push' && github.ref_type == 'tag' + with: + push: true + tags: ${{ github.repository }}:${{ github.ref_name }},${{ github.repository }}:latest + + - name: Build and push (push_branch) + uses: docker/build-push-action@v6 + if: github.event_name == 'push' && github.ref_type == 'branch' + with: + push: true + tags: ${{ github.repository }}:sha_${{ github.sha }},${{ github.repository }}:main