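---
# File and code auto-generated from GitHub (when initiating GitHub Actions)
# This is a basic workflow to help you get started with Actions
name: CI

# Controls when the action will run. Triggers the workflow on push or pull request
# events but only for the master branch
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    # run the build at midnight every night
    - cron: '0 0 * * *'

# Least-privilege GITHUB_TOKEN: the job only needs to read the checkout and to
# post the image-size comment through the issues/comments endpoint used below.
# Without this block the token carries the repository's default permission set.
permissions:
  contents: read
  issues: write
  pull-requests: write

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "build"
  build:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest
    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # NOTE(review): `@master` is a mutable ref to a third-party action that runs with
      # the job's token; pin it to a release tag or, better, a full commit SHA so an
      # upstream change cannot silently alter this job.
      - name: Maximize build space
        uses: easimon/maximize-build-space@master
        with:
          root-reserve-mb: '16384'
          temp-reserve-mb: '100'
          swap-size-mb: '8192'
          remove-dotnet: 'true'
          remove-android: 'true'
          remove-haskell: 'true'
          remove-codeql: 'true'

      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3

      # Build base dockerfile
      - name: Build the base.Dockerfile
        run: docker build -t base_cloudshell -f linux/base.Dockerfile .

      # Trivy writes its DB and temp files under the workspace so the (possibly
      # space-constrained) runner root is not used.
      - name: Create temporary trivy directories
        run: |
          mkdir -p "$GITHUB_WORKSPACE/trivy-tmp/.cache"
          echo "TMPDIR=$GITHUB_WORKSPACE/trivy-tmp" >> "$GITHUB_ENV"
          echo "TRIVY_CACHE_DIR=$GITHUB_WORKSPACE/trivy-tmp/.cache" >> "$GITHUB_ENV"

      # NOTE(review): the action ref below was mangled by the page rendering
      # ("[email protected]"); restore the pinned trivy-action release from the repository.
      # exit-code '1' makes HIGH/CRITICAL findings fail the job instead of only being
      # logged, so the scan actually gates the build.
      - name: Scan base image with Trivy
        id: trivy-base-scan
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'image'
          image-ref: base_cloudshell
          scanners: 'vuln,config'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'

      # Build tools dockerfile
      - name: Build the tools.Dockerfile
        run: |
          docker build -t tools_cloudshell --build-arg IMAGE_LOCATION=base_cloudshell -f linux/tools.Dockerfile .

      # Same scan policy as the base image (see note above about the action ref).
      - name: Scan Tools image with Trivy
        id: trivy-tools-scan
        uses: aquasecurity/[email protected]
        with:
          scan-type: 'image'
          image-ref: tools_cloudshell
          scanners: 'vuln,config'
          severity: 'HIGH,CRITICAL'
          exit-code: '1'

      # Run the test cases
      - name: Run the test cases
        run: docker run --volume "$(pwd)/tests:/tests" tools_cloudshell /bin/bash /tests/test.sh

      # Show Docker image size.
      # The PR id is only meaningful on pull_request events, where github.ref has the
      # form refs/pull/<n>/merge; on push and schedule runs the sed would not match and
      # the comment POST further down would target a bogus issue path, so both steps
      # are gated on the event name. The ref is passed through env rather than being
      # interpolated into the shell script.
      - name: find the pull request id
        if: github.event_name == 'pull_request'
        env:
          GH_REF: ${{ github.ref }}
        run: echo ISSUEID=$(echo "$GH_REF" | sed 's!refs/pull/\([0-9]*\)/merge!\1!') >> "$GITHUB_ENV"

      - name: find the base size info
        run: echo BASE_SIZE=$(docker inspect base_cloudshell:latest --format "{{.Size}}") >> "$GITHUB_ENV"

      - name: find the tools size info
        run: echo TOOLS_SIZE=$(docker inspect tools_cloudshell:latest --format "{{.Size}}") >> "$GITHUB_ENV"

      # The token and repository name are exposed as environment variables instead of
      # being expanded inside the script text. For pull requests from forks the
      # GITHUB_TOKEN is read-only, so this POST is best-effort and is left non-fatal.
      - name: update a comment with size
        if: github.event_name == 'pull_request'
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          GH_REPOSITORY: ${{ github.repository }}
        run: |
          echo "pull id $ISSUEID size $BASE_SIZE $TOOLS_SIZE" && \
          curl --request POST \
            --url "https://api.github.com/repos/$GH_REPOSITORY/issues/$ISSUEID/comments" \
            --header "authorization: Bearer $GITHUB_TOKEN" \
            --header 'content-type: application/json' \
            --header 'Accept: application/vnd.github.v3+json' \
            --data "{
              \"body\": \"Image size with this change is base: $(($BASE_SIZE / 1048576))MB, tools: $(($TOOLS_SIZE / 1048576))MB. \"
            }"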