Skip to content

Build

Build #217

Workflow file for this run

name: "Build"
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
# Tuesday at 10. One day after the CircleCI scheduled upddate
# See: https://github.com/CircleCI-Public/cimg-base/blob/main/.circleci/schedule.json
- cron: '0 10 * * 2'
workflow_dispatch:
jobs:
build_push_check:
name: Build docker image, publish it and run vuln scanner against it
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for image publication to GitHub Packages
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # 3.6.1
- name: Login to ghcr.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # 3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Free Disk Space (Ubuntu) # Reclaim disk space for build
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
with:
docker-images: false # Do not remove locally built images (including trivy scanner)
- name: Build images
id: build
run: ./build
- name: Test images
run: ./build --test
- name: Describe images
run: ./build --describe >> $GITHUB_STEP_SUMMARY
- name: Push images
run: ./build --push
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@915b19bbe73b92a6cf82a1bc12b087c9a19a5fe2 # v0.28.0
with:
image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
env:
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
keepalive-job:
name: Keep repository alive to prevent workflows to be disabled
if: ${{ always() }}
needs: build_push_check
permissions:
actions: write # for gautamkrishnar/keepalive-workflow to keep the workflow alive
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
- name: Keep workflow alive
uses: gautamkrishnar/keepalive-workflow@24ba73b43d5ea8d2b3d56fb9b8de951ba9a3dd18 # v2.0.6