diff --git a/.github/configs/super-linter/.clang-format b/.github/configs/super-linter/.clang-format new file mode 100644 index 00000000..9b3aa8b7 --- /dev/null +++ b/.github/configs/super-linter/.clang-format @@ -0,0 +1 @@ +BasedOnStyle: LLVM diff --git a/.github/configs/super-linter/.golangci.yml b/.github/configs/super-linter/.golangci.yml new file mode 100644 index 00000000..873a719e --- /dev/null +++ b/.github/configs/super-linter/.golangci.yml @@ -0,0 +1,37 @@ +--- +######################### +######################### +## Golang Linter rules ## +######################### +######################### + +# configure golangci-lint +# see https://github.com/golangci/golangci-lint/blob/master/.golangci.example.yml +issues: + exclude-rules: + - path: _test\.go + linters: + - dupl + - gosec + - goconst +linters: + enable: + - gosec + - unconvert + - gocyclo + - goconst + - goimports + - gocritic + - govet + - revive +linters-settings: + errcheck: + # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`; + # default is false: such cases aren't reported by default. + check-blank: true + govet: + enable: + - shadow + gocyclo: + # minimal code complexity to report, 30 by default + min-complexity: 15 diff --git a/.github/configs/super-linter/.markdown-lint.yml b/.github/configs/super-linter/.markdown-lint.yml new file mode 100644 index 00000000..f4abcce9 --- /dev/null +++ b/.github/configs/super-linter/.markdown-lint.yml 
@@ -0,0 +1,35 @@ +--- +########################### +########################### +## Markdown Linter rules ## +########################### +########################### + +# Linter rules doc: +# - https://github.com/DavidAnson/markdownlint +# +# Note: +# To comment out a single error: +# +# any violations you want +# +# + +############### +# Rules by id # +############### +MD004: false # Unordered list style +MD007: + indent: 2 # Unordered list indentation +MD013: + line_length: 400 # Line length 80 is far too short +MD026: + punctuation: ".,;:!。,;:" # List of not allowed +MD029: false # Ordered list item prefix +MD033: false # Allow inline HTML +MD036: false # Emphasis used instead of a heading + +################# +# Rules by tags # +################# +blank_lines: false # Error on blank lines diff --git a/.github/configs/super-linter/.python-lint b/.github/configs/super-linter/.python-lint new file mode 100644 index 00000000..30b8045e --- /dev/null +++ b/.github/configs/super-linter/.python-lint @@ -0,0 +1,10 @@ +[MASTER] + +# Use multiple processes to speed up Pylint. +jobs=0 + +[MESSAGES CONTROL] + +# Ignoring Import Errors is desired as super-linter +# does not support installing dependencies as it runs +disable=import-error diff --git a/.github/configs/super-linter/.yaml-lint.yml b/.github/configs/super-linter/.yaml-lint.yml new file mode 100644 index 00000000..2aa49bd1 --- /dev/null +++ b/.github/configs/super-linter/.yaml-lint.yml 
@@ -0,0 +1,59 @@ +--- +########################################### +# These are the rules used for # +# linting all the yaml files in the stack # +# NOTE: # +# You can disable line with: # +# # yamllint disable-line # +########################################### +rules: + braces: + level: warning + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: 1 + max-spaces-inside-empty: 5 + brackets: + level: warning + min-spaces-inside: 0 + max-spaces-inside: 0 + min-spaces-inside-empty: 1 + max-spaces-inside-empty: 5 + colons: + level: warning + max-spaces-before: 0 + max-spaces-after: 1 + commas: + level: warning + max-spaces-before: 0 + min-spaces-after: 1 + max-spaces-after: 1 + comments: disable + comments-indentation: disable + document-end: disable + document-start: + level: warning + present: true + empty-lines: + level: warning + max: 2 + max-start: 0 + max-end: 0 + hyphens: + level: warning + max-spaces-after: 1 + indentation: + level: warning + spaces: consistent + indent-sequences: true + check-multi-line-strings: false + key-duplicates: enable + line-length: + level: warning + max: 80 + allow-non-breakable-words: true + allow-non-breakable-inline-mappings: true + new-line-at-end-of-file: disable + new-lines: + type: unix + trailing-spaces: disable diff --git a/.github/scripts/github_common.sh b/.github/scripts/github_common.sh new file mode 100644 index 00000000..2f49c5a3 --- /dev/null +++ b/.github/scripts/github_common.sh 
@@ -0,0 +1,191 @@ +#!/bin/bash + +# SPDX-License-Identifier: BSD-3-Clause +# Copyright 2024 Intel Corporation + +script_dir=$(readlink -f "$(dirname "${BASH_SOURCE[0]}")") +repository_root=$(readlink -f "${script_dir}/../..") + +# shellcheck source="../../scripts/common.sh" +. "${repository_root}/scripts/common.sh" + +allow_non_ascii_filenames="false" + +function get_main_sha() +{ + log_info "Getting origin/main commit SHA" + git_origin_main=$(git rev-parse --verify origin/main) + log_info "running against origin/master=${git_origin_main}" + echo $git_origin_main +} + +function get_head_sha() +{ + log_info "Getting HEAD commit SHA" + if $(git rev-parse --verify HEAD >/dev/null 2>&1) + then + git_current_hash=$(git rev-parse --verify HEAD) + else + echo "This is first commit, nothing to check, exiting" + exit 0 + fi + log_info "running against HEAD=${git_current_hash}" + echo $git_current_hash +} + +function check_nonascii_files() +{ + local github_origin_main="$1" + local github_current_hash="$2" + local allow_non_ascii=${3:-false} + + if [ "$allow_non_ascii" == "false" ] + then + if test $(git diff --diff-filter=AR --relative --name-only -z $github_origin_main $github_current_hash | LC_ALL=C tr -d '[ -~]\0' | wc -c) != 0 + then + cat <&2 + exit 1 + fi + printf "${modified_file}" | cut -d'/' "-f${fields_range}" +} + +function files_subdir_types() +{ + local github_origin_main="$1" + local github_current_hash="$2" + +# diff-filter params, uppercase include, lowercase exclude: +# Added (A), Copied (C), Deleted (D), Modified (M), Renamed (R), changed (T), Unmerged (U), Unknown (X), pairing Broken (B) + modified_file_list="$(git diff --diff-filter=dxb --relative --name-only -z $github_origin_main $github_current_hash | xargs -0)" + + for pt in $modified_file_list + do + modified_file="$(readlink -f "${pt}")" + + [ -d "$modified_file" ] && modified_dir="$modified_file" || modified_dir="$(dirname "$modified_file")"; + case $(check_file_subdir_type "${modified_file}") in 
+ deployment) + deployment_subdir_check "${modified_file}" "${modified_dir}" + ;; + + config) + configuration_subdir_check "${modified_file}" + ;; + + docs) + documentation_subdir_check "${modified_file}" + ;; + + .github) + github_workflow_subdir_check "${modified_file}" + ;; + + tests|scripts) + ansible_subdir_check "${modified_file}" + ;; + + *) + if echo "${modified_file}" | grep --silent ".*\.sh\$"; then + shell_script_file_check "${modified_file}" + elif echo "${modified_file}" | grep --silent ".*\.py\$"; then + python_script_file_check "${modified_file}" + elif echo "${modified_file}" | grep --silent "\(\.yaml\$\)\|\(\.yml\$\)"; then + ansible_subdir_check "${modified_file}" + else + other_file_check "${modified_file}" + fi + ;; + esac + done +} + +function images_subdir_check { + local filepath="$1" + shift + log_info "Dockerfiles images subdirectory. ${filepath}" +} + +function deployment_subdir_check() { + local filepath="$1" + local dirpath="$2" + shift; shift; + log_info "Helm Charts deployment subdirectory. ${filepath}" + helm lint "$dirpath" 1>&2 || true +} + +function ansible_subdir_check() { + local filepath="$1" + local dirpath="$2" + shift; shift; + echo "ansible roles and playbooks subdirectory. ${filepath}" + ansible-lint "$filepath" 1>&2 || true +} + +function inventories_subdir_check() { + local filepath="$1" + shift + log_info "inventories files subdirectory. ${filepath}" +} + +function configuration_subdir_check() { + local filepath="$1" + shift + log_info "configuration files subdirectory. ${filepath}" +} + +function documentation_subdir_check() { + local filepath="$1" + shift + log_info "documentation files and styles subdirectory. ${filepath}" +} + +function github_workflow_subdir_check() { + local filepath="$1" + shift + log_info "GitHub workflows subdirectory. ${filepath}" +} + +function shell_script_file_check() { + local filepath="$1" + shift + log_info "Shell script file path. 
${filepath}" + shellcheck -f tty "${repository_root}/$filepath" 1>&2 +} + +function python_script_file_check() { + local filepath="$1" + shift + log_info "Python script file path. ${filepath}" +} + +function other_file_check() { + local filepath="$1" + shift + log_info "Other file path, not categorized. ${filepath}" +} + +function start_git_head_parsing() { + cd "${repository_root}" + git_current_hash="$(get_head_sha)" + git_origin_main="$(get_main_sha)" + check_nonascii_files "$git_origin_main" "$git_current_hash" allow_non_ascii_filenames + files_subdir_types "$git_origin_main" "$git_current_hash" || true +} + +start_git_head_parsing diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index c7a230f9..5dfc33ec 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml @@ -20,7 +20,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml index 12f31fa4..94509fd9 100644 --- a/.github/workflows/coverity.yml +++ b/.github/workflows/coverity.yml @@ -20,6 +20,10 @@ env: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true + jobs: coverity: runs-on: 'ubuntu-22.04' @@ -89,7 +93,7 @@ jobs: ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh && \ ${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh - - uses: actions/upload-artifact@v4 + - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 with: name: coverity-reports path: '${{ github.workspace }}/cov-int' diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml index 10a3959c..552af50b 100644 --- a/.github/workflows/dependency-review.yml 
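Review bot: `start_git_head_parsing` passes the literal word `allow_non_ascii_filenames` as the third argument of `check_nonascii_files` rather than the variable's value, so inside the function `allow_non_ascii` is never equal to `"false"` and the non-ASCII filename check is skipped unconditionally; the call should read `check_nonascii_files "$git_origin_main" "$git_current_hash" "$allow_non_ascii_filenames"`. The line `printf "${modified_file}" | cut -d'/' "-f${fields_range}"` (in the function whose header is lost in this rendering, near the stripped `cat <` heredoc) uses a file name as the printf format string, so a name containing `%` is misinterpreted; `printf '%s' "${modified_file}"` avoids that. `files_subdir_types` undoes its own `-z`/`xargs -0` handling by iterating `for pt in $modified_file_list`, which word-splits and glob-expands names containing spaces or shell metacharacters; reading the raw `-z` output with `while IFS= read -r -d '' pt` keeps each path intact. Separately, `get_main_sha` resolves `origin/main` but logs `running against origin/master=…`, which will mislead whoever reads the job output.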
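Review bot: Changing the fallback key of the `concurrency` group from `github.ref` to `github.sha` means runs for different commits pushed to the same branch no longer share a group, so `cancel-in-progress: true` can only ever cancel a re-run of the same commit; only the `github.event.pull_request.number` part of the expression still groups runs. If scanning every pushed commit individually is the intent, that is defensible for a security scan, but it should be recorded so the next maintainer does not revert it, e.g. `# keyed on the commit SHA: runs for different commits on one branch are never cancelled, only same-PR runs are` placed above `concurrency:`. The same change is made in coverity.yml, dependency-review.yml, docker-cached-build.yml, github_pages_update.yml, scorecard.yml and template-docker-cached-build.yml, and the comment belongs in each of them.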
+++ b/.github/workflows/dependency-review.yml 
@@ -1,21 +1,77 @@ # Source repository: https://github.com/actions/dependency-review-action + name: scan-dependency-review on: [pull_request] permissions: contents: read +env: + LINTER_RULES_PATH: .github/configs/super-linter + +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true jobs: dependency-review: - runs-on: ubuntu-latest + name: 'Super-linter: Workflow initializing' + runs-on: 'ubuntu-22.04' steps: - - name: 'Harden Runner' + - name: 'dependency-review: harden runner' uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 with: egress-policy: audit - - name: 'Checkout Repository' + - name: 'dependency-review: checkout repository' uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: 'Dependency Review' + - name: 'dependency-review: perform dependency-review action' uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3 + + super-linter: + name: 'super-linter: Workflow initializing' + runs-on: 'ubuntu-22.04' + permissions: + contents: read + packages: read + timeout-minutes: 90 + env: + SUPER_LINTER_OUTPUT_DIRECTORY_NAME: super-linter-output + SUPER_LINTER_SUMMARY_FILE_NAME: super-linter-summary.md + SAVE_SUPER_LINTER_SUMMARY: true + ENABLE_GITHUB_ACTIONS_STEP_SUMMARY : true + steps: + - name: 'super-linter: Harden Runner' + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: 'super-linter: checkout repository [fetch-depth=0]' + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + with: + fetch-depth: 0 + ref: ${{ inputs.branch }} + + - name: 'super-linter: perform super-linter scan workflow.' 
+ uses: super-linter/super-linter/slim@e1cb86b6e8d119f789513668b4b30bf17fe1efe4 # v7.2.0 x-release-please-version + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DISABLE_ERRORS: true + VALIDATE_PROTOBUF: true + VALIDATE_MARKDOWN: true + VALIDATE_MARKDOWN_PRETTIER: true + VALIDATE_JSONC: true + VALIDATE_GO: true + VALIDATE_GITHUB_ACTIONS: true + VALIDATE_CPP: true + VALIDATE_CLANG_FORMAT: true + VALIDATE_BASH: true + VALIDATE_BASH_EXEC: true + + - name: 'super-linter: upload linter results as an artifact.' + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + if: env.SAVE_SUPER_LINTER_SUMMARY == 'true' || env.ENABLE_GITHUB_ACTIONS_STEP_SUMMARY == 'true' + with: + name: coverity-reports + path: + '${{ github.workspace }}/${{ env.SUPER_LINTER_OUTPUT_DIRECTORY_NAME }}/${{ env.SUPER_LINTER_SUMMARY_FILE_NAME }}' diff --git a/.github/workflows/docker-cached-build.yml b/.github/workflows/docker-cached-build.yml index f57bce3e..ea40e019 100644 --- a/.github/workflows/docker-cached-build.yml +++ b/.github/workflows/docker-cached-build.yml 
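Review bot: The super-linter upload step names its artifact `coverity-reports`, evidently copied from coverity.yml, although it carries the super-linter summary; it should be named after its contents, e.g. `name: super-linter-reports` (constructed name, adjust to the project's convention). The `dependency-review` job is likewise titled `'Super-linter: Workflow initializing'`, which mislabels it in the checks UI and should be something like `'dependency-review: scan pull request dependencies'`. The checkout step's `ref: ${{ inputs.branch }}` expands to an empty string under the `on: [pull_request]` trigger, because the `inputs` context is only populated for `workflow_dispatch` and `workflow_call`, so the step silently checks out the default ref; either drop the `ref:` line or add the trigger that supplies `branch`. `ENABLE_GITHUB_ACTIONS_STEP_SUMMARY : true` has a space before the colon, which the repository's own `.yaml-lint.yml` (`colons: max-spaces-before: 0`) added in this same commit reports as a warning.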
@@ -10,344 +10,49 @@ on: permissions: contents: read -env: - CONCURRENCY_GROUP: "${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}" - BUILD_TYPE: "Release" - DOCKER_REGISTRY: "ghcr.io" - DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && false }}" - DOCKER_BUILD_ARGS: "" - DOCKER_PLATFORMS: "linux/amd64" - DOCKER_IMAGE_PUSH: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && github.event_name == 'push' && false }}" - DOCKER_IMAGE_BASE: "ghcr.io/openvisualcloud/media-communications-mesh" - DOCKER_IMAGE_TAG: "${{ github.sha }}" - concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: sdk-image-build: - name: Build sdk Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "sdk/Dockerfile" - DOCKER_IMAGE_NAME: "sdk" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff 
# v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ 
env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build sdk Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "sdk/Dockerfile" + docker_image_name: "sdk" ffmpeg-6-1-image-build: - name: Build ffmpeg v6.1 Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "ffmpeg-plugin/Dockerfile" - DOCKER_IMAGE_NAME: "ffmpeg-6-1" - DOCKER_BUILD_ARGS: "FFMPEG_VER=6.1" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty format." 
- if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # 
v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build ffmpeg v6.1 Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "ffmpeg-plugin/Dockerfile" + docker_image_name: "ffmpeg-6-1" + docker_build_args: "FFMPEG_VER=6.1" ffmpeg-7-0-image-build: - name: Build ffmpeg v7.0 Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "ffmpeg-plugin/Dockerfile" - DOCKER_IMAGE_NAME: "ffmpeg-7-0" - DOCKER_BUILD_ARGS: "FFMPEG_VER=7.0" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: 
.github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build ffmpeg 
v7.0 Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "ffmpeg-plugin/Dockerfile" + docker_image_name: "ffmpeg-7-0" + docker_build_args: "FFMPEG_VER=7.0" media-proxy-image-build: - name: Build Media-Proxy Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: media-proxy/Dockerfile - DOCKER_IMAGE_NAME: media-proxy - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - 
with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build Media-Proxy Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "media-proxy/Dockerfile" + docker_image_name: "media-proxy" 
diff --git a/.github/workflows/github_pages_update.yml b/.github/workflows/github_pages_update.yml index 742f745f..16825557 100644 --- a/.github/workflows/github_pages_update.yml +++ b/.github/workflows/github_pages_update.yml @@ -11,6 +11,10 @@ env: permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} + cancel-in-progress: true + jobs: publishGitHubPages: name: Publish GitHub Pages diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index d78cd941..b611854b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -15,7 +15,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -42,7 +42,7 @@ jobs: - name: "scorecard: Run analysis" uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: - results_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + results_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" results_format: sarif repo_token: ${{ secrets.GITHUB_TOKEN }} publish_results: true 
@@ -51,11 +51,11 @@ jobs: - name: "scorecard: Upload results artifact" uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3 with: - name: "scorecard-scan-results-${{ github.event.pull_request.number || github.ref }}" - path: "scorecard-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + name: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}" + path: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" retention-days: 5 - name: "scorecard: Upload results to code-scanning" uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: - sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" diff --git a/.github/workflows/template-docker-cached-build.yml b/.github/workflows/template-docker-cached-build.yml new file mode 100644 index 00000000..b503592e --- /dev/null +++ b/.github/workflows/template-docker-cached-build.yml 
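Review bot: The `actions/upload-artifact` pin in the context directly above the changed `name:`/`path:` lines stays at `65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3`, while this same commit moves coverity.yml and dependency-review.yml to `b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3`; bumping it here as well keeps a single pinned version of the action across the workflows, which is easier to audit and to update. The expression `scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}` is now spelled out four times across `results_file`, `name`, `path` and `sarif_file` (the first in the preceding hunk); a job-level `env:` entry holding the base name would keep the four from drifting apart in a later edit.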
@@ -0,0 +1,142 @@ +name: template-docker-cached-build + +on: + workflow_call: + inputs: + build_type: + required: false + type: string + default: 'Release' + docker_registry: + required: false + type: string + default: 'ghcr.io' + docker_registry_prefix: + required: false + type: string + default: 'openvisualcloud/media-communications-mesh' + docker_registry_login: + required: false + type: boolean + default: false + docker_registry_push: + required: false + type: boolean + default: false + docker_build_args: + required: false + type: string + default: '' + docker_build_platforms: + required: false + type: string + default: 'linux/amd64' + docker_image_tag: + required: false + type: string + docker_image_name: + required: true + type: string + docker_file_path: + required: false + type: string + default: './Dockerfile' + secrets: + docker_registry_login: + required: false + docker_registry_passkey: + required: false + +permissions: + contents: read + +jobs: + scan-and-build-docker-image: + name: "${{ inputs.docker_image_name }}: Performing scan and build of Dockerfile." 
+ runs-on: ubuntu-22.04 + permissions: + contents: read + security-events: write + timeout-minutes: 60 + env: + BUILD_TYPE: "${{ inputs.build_type }}" + CONCURRENCY_GROUP: "${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}" + DOCKER_REGISTRY: "${{ inputs.docker_registry }}" + DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_login }}" + DOCKER_BUILD_ARGS: "${{ inputs.docker_build_args }}" + DOCKER_PLATFORMS: "${{ inputs.docker_build_platforms }}" + DOCKER_IMAGE_PUSH: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_push }}" + DOCKER_IMAGE_BASE: "${{ inputs.docker_registry }}/${{ inputs.docker_registry_prefix }}" + DOCKER_IMAGE_TAG: "${{ inputs.docker_image_tag || github.sha }}" + DOCKER_IMAGE_NAME: "${{ inputs.docker_image_name }}" + DOCKER_FILE_PATH: "${{ inputs.docker_file_path }}" + steps: + - name: "${{ inputs.docker_image_name }}: Harden Runner" + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: "${{ inputs.docker_image_name }}: Set up Docker Buildx" + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + with: + buildkitd-flags: --debug + + - name: "${{ inputs.docker_image_name }}: Checkout repository" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan sarif format" + uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + with: + dockerfile: "${{ env.DOCKER_FILE_PATH }}" + config: .github/configs/hadolint.yaml + format: sarif + output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + no-fail: true + failure-threshold: info + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint upload results to Security tab" + uses: 
github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + with: + sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Login to Docker Container Registry" + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} + with: + registry: "${{ env.DOCKER_REGISTRY }}" + username: "${{ secrets.docker_registry_login || env.GITHUB_ACTOR }}" + password: "${{ secrets.docker_registry_passkey || secrets.GITHUB_TOKEN }}" + + - name: "${{ inputs.docker_image_name }}: Build and push image" + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + with: + load: true + push: "${{ env.DOCKER_IMAGE_PUSH }}" + outputs: type=docker + platforms: "${{ env.DOCKER_PLATFORMS }}" + file: "${{ env.DOCKER_FILE_PATH }}" + tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" + cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} + cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} + build-args: "${{ env.DOCKER_BUILD_ARGS }}" + + - name: "${{ inputs.docker_image_name }}: Scanner Trivy run vulnerability scanner on image" + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + with: + image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" + format: "sarif" + output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Scanner Trivy upload results to Security tab" + uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + with: + sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan tty output" 
+ if: always() + uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + with: + dockerfile: "${{ env.DOCKER_FILE_PATH }}" + config: .github/configs/hadolint.yaml + format: tty + failure-threshold: warning diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 6058325c..4bbd6018 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -1,9 +1,9 @@ name: scan-trivy-workflow on: push: - branches: [ "main", "master", "dev", "devel", "develop", "maint-*" ] + branches: [ "main", "maint-*" ] pull_request: - branches: [ "main", "master", "dev", "devel", "develop", "maint-*" ] + branches: [ "main", "maint-*" ] workflow_dispatch: inputs: branch: @@ -15,7 +15,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -42,7 +42,7 @@ jobs: skip-dirs: deployment #helm charts not supported exit-code: '0' format: 'sarif' - output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" - name: "Trivy: Run vulnerability scanner for type=config (out=table)" if: always() 
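Review bot: The registry login falls back to `secrets.GITHUB_TOKEN`, but the job only grants `contents: read` and `security-events: write`, so with `docker_registry_push: true` and no `docker_registry_passkey` the push to ghcr.io is rejected for lack of `packages: write`; either add `packages: write` to the job permissions or fail early when push is enabled without a passkey. The `username` expression reads `env.GITHUB_ACTOR`, which is a runner default variable rather than a workflow `env` entry and likely expands empty in an expression; `github.actor` is the documented form. The build step also combines `load: true` with `push: ${{ env.DOCKER_IMAGE_PUSH }}`, and docker/build-push-action rejects those two together, so a push-enabled call presumably fails before Trivy ever runs. Note as well that the Trivy image scan runs after the push and sets no `exit-code`, so a vulnerable image is already published by the time findings reach the Security tab; scanning the loaded image before the push step (or splitting build and push) would make the scan a gate rather than a report.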
@@ -52,26 +52,26 @@ jobs: skip-dirs: deployment #helm charts not supported exit-code: '0' format: 'table' - output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.ref }}.txt" + output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt" - name: "Trivy: Upload scan results to GitHub Security tab" if: always() uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: - sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" - name: "Trivy: Upload scan results as artifacts (out=sarif)" uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3 if: always() with: - name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || github.ref }}" - path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.ref }}.sarif" + name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || github.sha }}" + path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" retention-days: 5 - name: "Trivy: Upload scan results as artifacts (out=table)" uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3 if: always() with: - name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || github.ref }}" - path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.ref }}.txt" + name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || github.sha }}" + path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt" retention-days: 5 diff --git a/.github/workflows/ubuntu-build.yml b/.github/workflows/ubuntu-build.yml index f254b758..60f0b13f 100644 --- a/.github/workflows/ubuntu-build.yml +++ b/.github/workflows/ubuntu-build.yml 
@@ -21,7 +21,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -83,10 +83,32 @@ jobs: run: eval 'source scripts/setup_build_env.sh && lib_install_grpc' - name: 'Build MCM SDK and Media Proxy' - run: ./build.sh + run: eval 'source scripts/common.sh && ./build.sh "${PREFIX_DIR}"' - - name: 'Build MCM FFmpeg plugin' + - name: 'Build FFmpeg 6.1 with MCM plugin' working-directory: ${{ github.workspace }}/ffmpeg-plugin run: | - ./configure-ffmpeg.sh && \ - ./build-ffmpeg.sh + ./configure-ffmpeg.sh "6.1" && \ + ./build-ffmpeg.sh "6.1" + + - name: 'Build FFmpeg 7.0 with MCM plugin' + working-directory: ${{ github.workspace }}/ffmpeg-plugin + run: | + ./configure-ffmpeg.sh "7.0" && \ + ./build-ffmpeg.sh "7.0" + + - name: 'Scanner: Send to VirusTotal for analysis' + id: vt + uses: cssnr/virustotal-action@331c320c79202fdaa7a30f16163390f8d09c3f45 # v1.2.0 + with: + github_token: ${{ secrets.GITHUB_TOKEN }} + vt_api_key: ${{ secrets.VT_API_KEY }} + file_globs: | + _build/mcm/lib/*.so* + _build/mcm/bin/* + _install/usr/local/sbin/* + _build/ffmpeg-6-1/ffmpeg + _build/ffmpeg-7-0/ffmpeg + + - name: 'Scanner: Print scan results' + run: echo ${{ steps.vt.outputs.results }} diff --git a/build.sh b/build.sh index 1bfd76e6..e3f299ed 100755 --- a/build.sh +++ b/build.sh @@ -24,12 +24,12 @@ cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \ -DBUILD_UNIT_TESTS="${BUILD_UNIT_TESTS}" \ -B "${MCM_BUILD_DIR}" -S "${SCRIPT_DIR}" cmake --build "${MCM_BUILD_DIR}" -j - -as_root make -C "${MCM_BUILD_DIR}" install +make -j "${NPROC}" -C "${MCM_BUILD_DIR}" if [[ $# -ne 0 ]]; then DESTDIR="${1:-$DESTDIR}" make -C "${MCM_BUILD_DIR}" install fi +as_root make -C "${MCM_BUILD_DIR}" install as_root ln -s /usr/lib64/libbpf.so.1 /usr/lib/x86_64-linux-gnu/libbpf.so.1 2>/dev/null || true as_root ldconfig 
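Review bot: `run: echo ${{ steps.vt.outputs.results }}` interpolates an action output directly into the shell script, so any shell metacharacters in the VirusTotal result text are executed rather than printed; pass it through the environment instead: `env:` / `  RESULTS: ${{ steps.vt.outputs.results }}` / `run: echo "$RESULTS"`. The VirusTotal step has no guard for a missing `secrets.VT_API_KEY`; if this workflow also runs for pull requests from forks (the trigger block is outside the hunk), secrets are empty there and the step would fail the whole build, so gating it on the key being present, for example via a job-level env entry checked in the step's `if`, keeps the build itself green. The `file_globs` list also uploads every built binary to a third-party service on each run, which is worth a one-line comment stating that this is intended for release-candidate artifacts.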
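Review bot: `make -j "${NPROC}"` aborts with GNU make's "the '-j' option requires a positive integral argument" whenever NPROC is unset, and nothing in this hunk defines it; the workflow change in this same diff now sources scripts/common.sh before calling build.sh, which suggests that is where it comes from, but media-proxy/build.sh and sdk/build.sh (same change) are also invoked directly from ffmpeg-plugin/Dockerfile without it. `make -j "${NPROC:-$(nproc)}" -C "${MCM_BUILD_DIR}"` keeps all three scripts working standalone. In build.sh the new `make` line directly follows `cmake --build "${MCM_BUILD_DIR}" -j`, which already built the tree, so one of the two is redundant. The root install is still unconditional after the staged DESTDIR install, so passing a prefix does not avoid writing to the host; if that is intended, a comment above `as_root make ... install` saying so would spare the next reader the same question.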
diff --git a/ffmpeg-plugin/Dockerfile b/ffmpeg-plugin/Dockerfile index 5ebaba79..28a7175b 100644 --- a/ffmpeg-plugin/Dockerfile +++ b/ffmpeg-plugin/Dockerfile @@ -49,11 +49,11 @@ COPY . ${MCM_DIR} WORKDIR ${MCM_DIR} RUN ./sdk/build.sh && \ INSTALL_PREFIX="${PREFIX_DIR}/usr/local" ./sdk/build.sh && \ - ./ffmpeg-plugin/clone-and-patch-ffmpeg.sh && \ - ./ffmpeg-plugin/configure-ffmpeg.sh --enable-libx264 --enable-gpl --prefix="${PREFIX_DIR}/usr/local" + ./ffmpeg-plugin/clone-and-patch-ffmpeg.sh "${FFMPEG_VER}" && \ + ./ffmpeg-plugin/configure-ffmpeg.sh "${FFMPEG_VER}" --enable-libx264 --enable-gpl --prefix="${PREFIX_DIR}/usr/local" WORKDIR ${MCM_DIR}/ffmpeg-plugin -RUN ./build-ffmpeg.sh +RUN ./build-ffmpeg.sh "${FFMPEG_VER}" ARG IMAGE_CACHE_REGISTRY ARG IMAGE_NAME diff --git a/ffmpeg-plugin/configure-ffmpeg.sh b/ffmpeg-plugin/configure-ffmpeg.sh index 9a718ac5..12b00881 100755 --- a/ffmpeg-plugin/configure-ffmpeg.sh +++ b/ffmpeg-plugin/configure-ffmpeg.sh @@ -5,6 +5,10 @@ set -eo pipefail +if [[ $# -ne 0 ]]; then + FFMPEG_VER="${1:-${FFMPEG_VER}}" + shift +fi SCRIPT_DIR="$(readlink -f "$(dirname -- "${BASH_SOURCE[0]}")")" REPOSITORY_DIR="$(readlink -f "${SCRIPT_DIR}/..")" BUILD_DIR="${BUILD_DIR:-${REPOSITORY_DIR}/_build}" diff --git a/media-proxy/build.sh b/media-proxy/build.sh index 2cf3fd22..cb8c7206 100755 --- a/media-proxy/build.sh +++ b/media-proxy/build.sh @@ -19,10 +19,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}" INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}" cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_MEDIA_PROXY_DIR}" -S "${SCRIPT_DIR}" - -as_root make -C "${MCM_MEDIA_PROXY_DIR}" install +make -j "${NPROC}" -C "${MCM_MEDIA_PROXY_DIR}" if [[ $# -ne 0 ]]; then DESTDIR="${1:-$DESTDIR}" make -C "${MCM_MEDIA_PROXY_DIR}" install fi +as_root make -C "${MCM_MEDIA_PROXY_DIR}" install + ln -s "${MCM_MEDIA_PROXY_DIR}" "${SCRIPT_DIR}/build" diff --git a/sdk/build.sh b/sdk/build.sh index 03d12fca..0e2be5b0 100755 --- a/sdk/build.sh +++ b/sdk/build.sh 
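Review bot: The new block treats whatever comes first on the command line as the FFmpeg version, so a caller that still passes only configure options (as the Dockerfile did before this diff: `configure-ffmpeg.sh --enable-libx264 ...`) silently loses `--enable-libx264` into FFMPEG_VER and configures without it. Only consume the first argument when it does not look like an option: `if [[ $# -ne 0 && "${1}" != -* ]]; then`. The Dockerfile hunk also passes `"${FFMPEG_VER}"` to clone-and-patch-ffmpeg.sh and build-ffmpeg.sh, but no change to those scripts appears in this diff, so they presumably need the same argument handling if they do not already accept a version. A usage line above the block, `# usage: configure-ffmpeg.sh [FFMPEG_VER] [configure options...]`, would document the new positional contract.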
@@ -20,10 +20,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}" INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}" cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_SDK_DIR}" -S "${SCRIPT_DIR}" - -as_root make -C "${MCM_SDK_DIR}" install +make -j "${NPROC}" -C "${MCM_SDK_DIR}" if [[ $# -ne 0 ]]; then DESTDIR="${1:-$DESTDIR}" make -C "${MCM_SDK_DIR}" install fi +as_root make -C "${MCM_SDK_DIR}" install + ln -s "${MCM_SDK_DIR}" "${SCRIPT_DIR}/build"