From 6507295e9ace8e31141a9bc517c0808d6778969d Mon Sep 17 00:00:00 2001 From: Milosz Linkiewicz Date: Wed, 27 Nov 2024 20:52:56 +0000 Subject: [PATCH] Fully Templated Docker cached build job Fully Templated Docker cached build job - most parameters are defaulted based on git variables - all of defaulted parameters can be overwritten using inputs - fixes to existing workflows due to naming convention miss-match between action pull_request and push Signed-off-by: Milosz Linkiewicz --- .github/configs/super-linter/.golangci.yml | 7 +- .github/workflows/codeql.yml | 2 +- .github/workflows/coverity.yml | 4 +- .github/workflows/dependency-review.yml | 33 +- .github/workflows/docker-cached-build.yml | 349 ++---------------- .github/workflows/github_pages_update.yml | 2 +- .github/workflows/scorecard.yml | 10 +- .../template-docker-cached-build.yml | 142 +++++++ .github/workflows/trivy.yml | 16 +- .github/workflows/ubuntu-build.yml | 29 +- build.sh | 4 +- ffmpeg-plugin/Dockerfile | 6 +- ffmpeg-plugin/configure-ffmpeg.sh | 4 + media-proxy/build.sh | 5 +- sdk/build.sh | 5 +- 15 files changed, 247 insertions(+), 371 deletions(-) create mode 100644 .github/workflows/template-docker-cached-build.yml diff --git a/.github/configs/super-linter/.golangci.yml b/.github/configs/super-linter/.golangci.yml index cbd6fdab..873a719e 100644 --- a/.github/configs/super-linter/.golangci.yml +++ b/.github/configs/super-linter/.golangci.yml @@ -31,12 +31,7 @@ linters-settings: check-blank: true govet: enable: - # report about shadowed variables - - shadowing + - shadow gocyclo: # minimal code complexity to report, 30 by default min-complexity: 15 - maligned: - # print struct with more effective memory layout or not, false by default - suggest-new: true - \ No newline at end of file diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml index 72a1bd7e..5dfc33ec 100644 --- a/.github/workflows/codeql.yml +++ b/.github/workflows/codeql.yml 
@@ -20,7 +20,7 @@ permissions:
 contents: read
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
 cancel-in-progress: true
 jobs:
diff --git a/.github/workflows/coverity.yml b/.github/workflows/coverity.yml
index 8c9fd3d3..94509fd9 100644
--- a/.github/workflows/coverity.yml
+++ b/.github/workflows/coverity.yml
@@ -21,7 +21,7 @@ permissions:
 contents: read
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
 cancel-in-progress: true
 jobs:
@@ -93,7 +93,7 @@ jobs:
 ${{ github.workspace }}/ffmpeg-plugin/configure-ffmpeg.sh && \
 ${{ github.workspace }}/ffmpeg-plugin/build-ffmpeg.sh
- - uses: actions/upload-artifact@v4
+ - uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
 with:
 name: coverity-reports
 path: '${{ github.workspace }}/cov-int'
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
index 438a8d0e..552af50b 100644
--- a/.github/workflows/dependency-review.yml
+++ b/.github/workflows/dependency-review.yml
@@ -9,7 +9,7 @@ env:
 LINTER_RULES_PATH: .github/configs/super-linter
 concurrency:
- group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}
+ group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
 cancel-in-progress: true
 jobs:
@@ -32,8 +32,14 @@ jobs: name: 'super-linter: Workflow initializing' runs-on: 'ubuntu-22.04' permissions: - statuses: write + contents: read + packages: read timeout-minutes: 90 + env: + SUPER_LINTER_OUTPUT_DIRECTORY_NAME: super-linter-output + SUPER_LINTER_SUMMARY_FILE_NAME: super-linter-summary.md + SAVE_SUPER_LINTER_SUMMARY: true + ENABLE_GITHUB_ACTIONS_STEP_SUMMARY : true steps: - name: 'super-linter: Harden Runner' uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 @@ -46,7 +52,26 @@ jobs: fetch-depth: 0 ref: ${{ inputs.branch }} - - name: 'super-linter: perform supe-linter scan workflow.' - uses: super-linter/super-linter@v7.2.0 # x-release-please-version + - name: 'super-linter: perform super-linter scan workflow.' + uses: super-linter/super-linter/slim@e1cb86b6e8d119f789513668b4b30bf17fe1efe4 # v7.2.0 x-release-please-version env: GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + DISABLE_ERRORS: true + VALIDATE_PROTOBUF: true + VALIDATE_MARKDOWN: true + VALIDATE_MARKDOWN_PRETTIER: true + VALIDATE_JSONC: true + VALIDATE_GO: true + VALIDATE_GITHUB_ACTIONS: true + VALIDATE_CPP: true + VALIDATE_CLANG_FORMAT: true + VALIDATE_BASH: true + VALIDATE_BASH_EXEC: true + + - name: 'super-linter: upload linter results as an artifact.' + uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 + if: env.SAVE_SUPER_LINTER_SUMMARY == 'true' || env.ENABLE_GITHUB_ACTIONS_STEP_SUMMARY == 'true' + with: + name: coverity-reports + path: + '${{ github.workspace }}/${{ env.SUPER_LINTER_OUTPUT_DIRECTORY_NAME }}/${{ env.SUPER_LINTER_SUMMARY_FILE_NAME }}' diff --git a/.github/workflows/docker-cached-build.yml b/.github/workflows/docker-cached-build.yml index 59f90bf1..ea40e019 100644 --- a/.github/workflows/docker-cached-build.yml +++ b/.github/workflows/docker-cached-build.yml 
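Review bot: `DISABLE_ERRORS: true` on the super-linter step turns every finding into a warning, so none of the `VALIDATE_*` rules enabled beside it can fail a pull request any more; if this job is meant to gate merges, remove that line (or set it to `false` once the current backlog is clean). The upload step after it names the artifact `coverity-reports`, which looks copied from coverity.yml and collides with that workflow's artifact name; `name: super-linter-reports` describes what is actually uploaded. `ENABLE_GITHUB_ACTIONS_STEP_SUMMARY : true` has a space before the colon — valid YAML but inconsistent with every other key in the file; `ENABLE_GITHUB_ACTIONS_STEP_SUMMARY: true`. The permissions hunk also drops `statuses: write`; super-linter's per-linter commit statuses need that permission unless `MULTI_STATUS` is disabled, so confirm the action still reports as expected after the change.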
@@ -10,344 +10,49 @@ on: permissions: contents: read -env: - CONCURRENCY_GROUP: "${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }}" - BUILD_TYPE: "Release" - DOCKER_REGISTRY: "ghcr.io" - DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && false }}" - DOCKER_BUILD_ARGS: "" - DOCKER_PLATFORMS: "linux/amd64" - DOCKER_IMAGE_PUSH: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && github.event_name == 'push' && false }}" - DOCKER_IMAGE_BASE: "ghcr.io/openvisualcloud/media-communications-mesh" - DOCKER_IMAGE_TAG: "${{ github.sha }}" - concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: sdk-image-build: - name: Build sdk Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "sdk/Dockerfile" - DOCKER_IMAGE_NAME: "sdk" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: 
github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" 
- format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build sdk Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "sdk/Dockerfile" + docker_image_name: "sdk" ffmpeg-6-1-image-build: - name: Build ffmpeg v6.1 Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "ffmpeg-plugin/Dockerfile" - DOCKER_IMAGE_NAME: "ffmpeg-6-1" - DOCKER_BUILD_ARGS: "FFMPEG_VER=6.1" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME 
}} Scanner: Hadolint Dockerfile scan tty format." - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: 
github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build ffmpeg v6.1 Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "ffmpeg-plugin/Dockerfile" + docker_image_name: "ffmpeg-6-1" + docker_build_args: "FFMPEG_VER=6.1" ffmpeg-7-0-image-build: - name: Build ffmpeg v7.0 Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: "ffmpeg-plugin/Dockerfile" - DOCKER_IMAGE_NAME: "ffmpeg-7-0" - DOCKER_BUILD_ARGS: "FFMPEG_VER=7.0" - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: 
- dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ 
env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build ffmpeg v7.0 Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "ffmpeg-plugin/Dockerfile" + docker_image_name: "ffmpeg-7-0" + docker_build_args: "FFMPEG_VER=7.0" media-proxy-image-build: - name: Build Media-Proxy Docker Image - runs-on: ubuntu-22.04 permissions: - contents: read security-events: write - timeout-minutes: 60 - env: - DOCKER_FILE_PATH: media-proxy/Dockerfile - DOCKER_IMAGE_NAME: media-proxy - steps: - - name: "${{ env.DOCKER_IMAGE_NAME }}: Harden Runner" - uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 - with: - egress-policy: audit - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Checkout repository" - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan sarif format" - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: sarif - output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - no-fail: true - failure-threshold: info - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Hadolint Dockerfile scan tty output" - if: always() - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 - with: - dockerfile: "${{ env.DOCKER_FILE_PATH }}" - config: .github/configs/hadolint.yaml - format: tty - failure-threshold: warning - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Set up Docker Buildx" - uses: 
docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 - with: - buildkitd-flags: --debug - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Login to Docker Container Registry" - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 - if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} - with: - registry: "${{ env.DOCKER_REGISTRY }}" - username: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_USER || env.GITHUB_ACTOR }} - password: ${{ secrets.ACTION_DOCKER_REGISTRY_LOGIN_KEY || secrets.GITHUB_TOKEN }} - - - name: "${{ env.DOCKER_IMAGE_NAME }}: Build and push image" - uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 - with: - load: true - push: "${{ env.DOCKER_IMAGE_PUSH }}" - outputs: type=docker - platforms: "${{ env.DOCKER_PLATFORMS }}" - file: "${{ env.DOCKER_FILE_PATH }}" - tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} - cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} - build-args: "${{ env.DOCKER_BUILD_ARGS }}" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy run vulnerability scanner on image" - uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 - with: - image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" - format: "sarif" - output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" - - - name: "${{ env.DOCKER_IMAGE_NAME }} Scanner: Trivy upload results to Security tab" - uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 - with: - sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + contents: read + name: Build Media-Proxy Docker Image + uses: ./.github/workflows/template-docker-cached-build.yml + with: + docker_file_path: "media-proxy/Dockerfile" + 
docker_image_name: "media-proxy" diff --git a/.github/workflows/github_pages_update.yml b/.github/workflows/github_pages_update.yml index b9904e3f..16825557 100644 --- a/.github/workflows/github_pages_update.yml +++ b/.github/workflows/github_pages_update.yml @@ -12,7 +12,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index 7fb607d6..b611854b 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -15,7 +15,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -42,7 +42,7 @@ jobs: - name: "scorecard: Run analysis" uses: ossf/scorecard-action@dc50aa9510b46c811795eb24b2f1ba02a914e534 # v2.3.3 with: - results_file: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif" + results_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" results_format: sarif repo_token: ${{ secrets.GITHUB_TOKEN }} publish_results: true 
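Review bot: The four jobs in this hunk differ only in `docker_file_path`, `docker_image_name` and `docker_build_args`, so the caller could shrink to a single job with a `strategy.matrix` over those three values (a job that `uses` a reusable workflow accepts `strategy`), which also keeps the `security-events: write` grant in one place. No job passes a `secrets:` block to the template, which is the right least-privilege default while `docker_registry_login` and `docker_registry_push` default to false; if a caller later enables either, it should pass the two registry secrets explicitly rather than `secrets: inherit`.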
@@ -51,11 +51,11 @@ jobs:
 - name: "scorecard: Upload results artifact"
 uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
 with:
- name: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}"
- path: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+ name: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}"
+ path: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
 retention-days: 5
 - name: "scorecard: Upload results to code-scanning"
 uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11
 with:
- sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif"
+ sarif_file: "scorecard-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif"
diff --git a/.github/workflows/template-docker-cached-build.yml b/.github/workflows/template-docker-cached-build.yml
new file mode 100644
index 00000000..b503592e
--- /dev/null
+++ b/.github/workflows/template-docker-cached-build.yml
@@ -0,0 +1,142 @@ +name: template-docker-cached-build + +on: + workflow_call: + inputs: + build_type: + required: false + type: string + default: 'Release' + docker_registry: + required: false + type: string + default: 'ghcr.io' + docker_registry_prefix: + required: false + type: string + default: 'openvisualcloud/media-communications-mesh' + docker_registry_login: + required: false + type: boolean + default: false + docker_registry_push: + required: false + type: boolean + default: false + docker_build_args: + required: false + type: string + default: '' + docker_build_platforms: + required: false + type: string + default: 'linux/amd64' + docker_image_tag: + required: false + type: string + docker_image_name: + required: true + type: string + docker_file_path: + required: false + type: string + default: './Dockerfile' + secrets: + docker_registry_login: + required: false + docker_registry_passkey: + required: false + +permissions: + contents: read + +jobs: + scan-and-build-docker-image: + name: "${{ inputs.docker_image_name }}: Performing scan and build of Dockerfile." 
+ runs-on: ubuntu-22.04 + permissions: + contents: read + security-events: write + timeout-minutes: 60 + env: + BUILD_TYPE: "${{ inputs.build_type }}" + CONCURRENCY_GROUP: "${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}" + DOCKER_REGISTRY: "${{ inputs.docker_registry }}" + DOCKER_REGISTRY_LOGIN: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_login }}" + DOCKER_BUILD_ARGS: "${{ inputs.docker_build_args }}" + DOCKER_PLATFORMS: "${{ inputs.docker_build_platforms }}" + DOCKER_IMAGE_PUSH: "${{ github.repository == 'openvisualcloud/media-communications-mesh' && inputs.docker_registry_push }}" + DOCKER_IMAGE_BASE: "${{ inputs.docker_registry }}/${{ inputs.docker_registry_prefix }}" + DOCKER_IMAGE_TAG: "${{ inputs.docker_image_tag || github.sha }}" + DOCKER_IMAGE_NAME: "${{ inputs.docker_image_name }}" + DOCKER_FILE_PATH: "${{ inputs.docker_file_path }}" + steps: + - name: "${{ inputs.docker_image_name }}: Harden Runner" + uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1 + with: + egress-policy: audit + + - name: "${{ inputs.docker_image_name }}: Set up Docker Buildx" + uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0 + with: + buildkitd-flags: --debug + + - name: "${{ inputs.docker_image_name }}: Checkout repository" + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan sarif format" + uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + with: + dockerfile: "${{ env.DOCKER_FILE_PATH }}" + config: .github/configs/hadolint.yaml + format: sarif + output-file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + no-fail: true + failure-threshold: info + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint upload results to Security tab" + uses: 
github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + with: + sarif_file: "hadolint-${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Login to Docker Container Registry" + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 + if: ${{ env.DOCKER_REGISTRY_LOGIN == 'true' }} + with: + registry: "${{ env.DOCKER_REGISTRY }}" + username: "${{ secrets.docker_registry_login || env.GITHUB_ACTOR }}" + password: "${{ secrets.docker_registry_passkey || secrets.GITHUB_TOKEN }}" + + - name: "${{ inputs.docker_image_name }}: Build and push image" + uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0 + with: + load: true + push: "${{ env.DOCKER_IMAGE_PUSH }}" + outputs: type=docker + platforms: "${{ env.DOCKER_PLATFORMS }}" + file: "${{ env.DOCKER_FILE_PATH }}" + tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" + cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }} + cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }} + build-args: "${{ env.DOCKER_BUILD_ARGS }}" + + - name: "${{ inputs.docker_image_name }}: Scanner Trivy run vulnerability scanner on image" + uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 + with: + image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}" + format: "sarif" + output: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Scanner Trivy upload results to Security tab" + uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8 + with: + sarif_file: "${{ env.CONCURRENCY_GROUP }}-${{ env.DOCKER_IMAGE_NAME }}-${{ env.DOCKER_IMAGE_TAG }}.sarif" + + - name: "${{ inputs.docker_image_name }}: Scanner Hadolint Dockerfile scan tty output" 
+ if: always() + uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 + with: + dockerfile: "${{ env.DOCKER_FILE_PATH }}" + config: .github/configs/hadolint.yaml + format: tty + failure-threshold: warning diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml index 90cfc600..4bbd6018 100644 --- a/.github/workflows/trivy.yml +++ b/.github/workflows/trivy.yml @@ -15,7 +15,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -42,7 +42,7 @@ jobs: skip-dirs: deployment #helm charts not supported exit-code: '0' format: 'sarif' - output: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif" + output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" - name: "Trivy: Run vulnerability scanner for type=config (out=table)" if: always() 
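Review bot: The login step's fallback `username: "${{ secrets.docker_registry_login || env.GITHUB_ACTOR }}"` reads the actor through the `env` context, which only holds variables set in the workflow itself — the same mistake this commit fixes elsewhere by replacing `env.GITHUB_SHA` with `github.sha`; it should be `${{ secrets.docker_registry_login || github.actor }}`. The Trivy scan runs after "Build and push image", so with `docker_registry_push` enabled an image is published before its vulnerability results exist; ordering the steps as build (`load: true`, no push) → Trivy scan → a separate push step would keep unscanned images out of the registry. `docker_registry_login` is both a boolean input and a secret holding the username, which makes `inputs.docker_registry_login` and `secrets.docker_registry_login` easy to confuse in callers; a distinct secret name such as `docker_registry_username` would remove the ambiguity. The `secrets.GITHUB_TOKEN` password fallback can only push to ghcr.io if the job has `packages: write`, which its `permissions` block does not grant — harmless while push defaults to false, but worth a comment next to `DOCKER_IMAGE_PUSH` so the next person enabling push knows why it fails.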
@@ -52,26 +52,26 @@ jobs: skip-dirs: deployment #helm charts not supported exit-code: '0' format: 'table' - output: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.txt" + output: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt" - name: "Trivy: Upload scan results to GitHub Security tab" if: always() uses: github/codeql-action/upload-sarif@b611370bb5703a7efb587f9d136a52ea24c5c38c # v3.25.11 with: - sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif" + sarif_file: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" - name: "Trivy: Upload scan results as artifacts (out=sarif)" uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3 if: always() with: - name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || env.GITHUB_SHA }}" - path: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.sarif" + name: "trivy-config-scan-results-sarif-${{ github.event.pull_request.number || github.sha }}" + path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.sarif" retention-days: 5 - name: "Trivy: Upload scan results as artifacts (out=table)" uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # V4.4.3 if: always() with: - name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || env.GITHUB_SHA }}" - path: "trivy-config-scan-results-${{ github.event.pull_request.number || env.GITHUB_SHA }}.txt" + name: "trivy-config-scan-results-table-${{ github.event.pull_request.number || github.sha }}" + path: "trivy-config-scan-results-${{ github.event.pull_request.number || github.sha }}.txt" retention-days: 5 diff --git a/.github/workflows/ubuntu-build.yml b/.github/workflows/ubuntu-build.yml index e649dc2f..60f0b13f 100644 --- a/.github/workflows/ubuntu-build.yml 
+++ b/.github/workflows/ubuntu-build.yml @@ -21,7 +21,7 @@ permissions: contents: read concurrency: - group: ${{ github.workflow }}-${{ github.event.pull_request.number || env.GITHUB_SHA }} + group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }} cancel-in-progress: true jobs: @@ -85,27 +85,30 @@ jobs: - name: 'Build MCM SDK and Media Proxy' run: eval 'source scripts/common.sh && ./build.sh "${PREFIX_DIR}"' - - name: 'Build MCM FFmpeg plugin' + - name: 'Build FFmpeg 6.1 with MCM plugin' working-directory: ${{ github.workspace }}/ffmpeg-plugin run: | - ./configure-ffmpeg.sh && \ - ./build-ffmpeg.sh + ./configure-ffmpeg.sh "6.1" && \ + ./build-ffmpeg.sh "6.1" - - name: 'Scaner: Send to VirusTotal for analysis' + - name: 'Build FFmpeg 7.0 with MCM plugin' + working-directory: ${{ github.workspace }}/ffmpeg-plugin + run: | + ./configure-ffmpeg.sh "7.0" && \ + ./build-ffmpeg.sh "7.0" + + - name: 'Scanner: Send to VirusTotal for analysis' id: vt uses: cssnr/virustotal-action@331c320c79202fdaa7a30f16163390f8d09c3f45 # v1.2.0 with: github_token: ${{ secrets.GITHUB_TOKEN }} vt_api_key: ${{ secrets.VT_API_KEY }} file_globs: | - _install/usr/* - _install/usr/lib64/* - _install/usr/local/bin/* - _install/usr/local/lib/* - _install/usr/local/lib/x86_64-linux-gnu/* - _install/usr/local/lib/x86_64-linux-gnu/dpdk/* - _install/usr/local/lib/bpf/* + _build/mcm/lib/*.so* + _build/mcm/bin/* _install/usr/local/sbin/* + _build/ffmpeg-6-1/ffmpeg + _build/ffmpeg-7-0/ffmpeg - - name: 'Scaner: Print scan results' + - name: 'Scanner: Print scan results' run: echo ${{ steps.vt.outputs.results }} diff --git a/build.sh b/build.sh index 1bfd76e6..e3f299ed 100755 --- a/build.sh +++ b/build.sh 
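Review bot: `run: echo ${{ steps.vt.outputs.results }}` (the context line closing the hunk) expands a third-party action's output directly into the shell script, so any shell metacharacters in the VirusTotal response become part of the command line; route it through the environment instead: `env:` / `VT_RESULTS: ${{ steps.vt.outputs.results }}` / `run: echo "$VT_RESULTS"`. The new `file_globs` entries `_build/ffmpeg-6-1/ffmpeg` and `_build/ffmpeg-7-0/ffmpeg` assume that `build-ffmpeg.sh "6.1"` and `build-ffmpeg.sh "7.0"` write to version-named directories under `_build`; that convention is not visible in this hunk, so confirm it against the script or the upload silently matches nothing.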
@@ -24,12 +24,12 @@ cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" \
 -DBUILD_UNIT_TESTS="${BUILD_UNIT_TESTS}" \
 -B "${MCM_BUILD_DIR}" -S "${SCRIPT_DIR}"
 cmake --build "${MCM_BUILD_DIR}" -j
-
-as_root make -C "${MCM_BUILD_DIR}" install
+make -j "${NPROC}" -C "${MCM_BUILD_DIR}"
 if [[ $# -ne 0 ]]; then
 DESTDIR="${1:-$DESTDIR}" make -C "${MCM_BUILD_DIR}" install
 fi
+as_root make -C "${MCM_BUILD_DIR}" install
 as_root ln -s /usr/lib64/libbpf.so.1 /usr/lib/x86_64-linux-gnu/libbpf.so.1 2>/dev/null || true
 as_root ldconfig
diff --git a/ffmpeg-plugin/Dockerfile b/ffmpeg-plugin/Dockerfile
index 5ebaba79..28a7175b 100644
--- a/ffmpeg-plugin/Dockerfile
+++ b/ffmpeg-plugin/Dockerfile
@@ -49,11 +49,11 @@ COPY . ${MCM_DIR}
 WORKDIR ${MCM_DIR}
 RUN ./sdk/build.sh && \
 INSTALL_PREFIX="${PREFIX_DIR}/usr/local" ./sdk/build.sh && \
- ./ffmpeg-plugin/clone-and-patch-ffmpeg.sh && \
- ./ffmpeg-plugin/configure-ffmpeg.sh --enable-libx264 --enable-gpl --prefix="${PREFIX_DIR}/usr/local"
+ ./ffmpeg-plugin/clone-and-patch-ffmpeg.sh "${FFMPEG_VER}" && \
+ ./ffmpeg-plugin/configure-ffmpeg.sh "${FFMPEG_VER}" --enable-libx264 --enable-gpl --prefix="${PREFIX_DIR}/usr/local"
 WORKDIR ${MCM_DIR}/ffmpeg-plugin
-RUN ./build-ffmpeg.sh
+RUN ./build-ffmpeg.sh "${FFMPEG_VER}"
 ARG IMAGE_CACHE_REGISTRY
 ARG IMAGE_NAME
diff --git a/ffmpeg-plugin/configure-ffmpeg.sh b/ffmpeg-plugin/configure-ffmpeg.sh
index 9a718ac5..12b00881 100755
--- a/ffmpeg-plugin/configure-ffmpeg.sh
+++ b/ffmpeg-plugin/configure-ffmpeg.sh
@@ -5,6 +5,10 @@
 set -eo pipefail
+if [[ $# -ne 0 ]]; then
+ FFMPEG_VER="${1:-${FFMPEG_VER}}"
+ shift
+fi
 SCRIPT_DIR="$(readlink -f "$(dirname -- "${BASH_SOURCE[0]}")")"
 REPOSITORY_DIR="$(readlink -f "${SCRIPT_DIR}/..")"
 BUILD_DIR="${BUILD_DIR:-${REPOSITORY_DIR}/_build}"
diff --git a/media-proxy/build.sh b/media-proxy/build.sh
index 2cf3fd22..cb8c7206 100755
--- a/media-proxy/build.sh
+++ b/media-proxy/build.sh
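Review bot: `make -j "${NPROC}"` on the added line depends on `NPROC` being assigned somewhere above this hunk; if it is empty, make rejects the `-j` argument and the script stops before any install runs, so `make -j "${NPROC:-$(nproc)}"` (or an explicit default near the top of the script) is the safer form. In build.sh the new line also repeats the `cmake --build "${MCM_BUILD_DIR}" -j` two lines above, which has already built the tree, so one of the two invocations should go. The `NPROC` default applies equally to the identical added lines in media-proxy/build.sh and sdk/build.sh; where NPROC is defined, if anywhere, is outside these hunks.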
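Review bot: `"${FFMPEG_VER}"` is now passed to all three scripts, but no `ARG FFMPEG_VER` or `ENV FFMPEG_VER` is visible in this hunk; if it is not declared earlier in the Dockerfile the expansion is an empty string, and configure-ffmpeg.sh's new `FFMPEG_VER="${1:-${FFMPEG_VER}}"` then falls back to whatever the build environment happens to hold, so the image could silently build a different FFmpeg than intended. Declaring `ARG FFMPEG_VER=<default-version>` near the top of this stage and starting the RUN chain with `test -n "${FFMPEG_VER}" && \` makes a missing build-arg fail fast instead. Whether clone-and-patch-ffmpeg.sh and build-ffmpeg.sh already accept the positional version is not shown in this diff.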
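Review bot: The new argument handling treats any first argument as the version, so a call of the form `./configure-ffmpeg.sh --enable-libx264` (the shape this same commit removes from ffmpeg-plugin/Dockerfile) would now set `FFMPEG_VER=--enable-libx264` and drop the flag; guarding the branch with `if [[ $# -ne 0 && "$1" != -* ]]; then` keeps flag-only invocations working. A usage comment above the block, such as `# usage: configure-ffmpeg.sh [FFMPEG_VER] [configure flags...]`, would document the new positional protocol. Where FFMPEG_VER is consumed, and any default it gets, lies outside this hunk.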
@@ -19,10 +19,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}"
 INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}"
 cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_MEDIA_PROXY_DIR}" -S "${SCRIPT_DIR}"
-
-as_root make -C "${MCM_MEDIA_PROXY_DIR}" install
+make -j "${NPROC}" -C "${MCM_MEDIA_PROXY_DIR}"
 if [[ $# -ne 0 ]]; then
 DESTDIR="${1:-$DESTDIR}" make -C "${MCM_MEDIA_PROXY_DIR}" install
 fi
+as_root make -C "${MCM_MEDIA_PROXY_DIR}" install
+
 ln -s "${MCM_MEDIA_PROXY_DIR}" "${SCRIPT_DIR}/build"
diff --git a/sdk/build.sh b/sdk/build.sh
index 03d12fca..0e2be5b0 100755
--- a/sdk/build.sh
+++ b/sdk/build.sh
@@ -20,10 +20,11 @@ BUILD_TYPE="${BUILD_TYPE:-Release}"
 INSTALL_PREFIX="${INSTALL_PREFIX:-/usr/local}"
 cmake -DCMAKE_BUILD_TYPE="${BUILD_TYPE}" -B "${MCM_SDK_DIR}" -S "${SCRIPT_DIR}"
-
-as_root make -C "${MCM_SDK_DIR}" install
+make -j "${NPROC}" -C "${MCM_SDK_DIR}"
 if [[ $# -ne 0 ]]; then
 DESTDIR="${1:-$DESTDIR}" make -C "${MCM_SDK_DIR}" install
 fi
+as_root make -C "${MCM_SDK_DIR}" install
+
 ln -s "${MCM_SDK_DIR}" "${SCRIPT_DIR}/build"
