Skip to content

Build

Build #101

Workflow file for this run

name: "Build"
on:
push:
branches:
- master
pull_request:
branches:
- master
schedule:
# Tuesday at 10. One day after the CircleCI scheduled upddate
# See: https://github.com/CircleCI-Public/cimg-base/blob/main/.circleci/schedule.json
- cron: '0 10 * * 2'
workflow_dispatch:
jobs:
build_push_and_check:
name: Build docker image, publish it and run vuln scanner against it
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for image publication to GitHub Packages
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # 3.3.0
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # 2.4.1
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # 2.1.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build images
id: build
run: DOCKER_BUILDKIT=1 ./build
- name: Test images
run: ./build --test
- name: Push images
run: ./build --push
- name: Free Disk Space (Ubuntu) # Required by trivy to have enough space to scan full image
uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
with:
large-packages: false # Temporary fix for https://github.com/jlumbroso/free-disk-space/issues/4
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
with:
image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'