119 lines
3.1 KiB
YAML
119 lines
3.1 KiB
YAML
name: build
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
|
|
pull_request:
|
|
branches:
|
|
- main
|
|
|
|
schedule:
|
|
# Re-build all images at 2am UTC every Monday (8pm CST/9pm CDT)
|
|
#
|
|
# This ensures we always start with a recent base image, which
|
|
# reduces wasted space due to written-over files in the writable
|
|
# layer, ensures packages are up-to-date (since many of these
|
|
# images install the latest versions of packages available at
|
|
# build time), and allow us to ensure that images continue to
|
|
# be buildable from source (no removed packages).
|
|
#
|
|
# See: https://crontab.guru/#0_2_*_*_1
|
|
- cron: "0 2 * * 1"
|
|
|
|
workflow_dispatch:
|
|
|
|
permissions:
|
|
actions: read
|
|
checks: none
|
|
contents: read
|
|
id-token: write
|
|
deployments: none
|
|
issues: none
|
|
packages: none
|
|
pull-requests: none
|
|
repository-projects: none
|
|
security-events: write
|
|
statuses: none
|
|
|
|
jobs:
|
|
# Quick checks, running linters, checking formatting, etc
|
|
quick:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Cancel previous runs
|
|
if: github.event_name == 'pull_request'
|
|
uses: styfle/cancel-workflow-action@0.12.1
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Node.js
|
|
uses: actions/setup-node@v4
|
|
with:
|
|
node-version: 20.x
|
|
|
|
- name: Install Node.js modules
|
|
run: yarn install
|
|
|
|
- name: Check formatting
|
|
run: yarn format:check
|
|
|
|
images:
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
name: images/ubuntu
|
|
steps:
|
|
- name: Cancel previous runs
|
|
if: github.event_name == 'pull_request'
|
|
uses: styfle/cancel-workflow-action@0.12.1
|
|
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Install Trivy using install script
|
|
run: |
|
|
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.1
|
|
|
|
- name: Set up Depot CLI
|
|
uses: depot/setup-action@v1
|
|
|
|
- name: Build ubuntu images
|
|
run: |
|
|
${{ github.workspace }}/scripts/build_images.sh \
|
|
--tag=ubuntu
|
|
|
|
- name: Scan ubuntu images
|
|
run: |
|
|
${{ github.workspace }}/scripts/scan_images.sh \
|
|
--tag=ubuntu \
|
|
--output-file=trivy-results-ubuntu.sarif
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: trivy-results-ubuntu.sarif
|
|
category: trivy-ubuntu
|
|
|
|
- name: Upload Trivy scan results as an artifact
|
|
uses: actions/upload-artifact@v4
|
|
with:
|
|
name: trivy-ubuntu
|
|
path: trivy-results-ubuntu.sarif
|
|
retention-days: 7
|
|
|
|
- name: Authenticate to Docker Hub
|
|
if: github.event_name != 'pull_request'
|
|
uses: docker/login-action@v3
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
|
|
- name: Push images to Docker Hub
|
|
if: github.event_name != 'pull_request'
|
|
run: |
|
|
${{ github.workspace }}/scripts/push_images.sh \
|
|
--tag=ubuntu
|