diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml
deleted file mode 100644
index 27eb6a287..000000000
--- a/.github/workflows/docker-build.yml
+++ /dev/null
@@ -1,25 +0,0 @@
-name: Docker build
-
-on:
-  pull_request:
-    paths:
-      - Dockerfile
-    types: [opened, synchronize]
-
-jobs:
-  build:
-    runs-on: ubuntu-latest
-    steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-
-      - name: Build docker image
-        uses: docker/build-push-action@v6
-        with:
-          secrets: github_token=${{ secrets.GITHUB_TOKEN }}
-          cache-from: type=gha
-          cache-to: type=gha
-          push: false
diff --git a/.github/workflows/docker-test.yml b/.github/workflows/docker-test.yml
index 857aa1f4d..81b289b11 100644
--- a/.github/workflows/docker-test.yml
+++ b/.github/workflows/docker-test.yml
@@ -1,6 +1,7 @@
-name: Docker test
+name: Run Docker tests
 
 on:
+  pull_request:
   push:
     branches: main
 
@@ -12,6 +13,8 @@ jobs:
     steps:
       - name: Checkout code
         uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
 
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
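Review bot: The new `pull_request:` trigger carries no `paths` or `branches` filter, so every pull request now builds and scans the image, whereas the deleted docker-build.yml only ran for PRs touching `Dockerfile`; if that narrowing is still wanted, add `paths: [Dockerfile]` under `pull_request:`, otherwise a comment above the trigger should say why the full run is intended. On pull requests from forks the `GITHUB_TOKEN` is read-only, so the `upload-sarif` step in the third hunk needs `security-events: write` granted in a `permissions:` block; that block lies outside these hunks, so I cannot confirm it is present.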
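Review bot: `fetch-depth: 0` clones the full repository history, but no step in this diff reads git history, so either a later step outside the hunks depends on it or it is unexplained overhead on every pull request. If it is needed, add a comment above the `with:` block naming the consumer, e.g. `# full history is required by <step> — TODO name it`; otherwise drop the two added lines and keep the default shallow checkout.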
@@ -23,25 +26,39 @@ jobs:
           secrets: github_token=${{ secrets.GITHUB_TOKEN }}
           load: true
           cache-from: type=gha
-          cache-to: type=gha
           push: false
 
+      - name: Get TrivyDB data ## To avoid the trivy-db becoming outdated, we save the cache for one day
+        id: date
+        run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
+
+      - name: Restore TrivyDB cache
+        uses: actions/cache@v4
+        with:
+          path: cache/db
+          key: trivy-cache-${{ steps.date.outputs.date }}
+          restore-keys:
+            trivy-cache-
+
       - name: Export docker image as tar
-        run: docker save -o ${{ github.ref_name }}.tar ${{ steps.build.outputs.imageid }}
+        run: docker save -o ${{ steps.build.outputs.imageid }}.tar ${{ steps.build.outputs.imageid }}
 
       - name: Scan Docker image for CVEs
         uses: aquasecurity/trivy-action@0.24.0
         with:
-          input: ${{ github.ref_name }}.tar
+          input: ${{ steps.build.outputs.imageid }}.tar
           format: 'sarif'
           output: 'trivy-results.sarif'
           limit-severities-for-sarif: true
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
           github-pat: ${{ secrets.GITHUB_TOKEN }}
+          cache-dir: "./cache"
+
+      - name: Change permissions for trivy.db
+        run: sudo chmod 0644 ./cache/db/trivy.db
 
       - name: Upload scan results to GitHub Security
         uses: github/codeql-action/upload-sarif@v2
-        if: always()
         with:
           sarif_file: 'trivy-results.sarif'
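Review bot: Dropping `if: always()` from the "Upload scan results" step means the SARIF is uploaded only when every earlier step succeeded, including the new `sudo chmod 0644 ./cache/db/trivy.db` step, which fails whenever that file is absent (e.g. a cache miss on a run where the scan did not populate `./cache/db`); if the scan step is ever made to fail on findings, exactly those results would never reach the Security tab. Keep the upload unconditional on scan outcome, `if: success() || failure()`, so a failing scan still reports. As style points, the `## To avoid the trivy-db becoming outdated ...` remark should sit on its own `# ` comment line above the step rather than trailing the `name:` value, `$GITHUB_OUTPUT` should be quoted as `"$GITHUB_OUTPUT"`, and `restore-keys:` is a plain scalar continued on the next line — write it as `restore-keys: trivy-cache-` on one line so the value is unambiguous.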