chore(ci): fix security scans #1226
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Image CI | |
| on: | |
| push: | |
| branches-ignore: | |
| - renovate/** | |
| tags: | |
| - '*' | |
| pull_request: | |
| permissions: | |
| contents: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-24.04 | |
| name: Build, ${{ matrix.architecture }} | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args | |
| - name: Build the Docker image | |
| run: docker buildx build $(.github/bin/get-buildx-args) | |
| buildx: | |
| runs-on: ubuntu-24.04-arm | |
| name: Build, ${{ matrix.architecture }} | |
| strategy: | |
| matrix: | |
| architecture: | |
| - linux/arm64 | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| if: matrix.architecture != 'linux/arm64' | |
| uses: docker/[email protected] | |
| with: | |
| platforms: ${{ matrix.architecture }} | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args | |
| - name: Build the Docker image | |
| run: docker buildx build $(.github/bin/get-buildx-args) | |
| test: | |
| runs-on: ubuntu-24.04 | |
| name: Test, ${{ matrix.architecture }} | |
| needs: [build] | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| COMPOSE_PROJECT_NAME: wl | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: docker buildx build $(.github/bin/get-buildx-args load) | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Test the Docker image | |
| run: docker run --rm weblate/locale_lint:test --version | grep "version" | |
| anchore: | |
| runs-on: ubuntu-24.04 | |
| name: Anchore Container Scan, ${{ matrix.architecture }} | |
| needs: | |
| - build | |
| permissions: | |
| security-events: write | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: docker buildx build $(.github/bin/get-buildx-args load) | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Anchore scan action | |
| uses: anchore/scan-action@v6 | |
| id: scan | |
| with: | |
| image: weblate/locale_lint:test | |
| fail-build: false | |
| - name: Upload Anchore Scan Report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: Anchore scan SARIF | |
| path: ${{ steps.scan.outputs.sarif }} | |
| trivy: | |
| runs-on: ubuntu-24.04 | |
| name: Trivy Container Scan, ${{ matrix.architecture }} | |
| needs: | |
| - build | |
| permissions: | |
| security-events: write | |
| strategy: | |
| matrix: | |
| architecture: [linux/amd64] | |
| env: | |
| MATRIX_ARCHITECTURE: ${{ matrix.architecture }} | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache | |
| with: | |
| path: /tmp/.buildx-cache/${{ matrix.architecture }} | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-${{ matrix.architecture }} | |
| - name: Build the Docker image | |
| run: docker buildx build $(.github/bin/get-buildx-args load) | |
| - name: List Docker images | |
| run: docker image ls --all | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: weblate/locale_lint:test | |
| format: template | |
| template: '@/contrib/sarif.tpl' | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - uses: actions/upload-artifact@v4 | |
| with: | |
| name: Trivy scan SARIF | |
| path: trivy-results.sarif | |
| push_dockerhub: | |
| runs-on: ubuntu-24.04 | |
| name: Publish to Docker Hub | |
| needs: | |
| - test | |
| - buildx | |
| - anchore | |
| - trivy | |
| if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-amd64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/amd64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64 | |
| - name: DockerHub login | |
| run: echo "${{ secrets.DOCKERHUB_ACCESS_TOKEN }}" | docker login --username "${{ secrets.DOCKERHUB_USERNAME }}" --password-stdin | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args publish | |
| - name: Publish the Docker images | |
| run: docker buildx build $(.github/bin/get-buildx-args publish) | |
| push_github: | |
| runs-on: ubuntu-24.04 | |
| name: Publish to GitHub | |
| permissions: | |
| packages: write | |
| needs: | |
| - test | |
| - buildx | |
| - anchore | |
| - trivy | |
| if: ${{ startsWith(github.ref, 'refs/tags/') || (github.ref == 'refs/heads/main') }} | |
| env: | |
| DOCKER_IMAGE: ghcr.io/weblateorg/locale_lint | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: all | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-arm64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/arm64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/arm64 | |
| - name: Cache Docker layers | |
| uses: actions/cache@v4 | |
| id: cache-amd64 | |
| with: | |
| path: /tmp/.buildx-cache/linux/amd64 | |
| key: ${{ runner.os }}-buildx-${{ github.sha }}-linux/amd64 | |
| - name: Login to GitHub Container Registry | |
| if: ${{ github.event_name != 'pull_request'}} | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Configure Docker build | |
| run: .github/bin/get-buildx-args publish | |
| - name: Publish the Docker images | |
| run: docker buildx build $(.github/bin/get-buildx-args publish) |