CI/CD #1733
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: CI/CD | |
'on': | |
pull_request: | |
push: | |
branches: | |
- master | |
schedule: | |
- cron: '0 0 * * *' | |
jobs: | |
hadolint: | |
name: Test dockerfile syntax | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the codebase. | |
uses: actions/checkout@main | |
- name: Install hadolint. | |
run: | | |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint | |
sudo chmod 755 /usr/local/bin/hadolint | |
env: | |
HADOLINT_VERSION: 2.12.0 | |
- name: Run hadolint. | |
run: hadolint Dockerfile | |
- name: Run hadolint on devel. | |
run: hadolint Dockerfile_devel | |
build: | |
name: Build and test docker | |
runs-on: ubuntu-latest | |
steps: | |
- name: Check out the codebase. | |
uses: actions/checkout@main | |
- name: Build docker image. | |
run: | | |
docker build --no-cache --tag ${GITHUB_REPOSITORY}:${GITHUB_RUN_ID} . | |
docker build --no-cache --tag ${GITHUB_REPOSITORY}:devel -f Dockerfile_devel . | |
- name: Run a container of created images. | |
run: | | |
BASECONTAINER=$(docker run --detach --privileged --cgroup-parent=docker.slice --cgroupns private --tmpfs /run --tmpfs /run/lock ${GITHUB_REPOSITORY}:${GITHUB_RUN_ID}) | |
DEVELCONTAINER=$(docker run --detach --privileged --cgroup-parent=docker.slice --cgroupns private --tmpfs /run --tmpfs /run/lock ${GITHUB_REPOSITORY}:devel) | |
sleep 5 | |
echo "BASECONTAINER=$BASECONTAINER" >> $GITHUB_ENV | |
echo "DEVELCONTAINER=$DEVELCONTAINER" >> $GITHUB_ENV | |
- name: Check if containers are still running. | |
run: | | |
docker ps -f id=${BASECONTAINER} | |
docker ps -f id=${DEVELCONTAINER} | |
- name: Check if the containers can be correctly stopped and removed. | |
run: | | |
docker stop ${BASECONTAINER} && docker rm -fv ${BASECONTAINER} | |
docker stop ${DEVELCONTAINER} && docker rm -fv ${DEVELCONTAINER} | |
- name: Run Trivy vulnerability scanner. | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ github.repository }}:${{ github.run_id }} | |
exit-code: '1' | |
severity: 'CRITICAL,HIGH' | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
- name: Run Trivy vulnerability scanner. | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: ${{ github.repository }}:devel | |
exit-code: '1' | |
severity: 'CRITICAL,HIGH' | |
env: | |
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
deploy: | |
if: ${{ github.ref == 'refs/heads/master' }} | |
needs: [hadolint, build] | |
name: Push to Quay | |
runs-on: ubuntu-latest | |
steps: | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@master | |
- name: Login to Quay | |
uses: docker/login-action@master | |
with: | |
registry: quay.io | |
username: ${{ secrets.QUAY_USERNAME }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Push to Quay | |
uses: docker/build-push-action@master | |
with: | |
file: ./Dockerfile | |
pull: true | |
push: true | |
tags: quay.io/aminvakil/archlinux:latest | |
- name: Push to Quay (devel) | |
uses: docker/build-push-action@master | |
with: | |
file: ./Dockerfile_devel | |
pull: true | |
push: true | |
tags: quay.io/aminvakil/archlinux:devel |