-
Notifications
You must be signed in to change notification settings - Fork 0
111 lines (95 loc) · 3.46 KB
/
latest.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
---
name: CI/CD
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: '0 0 * * *'
jobs:
hadolint:
name: Test dockerfile syntax
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@main
- name: Install hadolint.
run: |
sudo curl -L https://github.com/hadolint/hadolint/releases/download/v$HADOLINT_VERSION/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint
sudo chmod 755 /usr/local/bin/hadolint
env:
HADOLINT_VERSION: 2.12.0
- name: Run hadolint.
run: hadolint Dockerfile
- name: Run hadolint on devel.
run: hadolint Dockerfile_devel
build:
name: Build and test docker
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@main
- name: Build docker image.
run: |
docker build --no-cache --tag ${GITHUB_REPOSITORY}:${GITHUB_RUN_ID} .
docker build --no-cache --tag ${GITHUB_REPOSITORY}:devel -f Dockerfile_devel .
- name: Run a container of created images.
run: |
BASECONTAINER=$(docker run --detach --privileged --cgroup-parent=docker.slice --cgroupns private --tmpfs /run --tmpfs /run/lock ${GITHUB_REPOSITORY}:${GITHUB_RUN_ID})
DEVELCONTAINER=$(docker run --detach --privileged --cgroup-parent=docker.slice --cgroupns private --tmpfs /run --tmpfs /run/lock ${GITHUB_REPOSITORY}:devel)
sleep 5
echo "BASECONTAINER=$BASECONTAINER" >> $GITHUB_ENV
echo "DEVELCONTAINER=$DEVELCONTAINER" >> $GITHUB_ENV
- name: Check if containers are still running.
run: |
docker ps -f id=${BASECONTAINER}
docker ps -f id=${DEVELCONTAINER}
- name: Check if the containers can be correctly stopped and removed.
run: |
docker stop ${BASECONTAINER} && docker rm -fv ${BASECONTAINER}
docker stop ${DEVELCONTAINER} && docker rm -fv ${DEVELCONTAINER}
- name: Run Trivy vulnerability scanner.
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ github.repository }}:${{ github.run_id }}
exit-code: '1'
severity: 'CRITICAL,HIGH'
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
- name: Run Trivy vulnerability scanner.
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ github.repository }}:devel
exit-code: '1'
severity: 'CRITICAL,HIGH'
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
deploy:
if: ${{ github.ref == 'refs/heads/master' }}
needs: [hadolint, build]
name: Push to Quay
runs-on: ubuntu-latest
steps:
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@master
- name: Login to Quay
uses: docker/login-action@master
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- name: Push to Quay
uses: docker/build-push-action@master
with:
file: ./Dockerfile
pull: true
push: true
tags: quay.io/aminvakil/archlinux:latest
- name: Push to Quay (devel)
uses: docker/build-push-action@master
with:
file: ./Dockerfile_devel
pull: true
push: true
tags: quay.io/aminvakil/archlinux:devel