Merge pull request #141 from neicnordic/build_container_on_pr

Build container on pr

.github/workflows/build-and-scan-PR-container.yml

@@ -0,0 +1,52 @@
+name: build and scan PR container
+on:
+  pull_request:
+jobs:
+  build:
+    name: Build PR image
+    runs-on: ubuntu-22.04
+    permissions:
+      contents: read
+      packages: write
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Add Maven Github authentication
+        run: echo "<settings xmlns='http://maven.apache.org/SETTINGS/1.0.0' xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance' xsi:schemaLocation='http://maven.apache.org/SETTINGS/1.0.0 https://maven.apache.org/xsd/settings-1.0.0.xsd'> <servers> <server> <id>github-clearinghouse</id> <username>${{ github.actor }}</username> <password>${{ secrets.GITHUB_TOKEN }}</password> </server> <server> <id>github-tsd-file-api-client</id> <username>${{ github.actor }}</username> <password>${{ secrets.GITHUB_TOKEN }}</password> </server> </servers> </settings>" > settings.xml
+
+      - name: Log in to the Github Container registry
+        uses: docker/login-action@v2
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Build container
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          file: ./Dockerfile
+          push: true
+          tags: |
+            ghcr.io/${{ github.repository }}:PR${{ github.event.number }}
+            ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
+          labels: |
+            org.opencontainers.image.source=${{ github.event.repository.clone_url }}
+            org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
+            org.opencontainers.image.revision=${{ github.sha }}
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@8bd2f9fbda2109502356ff8a6a89da55b1ead252
+        with:
+          image-ref: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
+          format: "sarif"
+          hide-progress: true
+          ignore-unfixed: true
+          output: 'trivy-results.sarif'
+          severity: "CRITICAL,HIGH"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'

.github/workflows/ghcr-actions.yml

@@ -0,0 +1,40 @@
+# This workflow uses actions that are not certified by GitHub.
+# They are provided by a third-party and are governed by
+# separate terms of service, privacy policy, and support
+# documentation.
+
+name: ghcr actions
+
+on:
+  schedule:
+    - cron: '21 21 * * *'
+
+jobs:
+  clean-ghcr:
+    name: Delete old unused container images
+    runs-on: ubuntu-latest
+    permissions:
+      packages: write
+    steps:
+      - name: Delete 'PR' containers older than a week
+        uses: snok/[email protected]
+        with:
+          image-names: sda-doa
+          filter-tags: PR*, sha-*
+          cut-off: A week ago UTC
+          account-type: org
+          org-name: ${{ github.repository_owner }}
+          keep-at-least: 1
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Delete all containers older than treee months, using a wildcard
+        uses: snok/[email protected]
+        with:
+          image-names: sda-doa
+          filter-tags: v*
+          cut-off: Three months ago UTC
+          account-type: org
+          org-name: ${{ github.repository_owner }}
+          keep-at-least: 2
+          skip-tags: latest
+          token: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -15,7 +15,9 @@ RUN mvn clean install -DskipTests --no-transfer-progress
 
 FROM eclipse-temurin:20-jre-alpine
 
-RUN apk add --no-cache ca-certificates openssl
+RUN apk -U upgrade && \
+    apk add ca-certificates openssl && \
+    rm -rf /var/cache/apk/*
 
 COPY --from=builder /target/localega-doa-*.jar /localega-doa.jar