Skip to content

Merge pull request #87 from sir-gon/renovate/ubuntu-24.x #329

Merge pull request #87 from sir-gon/renovate/ubuntu-24.x

Merge pull request #87 from sir-gon/renovate/ubuntu-24.x #329

Workflow file for this run

---
name: Docker Image CI
on: # yamllint disable-line rule:truthy
push:
branches: ["main"]
pull_request:
# The branches below must be a subset of the branches above
branches: ["main"]
workflow_dispatch:
env:
IMAGE_NAME: algorithm-exercises-cpp
ARTIFACT_NAME: algorithm-exercises-cpp_${{ github.sha }}
jobs:
build:
name: "Build Docker images"
runs-on: ubuntu-24.04
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: "LINT: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: lint
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
tags: |
${{ env.IMAGE_NAME }}:lint
- name: "LINT: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_lint
path: /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
- name: "TEST: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: testing
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
tags: |
${{ env.IMAGE_NAME }}:test
- name: "TEST: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_test
path: /tmp/${{ env.ARTIFACT_NAME }}_test.tar
- name: "PRODUCTION: Build and push"
uses: docker/build-push-action@v6
with:
context: .
target: production
outputs: |
type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
tags: |
${{ env.IMAGE_NAME }}:latest
${{ env.IMAGE_NAME }}:${{ github.sha }}
- name: "PRODUCTION: Upload artifact"
uses: actions/upload-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
lint:
name: "Run in docker: LINT"
runs-on: ubuntu-24.04
needs: build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_lint
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
docker image ls -a
- name: Run lint
run: >
docker
compose --profile lint
run --rm ${{ env.IMAGE_NAME }}-lint
make lint
test:
name: "Run in docker: TEST"
runs-on: ubuntu-24.04
needs: build
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_test
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
docker image ls -a
- name: Run test
run: >
docker
compose --profile test
run --rm ${{ env.IMAGE_NAME }}-test
make test
security:
name: "Snyk Container"
runs-on: ubuntu-24.04
needs: build
permissions:
actions: read
contents: read
security-events: write
steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
docker image ls -a
- name: Run Snyk to check Docker image for vulnerabilities
# Snyk can be used to break the build when it detects vulnerabilities.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/docker@master
env:
# yamllint disable rule:line-length
# In order to use the Snyk Action you will need to have a Snyk API token.
# See https://docs.snyk.io/integrations/ci-cd-integrations/github-actions-integration#getting-your-snyk-token
# or you can sign up for free at https://snyk.io/login
# yamllint enable rule:line-length
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
args: --file=Dockerfile
# yamllint disable rule:line-length
# https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
- name: Replace security-severity undefined for license-related findings
run: |
sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
# yamllint enable rule:line-length
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'snyk.sarif'
scan:
name: "Trivy"
runs-on: ubuntu-24.04
needs: build
permissions:
actions: read
contents: read
security-events: write
steps:
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: ${{ env.ARTIFACT_NAME }}_prod
path: /tmp/
- name: Load image
run: |
docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
docker image ls -a
- name: Run Trivy vulnerability scanner (cli report)
uses: aquasecurity/trivy-action@0.32.0
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'table'
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
- name: Run Trivy vulnerability scanner (sarif report)
uses: aquasecurity/trivy-action@0.32.0
with:
image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
format: 'sarif'
output: 'trivy-results.sarif'
env:
TRIVY_DB_REPOSITORY: ${{ vars.TRIVY_DB_REPOSITORY }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy