zot/.github/workflows/ci-cd.yml
Ramkumar Chinchani cff3be638f ci/cd: scan released images with trivy scanner
Signed-off-by: Ramkumar Chinchani <rchincha@cisco.com>
2022-03-17 19:13:49 -07:00

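# CI/CD workflow for zot.
#
# On every push / pull request to main it builds and tests the project for the
# os/arch matrix. On a published release it additionally uploads the binaries
# to the release, pushes the container images to ghcr.io and scans the released
# images with Trivy, publishing the SARIF results to the GitHub Security tab.
#
# Review notes on this revision:
#   - the two Trivy scans used to write the same output file, so only the
#     second (minimal) scan ever reached the upload step; each scan now has
#     its own output file and its own upload, keyed by a distinct category
#   - job-level `permissions` restrict GITHUB_TOKEN to what each job needs
#   - service port mappings are quoted so no YAML loader can retype them
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  release:
    types:
      - published

name: build-test

jobs:
  # Placeholder job: it only prints "job deprecated". The actual build and
  # test work lives in build-test-arch below.
  build-test:
    name: Build and test ZOT
    runs-on: ubuntu-latest
    steps:
      - name: Run build and test
        timeout-minutes: 60
        run: |
          echo "job deprecated"

  build-test-arch:
    name: Build and test ZOT
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: only the release-asset upload below
    # writes to the repository; every other step needs read access at most.
    permissions:
      contents: write
    strategy:
      matrix:
        os: [linux, darwin]
        arch: [amd64, arm64]
    services:
      # LocalStack standing in for S3 (see S3MOCK_ENDPOINT in the test step).
      s3mock:
        image: ghcr.io/project-zot/localstack/localstack:0.13.2
        env:
          SERVICES: s3
        # Quoted: "host:container" mappings are strings, never YAML numbers.
        ports:
          - "4563-4599:4563-4599"
          - "9090:8080"
    steps:
      - name: Install go
        uses: actions/setup-go@v2
        with:
          go-version: 1.17.x
      - name: Check out source code
        # NOTE(review): push-image below uses actions/checkout@v2; this job is
        # still on @v1 — confirm whether the difference is intentional.
        uses: actions/checkout@v1
      - name: Install dependencies
        run: |
          cd $GITHUB_WORKSPACE
          go get -u github.com/swaggo/swag/cmd/swag
          go mod download
          sudo apt-get update
          sudo apt-get install rpm
          sudo apt install snapd
          sudo apt-get install skopeo
          curl -Lo notation.tar.gz https://github.com/notaryproject/notation/releases/download/v0.7.1-alpha.1/notation_0.7.1-alpha.1_linux_amd64.tar.gz
          sudo tar xvzf notation.tar.gz -C /usr/bin notation
          go get github.com/wadey/gocovmerge
      - name: Run build and test
        timeout-minutes: 60
        # The full `make` target (tests included) only runs for linux/amd64;
        # the other matrix legs build the binaries only.
        run: |
          echo "Building for $OS:$ARCH"
          cd $GITHUB_WORKSPACE
          if [[ $OS == "linux" && $ARCH == "amd64" ]]; then
            make OS=$OS ARCH=$ARCH
          else
            make OS=$OS ARCH=$ARCH binary binary-minimal binary-debug cli bench exporter-minimal
          fi
        env:
          S3MOCK_ENDPOINT: localhost:4566
          # Dummy credentials for the LocalStack S3 mock only.
          AWS_ACCESS_KEY_ID: fake
          AWS_SECRET_ACCESS_KEY: fake
          OS: ${{ matrix.os }}
          ARCH: ${{ matrix.arch }}
      - name: Upload code coverage
        uses: codecov/codecov-action@v2
      - if: github.event_name == 'release' && github.event.action == 'published'
        name: Publish artifacts on releases
        uses: svenstaro/upload-release-action@v2
        with:
          repo_token: ${{ secrets.GITHUB_TOKEN }}
          file: bin/z*
          tag: ${{ github.ref }}
          overwrite: true
          file_glob: true

  push-image:
    if: github.event_name == 'release' && github.event.action == 'published'
    name: Push Docker image to GitHub Packages
    runs-on: ubuntu-latest
    # Least privilege for GITHUB_TOKEN: checkout reads the repo, the image
    # pushes write to ghcr.io, and the SARIF upload writes code-scanning alerts.
    permissions:
      contents: read
      packages: write
      security-events: write
    strategy:
      matrix:
        os: [linux, darwin]
        arch: [amd64, arm64]
    steps:
      - name: Check out the repo
        uses: actions/checkout@v2
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@v1
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Four images are built from the same source with the same build-args;
      # only the Dockerfile and the image name suffix differ.
      - name: Build zot container image
        uses: docker/build-push-action@v2
        with:
          build-args: |
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
          push: true
          file: Dockerfile
          tags: |
            ghcr.io/${{ github.repository }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
            ghcr.io/${{ github.repository }}-${{ matrix.os }}-${{ matrix.arch }}:latest
      - name: Build zot-minimal container image
        uses: docker/build-push-action@v2
        with:
          build-args: |
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
          push: true
          file: Dockerfile-minimal
          tags: |
            ghcr.io/${{ github.repository }}-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
            ghcr.io/${{ github.repository }}-minimal-${{ matrix.os }}-${{ matrix.arch }}:latest
      - name: Build zot-exporter container image
        uses: docker/build-push-action@v2
        with:
          build-args: |
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
          push: true
          file: Dockerfile-zxp
          tags: |
            ghcr.io/${{ github.repository }}-zxp-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
            ghcr.io/${{ github.repository }}-zxp-${{ matrix.os }}-${{ matrix.arch }}:latest
      - name: Build zb container image
        uses: docker/build-push-action@v2
        with:
          build-args: |
            COMMIT=${{ github.event.release.tag_name }}-${{ github.sha }}
            OS=${{ matrix.os }}
            ARCH=${{ matrix.arch }}
          push: true
          file: Dockerfile-zb
          tags: |
            ghcr.io/${{ github.repository }}-zb-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}
            ghcr.io/${{ github.repository }}-zb-${{ matrix.os }}-${{ matrix.arch }}:latest
      # The scans run after the images are already pushed, so they report on
      # the released images but do not gate the release.
      - name: Run Trivy vulnerability scanner
        # TODO(review): @master is a mutable ref; pin the scanner to a release
        # tag or commit SHA so it cannot change underneath this workflow.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/${{ github.repository }}-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
          format: 'sarif'
          # One output file per scan; a shared name lets the second scan
          # overwrite the first before it is uploaded.
          output: 'trivy-results.sarif'
      - name: Run Trivy vulnerability scanner (minimal)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'ghcr.io/${{ github.repository }}-minimal-${{ matrix.os }}-${{ matrix.arch }}:${{ github.event.release.tag_name }}'
          format: 'sarif'
          output: 'trivy-results-minimal.sarif'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'
          # A distinct category per image and matrix leg; uploads sharing a
          # category for the same commit are treated as one analysis and
          # supersede each other.
          category: trivy-zot-${{ matrix.os }}-${{ matrix.arch }}
      - name: Upload Trivy scan results to GitHub Security tab (minimal)
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results-minimal.sarif'
          category: trivy-zot-minimal-${{ matrix.os }}-${{ matrix.arch }}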