133 lines
4.2 KiB
YAML
133 lines
4.2 KiB
YAML
name: Docker
|
|
|
|
on:
|
|
push:
|
|
branches: ["master"]
|
|
schedule:
|
|
- cron: '0 22 1 * *'
|
|
|
|
env:
|
|
IMAGENAME: pihole-exporter
|
|
GHCR: ghcr.io
|
|
DOCKER: docker.io
|
|
|
|
jobs:
|
|
test:
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Set up Go 1.22
|
|
uses: actions/setup-go@v5
|
|
with:
|
|
go-version: 1.22
|
|
id: go
|
|
- uses: actions/checkout@v4
|
|
- name: Get dependencies
|
|
run: |
|
|
go get -v -t -d ./...
|
|
if [ -f Gopkg.toml ]; then
|
|
curl https://raw.githubusercontent.com/golang/dep/master/install.sh | sh
|
|
dep ensure
|
|
fi
|
|
- name: Build
|
|
run: go build -v .
|
|
- name: Run docker tests
|
|
run: |
|
|
if [ -f docker-compose.test.yml ]; then
|
|
docker-compose --file docker-compose.test.yml build
|
|
docker-compose --file docker-compose.test.yml run sut
|
|
else
|
|
docker build . --file Dockerfile
|
|
fi
|
|
|
|
golangci-lint:
|
|
name: golangci-lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Check out code into the Go module directory
|
|
uses: actions/checkout@v4
|
|
- name: Perform Go lint
|
|
uses: reviewdog/action-golangci-lint@v1
|
|
with:
|
|
fail_on_error: true
|
|
golangci_lint_flags: "--config=.github/.golangci.yml ."
|
|
|
|
vulnerability-scan:
|
|
needs:
|
|
- test
|
|
- golangci-lint
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Perform vulnerability scan
|
|
uses: ShiftLeftSecurity/scan-action@master
|
|
|
|
build-and-push:
|
|
needs:
|
|
- test
|
|
- golangci-lint
|
|
- vulnerability-scan
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@v3
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@v3
|
|
- name: Log in to the Github container registry
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.GHCR }}
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@v3
|
|
with:
|
|
registry: ${{ env.DOCKER }}
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
- name: Get current date
|
|
id: date
|
|
run: echo "::set-output name=date::$(date +'%Y-%m-%d')"
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v5
|
|
with:
|
|
context: .
|
|
platforms: linux/386,linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64
|
|
push: true
|
|
tags: |
|
|
${{ env.GHCR }}/${{ github.repository_owner }}/${{ env.IMAGENAME }}:latest
|
|
${{ env.GHCR }}/${{ github.repository_owner }}/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
|
|
${{ env.DOCKER }}/${{ github.repository_owner }}/${{ env.IMAGENAME }}:latest
|
|
${{ env.DOCKER }}/${{ github.repository_owner }}/${{ env.IMAGENAME }}:${{ steps.date.outputs.date }}
|
|
- name: Push description and readme to Docker Hub
|
|
uses: peter-evans/dockerhub-description@v4
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_TOKEN }}
|
|
repository: ${{ secrets.DOCKERHUB_USERNAME }}/${{ env.IMAGENAME }}
|
|
short-description: ${{ github.event.repository.description }}
|
|
readme-filepath: ./README.md
|
|
|
|
image-vulnerability-scan:
|
|
runs-on: ubuntu-latest
|
|
needs:
|
|
- build-and-push
|
|
steps:
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: '${{ env.GHCR }}/${{ github.repository_owner }}/${{ env.IMAGENAME }}:latest'
|
|
format: 'sarif'
|
|
output: 'trivy-results.sarif'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
env:
|
|
TRIVY_USERNAME: ${{ github.actor }}
|
|
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@v2
|
|
if: always()
|
|
with:
|
|
sarif_file: 'trivy-results.sarif' |