ci: add grype security checks before release and in pr (#175)
Some checks failed
Release Workflow / determine-release-type (push) Has been cancelled
Release Workflow / build-images (push) Has been cancelled
Release Workflow / publish-release (push) Has been cancelled

* ci: add grype security checks before release and in pr

* ci: only build for amd64 in local build
This commit is contained in:
Nico 2025-12-18 18:02:34 +01:00 committed by GitHub
parent cac4c84df5
commit 55e68544f8
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 66 additions and 3 deletions

35
.github/workflows/ci.yml vendored Normal file
View file

@ -0,0 +1,35 @@
name: Checks
permissions:
contents: read
security-events: write
on:
pull_request:
branches:
- main
push:
branches:
- main
jobs:
ci:
timeout-minutes: 15
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v5
with:
fetch-depth: 0
ref: ${{ github.ref }}
- name: Scan current project
id: scan
uses: anchore/scan-action@v7
with:
path: "."
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: ${{ steps.scan.outputs.sarif }}

View file

@ -7,6 +7,11 @@ on:
- "v*.*.*-beta.*"
- "v*.*.*-alpha.*"
permissions:
contents: read
packages: write
security-events: write
jobs:
determine-release-type:
runs-on: ubuntu-latest
@ -57,6 +62,31 @@ jobs:
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build docker image
uses: docker/build-push-action@v6
with:
context: .
target: production
platforms: linux/amd64
push: false
load: true
tags: local/zerobyte:ci
build-args: |
APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}
- name: Scan new image for vulnerabilities
uses: anchore/scan-action@v7
id: scan
with:
image: local/zerobyte:ci
fail-build: true
severity-cutoff: critical
- name: upload Anchore scan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
- name: Docker meta
id: meta
uses: docker/metadata-action@v5
@ -70,7 +100,7 @@ jobs:
flavor: |
latest=${{ needs.determine-release-type.outputs.release_type == 'release' }}
- name: Build and push images
- name: Push images to GitHub Container Registry
uses: docker/build-push-action@v6
with:
context: .
@ -81,8 +111,6 @@ jobs:
labels: ${{ steps.meta.outputs.labels }}
build-args: |
APP_VERSION=${{ needs.determine-release-type.outputs.tagname }}
cache-from: type=registry,ref=ghcr.io/nicotsx/zerobyte:buildcache
cache-to: type=registry,ref=ghcr.io/nicotsx/zerobyte:buildcache,mode=max
publish-release:
runs-on: ubuntu-latest