diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml new file mode 100644 index 00000000..acb4c335 --- /dev/null +++ b/.github/workflows/ci.yml @@ -0,0 +1,35 @@ +name: Checks + +permissions: + contents: read + security-events: write + +on: + pull_request: + branches: + - main + push: + branches: + - main + +jobs: + ci: + timeout-minutes: 15 + runs-on: ubuntu-latest + steps: + - name: Checkout code + uses: actions/checkout@v5 + with: + fetch-depth: 0 + ref: ${{ github.ref }} + + - name: Scan current project + id: scan + uses: anchore/scan-action@v7 + with: + path: "." + + - name: upload Anchore scan SARIF report + uses: github/codeql-action/upload-sarif@v4 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index ba22c458..222e97c3 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -7,6 +7,11 @@ on: - "v*.*.*-beta.*" - "v*.*.*-alpha.*" +permissions: + contents: read + packages: write + security-events: write + jobs: determine-release-type: runs-on: ubuntu-latest @@ -57,6 +62,31 @@ jobs: username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} + - name: Build docker image + uses: docker/build-push-action@v6 + with: + context: . + target: production + platforms: linux/amd64 + push: false + load: true + tags: local/zerobyte:ci + build-args: | + APP_VERSION=${{ needs.determine-release-type.outputs.tagname }} + + - name: Scan new image for vulnerabilities + uses: anchore/scan-action@v7 + id: scan + with: + image: local/zerobyte:ci + fail-build: true + severity-cutoff: critical + + - name: upload Anchore scan report + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + - name: Docker meta id: meta uses: docker/metadata-action@v5 @@ -70,7 +100,7 @@ jobs: flavor: | latest=${{ needs.determine-release-type.outputs.release_type == 'release' }} - - name: Build and push images + - name: Push images to GitHub Container Registry uses: docker/build-push-action@v6 with: context: . @@ -81,8 +111,6 @@ jobs: labels: ${{ steps.meta.outputs.labels }} build-args: | APP_VERSION=${{ needs.determine-release-type.outputs.tagname }} - cache-from: type=registry,ref=ghcr.io/nicotsx/zerobyte:buildcache - cache-to: type=registry,ref=ghcr.io/nicotsx/zerobyte:buildcache,mode=max publish-release: runs-on: ubuntu-latest