Malcolm/.github/workflows/docker-build-push-scan.yml at main · Code-at-Java/Malcolm · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
name: docker-build-push-scan

on:
  workflow_call:
    inputs:
      service:
        required: true
        type: string
      dockerfile:
        required: true
        type: string
      extra_build_args:
        required: false
        type: string
    secrets:
      maxmind_license_key:
        required: false
      maxmind_alternate_url:
        required: false

jobs:
  docker:
    runs-on: ${{ matrix.os }}
    permissions:
      actions: write
      packages: write
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        include:
          - os: ubuntu-24.04
            arch: amd64
            platform: linux/amd64
          - os: ubuntu-24.04-arm
            arch: arm64
            platform: linux/arm64

    steps:
      -
        name: Cancel previous run in progress
        uses: styfle/cancel-workflow-action@0.13.0
        with:
          ignore_sha: true
          all_but_latest: true
          access_token: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Checkout
        uses: actions/checkout@v4
        with:
          submodules: 'recursive'
      -
        name: Generate build timestamp
        shell: bash
        run: echo "btimestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
        id: generate_build_timestamp
      -
        name: Extract branch name
        shell: bash
        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
        id: extract_branch
      -
        name: Generate arch tag suffix
        shell: bash
        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
        id: arch_tag_suffix
      -
        name: Extract commit SHA
        shell: bash
        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
        id: extract_commit_sha
      -
        name: Extract Malcolm version
        shell: bash
        run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
        id: extract_malcolm_version
      -
        name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver-opts: |
            image=moby/buildkit:master
      -
        name: Log in to registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      -
        name: Build and push
        uses: docker/build-push-action@v6
        with:
          context: .
          file: ${{ inputs.dockerfile }}
          build-args: |
            TARGETPLATFORM=${{ matrix.platform }}
            MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
            BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
            VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
            ${{ secrets.maxmind_license_key && format('MAXMIND_GEOIP_DB_LICENSE_KEY={0}', secrets.maxmind_license_key) || '' }}
            ${{ secrets.maxmind_alternate_url && format('MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL={0}', secrets.maxmind_alternate_url) || '' }}
            ${{ inputs.extra_build_args || '' }}
          push: true
          provenance: false
          platforms: ${{ matrix.platform }}
          tags: ghcr.io/${{ github.repository_owner }}/malcolm/${{ inputs.service }}:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
      -
        name: Run Trivy vulnerability scanner
        if: ${{ matrix.platform == 'linux/amd64' }}
        id: trivy-scan
        uses: aquasecurity/trivy-action@0.29.0
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
        with:
          scan-type: 'image'
          scanners: 'vuln'
          image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/${{ inputs.service }}:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'HIGH,CRITICAL'
          vuln-type: 'os,library'
          hide-progress: true
          ignore-unfixed: true
          exit-code: '0'
      -
        name: Upload Trivy scan results to GitHub Security tab
        if: ${{ matrix.platform == 'linux/amd64' }}
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: 'trivy-results.sarif'