@@ -8,28 +8,127 @@ on: # yamllint disable-line rule:truthy
88 pull_request :
99 branches : ["main"]
1010
11+ env :
12+ IMAGE_NAME : algorithm-exercises-ts
13+ ARTIFACT_NAME : algorithm-exercises-ts_${{ github.sha }}
14+
1115jobs :
1216
1317 build :
14- name : " Build & Test in Docker"
18+ name : " Build Docker images"
19+ runs-on : ubuntu-latest
20+ steps :
21+ - uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
22+
23+ - name : Set up Docker Buildx
24+ uses : docker/setup-buildx-action@v3
25+
26+ - name : " LINT: Build and push"
27+ uses : docker/build-push-action@v6
28+ with :
29+ context : .
30+ target : lint
31+ outputs : |
32+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
33+ tags : |
34+ ${{ env.IMAGE_NAME }}:lint
35+ name : " LINT: Upload artifact"
36+ uses : actions/upload-artifact@v4
37+ with :
38+ name : ${{ env.ARTIFACT_NAME }}_lint
39+ path : /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
40+
41+ - name : " TEST: Build and push"
42+ uses : docker/build-push-action@v6
43+ with :
44+ context : .
45+ target : testing
46+ outputs : |
47+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
48+ tags : |
49+ ${{ env.IMAGE_NAME }}:test
50+ name : " TEST: Upload artifact"
51+ uses : actions/upload-artifact@v4
52+ with :
53+ name : ${{ env.ARTIFACT_NAME }}_test
54+ path : /tmp/${{ env.ARTIFACT_NAME }}_test.tar
55+
56+ - name : " PRODUCTION: Build and push"
57+ uses : docker/build-push-action@v6
58+ with :
59+ context : .
60+ target : production
61+ outputs : |
62+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
63+ tags : |
64+ ${{ env.IMAGE_NAME }}:latest
65+ ${{ env.IMAGE_NAME }}:${{ github.sha }}
66+ name : " PRODUCTION: Upload artifact"
67+ uses : actions/upload-artifact@v4
68+ with :
69+ name : ${{ env.ARTIFACT_NAME }}_prod
70+ path : /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
71+
72+ lint :
73+ name : " Run in docker: LINT"
74+ runs-on : ubuntu-latest
75+ needs : build
76+ steps :
77+ - name : Download artifact
78+ uses : actions/download-artifact@v4
79+ with :
80+ name : ${{ env.ARTIFACT_NAME }}_lint
81+ path : /tmp/
1582
83+ - name : Load image
84+ run : |
85+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
86+ docker image ls -a
87+
88+ name : Run lint
89+ run : |
90+ docker run --rm ${{ env.IMAGE_NAME }}:lint make lint
91+
92+ test :
93+ name : " Run in docker: TEST"
1694 runs-on : ubuntu-latest
95+ needs : build
96+ steps :
97+ - name : Download artifact
98+ uses : actions/download-artifact@v4
99+ with :
100+ name : ${{ env.ARTIFACT_NAME }}_test
101+ path : /tmp/
102+
103+ - name : Load image
104+ run : |
105+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
106+ docker image ls -a
17107
108+ name : Run test
109+ run : |
110+ docker run --rm ${{ env.IMAGE_NAME }}:test make test
111+
112+ security :
113+ name : " Snyk Container"
114+ runs-on : ubuntu-latest
115+ needs : build
116+ permissions :
117+ contents : write
118+ pull-requests : write
119+ repository-projects : write
18120 steps :
19121 - uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
20- - name : Build the Docker image
21- run : make compose/rebuild
22- - name : Lint in Docker image
23- run : make compose/lint
24- - name : Test in Docker image
25- run : make compose/test
26- - name : Run in Docker image
27- run : make compose/run
28- - name : Tag Docker image
29- run : >
30- docker tag
31- algorithm-exercises-ts:latest
32- algorithm-exercises-ts:${{ github.sha }}
122+ - name : Download artifact
123+ uses : actions/download-artifact@v4
124+ with :
125+ name : ${{ env.ARTIFACT_NAME }}_prod
126+ path : /tmp/
127+
128+ - name : Load image
129+ run : |
130+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
131+ docker image ls -a
33132
34133name : Run Snyk to check Docker image for vulnerabilities
35134 # Snyk can be used to break the build when it detects vulnerabilities.
@@ -44,11 +143,47 @@ jobs:
44143 # yamllint enable rule:line-length
45144 SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
46145 with :
47- image : algorithm-exercises-ts:latest
146+ image : ${{ env.IMAGE_NAME }}:${{ github.sha }}
48147 args : --file=Dockerfile
49- # yamllint disable rule:comments-indentation
50- # - name: Upload result to GitHub Code Scanning
51- # uses: github/codeql-action/upload-sarif@v2
52- # with:
53- # sarif_file: snyk.sarif
54- # yamllint enable rule:comments-indentation
148+ # yamllint disable rule:line-length
149+ # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
150+ - name : Replace security-severity undefined for license-related findings
151+ run : |
152+ sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
153+ sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
154+ # yamllint enable rule:line-length
155+ - name : Upload result to GitHub Code Scanning
156+ uses : github/codeql-action/upload-sarif@v3
157+ with :
158+ sarif_file : ' snyk.sarif'
159+ scan :
160+ name : " Trivy"
161+ runs-on : ubuntu-latest
162+ needs : build
163+ permissions :
164+ contents : write
165+ pull-requests : write
166+ repository-projects : write
167+ steps :
168+ - name : Download artifact
169+ uses : actions/download-artifact@v4
170+ with :
171+ name : ${{ env.ARTIFACT_NAME }}_prod
172+ path : /tmp/
173+
174+ - name : Load image
175+ run : |
176+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
177+ docker image ls -a
178+
179+ name : Run Trivy vulnerability scanner
180+ uses :
aquasecurity/[email protected] 181+ with :
182+ image-ref : ${{ env.IMAGE_NAME }}:${{ github.sha }}
183+ format : ' sarif'
184+ output : ' trivy-results.sarif'
185+
186+ - name : Upload Trivy scan results to GitHub Security tab
187+ uses : github/codeql-action/upload-sarif@v3
188+ with :
189+ sarif_file : ' trivy-results.sarif'
0 commit comments