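---
# Post-build validation of the candidate image that the "Build Swarm Loadbalancer"
# workflow pushed to GHCR: install report, layer-efficiency check (dive) and a
# vulnerability scan (trivy). Every job only pulls the image; nothing is pushed.
name: "Build: Validate"

# Least privilege: the jobs below only pull from GHCR, so read access is enough.
permissions:
  contents: read
  packages: read

on:
  workflow_call:
  workflow_dispatch:
  workflow_run:
    workflows: ["Build Swarm Loadbalancer"]
    types:
      - completed

env:
  # Under a workflow_run trigger, github.sha is the default-branch head, not the
  # commit the build ran on; prefer the triggering run's head_sha when present.
  CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.event.workflow_run.head_sha || github.sha }}

jobs:
  validate-install-report:
    name: Run Install Report
    runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
    # Skip validation when the triggering build did not finish successfully.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: "Login to GHCR"
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Token on stdin so it never shows up in the process argument list.
        run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "${{ github.repository_owner }}" --password-stdin
      - name: "Pull Candidate Image"
        run: docker pull "$CANDIDATE_IMAGE"
      - name: "Run Install Report"
        run: docker run --rm "$CANDIDATE_IMAGE" /usr/bin/install-report

  validate-dive-report:
    name: Run Dive
    runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
    # Skip validation when the triggering build did not finish successfully.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: "Login to GHCR"
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Token on stdin so it never shows up in the process argument list.
        run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "${{ github.repository_owner }}" --password-stdin
      - name: "Pull Candidate Image"
        run: docker pull "$CANDIDATE_IMAGE"
      # Dive reads its thresholds from a `rules:` mapping; the entries must be
      # nested under it, otherwise they land at top level and are ignored.
      - name: "Generate Dive Config"
        run: |
          cat > "$GITHUB_WORKSPACE/.dive-ci.yml" <<'EOF'
          rules:
            lowestEfficiency: 0.95
            highestWastedBytes: 20MB
            highestUserWastedPercent: 0.20
          EOF
      # Use Dive to inspect the image for junk
      - name: "Dive"
        uses: yuichielectric/dive-action@0.0.3
        with:
          image: ${{ env.CANDIDATE_IMAGE }}
          config-file: ${{ github.workspace }}/.dive-ci.yml

  validate-vulnerability-report:
    name: Run Trivy
    runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
    # Skip validation when the triggering build did not finish successfully.
    if: ${{ github.event_name != 'workflow_run' || github.event.workflow_run.conclusion == 'success' }}
    steps:
      - name: "Login to GHCR"
        env:
          GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        # Token on stdin so it never shows up in the process argument list.
        run: echo "$GHCR_TOKEN" | docker login ghcr.io -u "${{ github.repository_owner }}" --password-stdin
      - name: "Pull Candidate Image"
        run: docker pull "$CANDIDATE_IMAGE"
      # Inspect the container for security vulnerabilities
      # NOTE(review): `@master` is a mutable branch ref (and a floating tag such as
      # `@0.0.3` above can be moved too); pin third-party actions to a full commit
      # SHA so a change upstream cannot silently alter what runs here.
      - name: "Post-Build: Trivy"
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.CANDIDATE_IMAGE }}
          format: table
          exit-code: 1
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"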