65 lines
2.1 KiB
YAML
65 lines
2.1 KiB
YAML
name: "Build: Validate"
|
|
|
|
permissions:
|
|
contents: read
|
|
packages: write
|
|
|
|
on:
|
|
workflow_call:
|
|
workflow_dispatch:
|
|
workflow_run:
|
|
workflows: ["Build Swarm Loadbalancer"]
|
|
types:
|
|
- completed
|
|
|
|
env:
|
|
CANDIDATE_IMAGE: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
|
|
|
|
jobs:
|
|
validate-install-report:
|
|
name: Run Install Report
|
|
runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
|
|
steps:
|
|
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
|
|
- name: "Pull Candidate Image"
|
|
run: docker pull ${{ env.CANDIDATE_IMAGE }}
|
|
- name: "Run Install Report"
|
|
run: docker run --rm ${{ env.CANDIDATE_IMAGE }} /usr/bin/install-report
|
|
validate-dive-report:
|
|
name: Run Dive
|
|
runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
|
|
steps:
|
|
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
|
|
- name: "Pull Candidate Image"
|
|
run: docker pull ${{ env.CANDIDATE_IMAGE }}
|
|
- name: "Generate Dive Config"
|
|
run: |
|
|
{
|
|
echo "rules:"
|
|
echo "lowestEfficiency: 0.95"
|
|
echo "highestWastedBytes: 20MB"
|
|
echo "highestUserWastedPercent: 0.20"
|
|
} > ${{ github.workspace }}/.dive-ci.yml
|
|
# Use Dive to inspect the image for junk
|
|
- name: "Dive"
|
|
uses: yuichielectric/dive-action@0.0.3
|
|
with:
|
|
image: ${{ env.CANDIDATE_IMAGE }}
|
|
config-file: ${{ github.workspace }}/.dive-ci.yml
|
|
validate-vulnerability-report:
|
|
name: Run Trivy
|
|
runs-on: ${{ vars.RUNS_ON || 'ubuntu-latest' }}
|
|
steps:
|
|
- run: docker login ghcr.io -u ${{ github.repository_owner }} -p ${{ secrets.GITHUB_TOKEN }}
|
|
- name: "Pull Candidate Image"
|
|
run: docker pull ${{ env.CANDIDATE_IMAGE }}
|
|
# Inspect the container for security vulnerabilities
|
|
- name: "Post-Build: Trivy"
|
|
uses: aquasecurity/trivy-action@master
|
|
with:
|
|
image-ref: ${{ env.CANDIDATE_IMAGE }}
|
|
format: table
|
|
exit-code: 1
|
|
ignore-unfixed: true
|
|
vuln-type: "os,library"
|
|
severity: "CRITICAL,HIGH"
|