From f887cda64f7d0b8ec7d2a457e5914bc759e39bd7 Mon Sep 17 00:00:00 2001 From: Peter Muriuki Date: Mon, 30 Sep 2024 15:34:41 +0300 Subject: [PATCH] Update gh actions --- .github/workflows/cd-test.yml | 4 +- .github/workflows/docker-docs.yml | 6 +- .github/workflows/docker-publish.yml | 89 +++++++++++++++------------- 3 files changed, 54 insertions(+), 45 deletions(-) diff --git a/.github/workflows/cd-test.yml b/.github/workflows/cd-test.yml index 5d609804a..8fa7dad40 100644 --- a/.github/workflows/cd-test.yml +++ b/.github/workflows/cd-test.yml @@ -38,12 +38,12 @@ jobs: run: yarn lerna:prepublish - name: Run all tests - run: yarn test --verbose --collectCoverage=true --forceExit --detectOpenHandles + run: yarn test --verbose --collectCoverage=true --forceExit env: NODE_OPTIONS: --max_old_space_size=5120 - name: Upload coverage to Codecov - uses: codecov/codecov-action@v2 + uses: codecov/codecov-action@v4 with: token: ${{ secrets.CODECOV_TOKEN }} directory: ./coverage diff --git a/.github/workflows/docker-docs.yml b/.github/workflows/docker-docs.yml index f3572b180..bd110563c 100644 --- a/.github/workflows/docker-docs.yml +++ b/.github/workflows/docker-docs.yml @@ -5,16 +5,16 @@ on: paths: - "docs/fhir-web-docker-deployment.md" branches: - - master + - main jobs: update-docker-hub-documentation: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 - name: Update Docker Hub ReadMe - uses: peter-evans/dockerhub-description@v3 + uses: peter-evans/dockerhub-description@v4 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 5c02e8b17..7a78a1b29 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml 
@@ -7,7 +7,7 @@ on: # Publish `master` as Docker `master` tag. # See also https://github.com/crazy-max/ghaction-docker-meta#basic branches: - - master + - main # Publish `v1.2.3` tags as releases. tags: @@ -31,7 +31,7 @@ jobs: if: github.event_name == 'pull_request' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: submodules: recursive 
@@ -43,63 +43,72 @@ jobs: if: github.event_name == 'push' || github.event_name == 'workflow_dispatch' steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v4 with: submodules: recursive -# - name: Set up QEMU -# uses: docker/setup-qemu-action@v1 - - - name: Cache Docker layers - uses: actions/cache@v2 - with: - path: /tmp/.buildx-cache - key: ${{ runner.os }}-buildx-${{ github.sha }} - restore-keys: | - ${{ runner.os }}-buildx- + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v1 + uses: docker/setup-buildx-action@v3 - - name: Docker meta - id: docker_meta - uses: crazy-max/ghaction-docker-meta@v1 + - name: Extract metadata for Docker + id: meta + uses: docker/metadata-action@v5 with: - images: opensrp/web - tag-custom: ${{ github.event.inputs.customTag }} + images: | + opensrp/web + tags: | + type=ref,event=branch,key=main,tag=latest + type=ref,event=branch,pattern=release/*,group=1 + type=ref,event=tag + type=sha + # Add a custom tag if provided through workflow_dispatch input + type=raw,value=${{ github.event.inputs.customTag }} - name: Login to DockerHub - uses: docker/login-action@v1 + uses: docker/login-action@v3 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} - - name: Login to GitHub Container Registry - uses: docker/login-action@v1 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - name: Push to Docker Image Repositories - uses: docker/build-push-action@v2 + uses: docker/build-push-action@v6 id: docker_build with: push: true -# platforms: linux/amd64,linux/arm64 + platforms: linux/amd64,linux/arm64 tags: | ${{ steps.docker_meta.outputs.tags }} - ghcr.io/${{ steps.docker_meta.outputs.tags }} - cache-from: type=local,src=/tmp/.buildx-cache - cache-to: type=local,dest=/tmp/.buildx-cache-new - - # Temp fix - # https://github.com/docker/build-push-action/issues/252 - # 
https://github.com/moby/buildkit/issues/1896 - - name: Move cache - run: | - rm -rf /tmp/.buildx-cache - mv /tmp/.buildx-cache-new /tmp/.buildx-cache + cache-from: type=gha,scope=${{ github.workflow }} + cache-to: type=gha,mode=max,scope=${{ github.workflow }} - name: Image digest run: echo ${{ steps.docker_build.outputs.digest }} + + - name: Scan Docker Image with Docker Scout and Save Report + id: scout + run: | + # Save the Docker Scout report as JSON and Markdown + docker scout cves ${{ steps.meta.outputs.tags }} --output json > scout-report.json + docker scout cves ${{ steps.meta.outputs.tags }} --output markdown > scout-report.md + + - name: Check Docker Scout Scan Result + id: check-scout-result + run: | + # Check if any vulnerabilities are reported in the JSON output + if grep -q '"severity":' scout-report.json; then + echo "Vulnerabilities found in Docker Scout report." + echo "found_vulnerabilities=true" >> $GITHUB_ENV + else + echo "No vulnerabilities found." + echo "found_vulnerabilities=false" >> $GITHUB_ENV + + - name: Create GitHub Issue for Vulnerabilities + if: env.found_vulnerabilities == 'true' + uses: peter-evans/create-issue-from-file@v4 + with: + title: "Docker Scout Vulnerability Report for Image ${{ steps.meta.outputs.tags }}" + content-filepath: scout-report.md + labels: bug, security
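Review bot: The build-push step still reads `${{ steps.docker_meta.outputs.tags }}` although the metadata step in this same hunk was renamed to `id: meta`, so `tags:` expands to an empty string and the push runs with no tag; change it to `${{ steps.meta.outputs.tags }}` (and consider adding `labels: ${{ steps.meta.outputs.labels }}`). The "Check Docker Scout Scan Result" script is also missing the closing `fi`, so the step fails with a shell syntax error before `found_vulnerabilities` is ever written. The two `docker scout cves ${{ steps.meta.outputs.tags }}` lines interpolate the multi-line, newline-separated tag list straight into the shell, which splits the command at each newline and is the expression-injection pattern GitHub warns about for `run:` blocks; scanning the pushed image by its digest and passing values into the script through `env:` avoids both, as sketched below (which also moves the flag to `$GITHUB_OUTPUT` so the later `if:` reads a step output rather than the shared job environment). Whether the `docker scout` CLI plugin is present on `ubuntu-latest` and whether the job's `permissions` grant `issues: write` for the create-issue step cannot be seen from the hunk; the job definition starts above it.

```yaml
      # … unchanged: checkout, QEMU, Buildx, metadata, login, build-push and digest steps …

      - name: Scan Docker Image with Docker Scout and Save Report
        id: scout
        env:
          # Scan exactly what was pushed, and keep the expression out of the shell text.
          IMAGE_REF: opensrp/web@${{ steps.docker_build.outputs.digest }}
        run: |
          docker scout cves "$IMAGE_REF" --output json > scout-report.json
          docker scout cves "$IMAGE_REF" --output markdown > scout-report.md

      - name: Check Docker Scout Scan Result
        id: check-scout-result
        run: |
          # TODO(review): confirm a '"severity":' key appears only when findings exist
          if grep -q '"severity":' scout-report.json; then
            echo "Vulnerabilities found in Docker Scout report."
            echo "found_vulnerabilities=true" >> "$GITHUB_OUTPUT"
          else
            echo "No vulnerabilities found."
            echo "found_vulnerabilities=false" >> "$GITHUB_OUTPUT"
          fi

      - name: Create GitHub Issue for Vulnerabilities
        if: steps.check-scout-result.outputs.found_vulnerabilities == 'true'
        uses: peter-evans/create-issue-from-file@v4
        with:
          title: "Docker Scout Vulnerability Report for opensrp/web@${{ steps.docker_build.outputs.digest }}"
          content-filepath: scout-report.md
          labels: bug, security
```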