-
Notifications
You must be signed in to change notification settings - Fork 79
83 lines (79 loc) · 2.86 KB
/
docker-build-test.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
#This action test builds EMHASS Docker images, in each architecture.
name: "Test Building Docker Image"
on:
push:
branches: [master,testing]
pull_request:
branches: [master,testing]
workflow_dispatch:
permissions:
actions: read
security-events: write
contents: read
jobs:
build:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
platform:
[
{ target_arch: amd64, os_version: debian },
{ target_arch: aarch64, os_version: debian },
]
steps:
- name: Checkout the repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push by digest
id: build
uses: docker/build-push-action@v5
with:
context: .
platforms: ${{ matrix.platform.buildx }}
build-args: |
TARGETARCH=${{ matrix.platform.target_arch }}
os_version=${{ matrix.platform.os_version }}
load: true
- name: Test Image #Assume Docker fail with FileNotFound secrets_emhass.yaml error
run: docker run --rm -it ${{ steps.build.outputs.imageid }} | grep -q secrets_emhass.yaml && echo 0 || echo 1
# # Google OSV-Scanner
# # Extract Debian and Python packadge list stored in Image
# - name: Export Debian package list
# run: mkdir OSV && docker run --rm --entrypoint '/bin/cat' ${{ steps.build.outputs.imageid }} /var/lib/dpkg/status >> ./OSV/${{ matrix.platform.target_arch }}.status
# - name: Export Python package list
# run: docker run --rm --entrypoint '/bin/cat' ${{ steps.build.outputs.imageid }} uv.lock >> ./OSV/${{ matrix.platform.target_arch }}.lock
# - name: Upload package list as digest
# uses: actions/upload-artifact@v4
# with:
# name: ${{ matrix.platform.target_arch }}-packages
# path: ./OSV/*
# if-no-files-found: error
# retention-days: 1
# osv-scan:
# needs:
# - build
# strategy:
# fail-fast: false
# matrix:
# platform:
# [
# { target_arch: amd64 },
# { target_arch: aarch64 }
# ]
# # Check Docker image debian and python packages list for known vulnerabilities
# uses: "geoderp/osv-scanner-action/.github/workflows/[email protected]"
# with:
# download-artifact: "${{ matrix.platform.target_arch }}-packages"
# matrix-property: "${{ matrix.platform.target_arch }}-"
# fail-on-vuln: false
# scan-args: |-
# --lockfile=dpkg-status:./${{ matrix.platform.target_arch }}.status
# --lockfile=poetry.lock:./${{matrix.platform.target_arch }}.lock
# permissions:
# security-events: write
# contents: read
# actions: read