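# CI for dev-* branches: secrets scan -> staticcheck -> gosec -> Go build per
# OS/arch -> checksum verification -> Docker image per arch -> Trivy scan and
# SBOM -> push per-arch images to GHCR -> multi-arch manifest.
#
# NOTE(review): every third-party action is referenced by a mutable tag
# (@v2..@v5) and both Go tools by @latest. For a reproducible, tamper-resistant
# pipeline, pin actions to a full commit SHA
# (uses: owner/action@<40-hex-commit-sha>  # vN) and tools to an explicit
# version instead of @latest.
name: Dev Branch Build Multi-Arch

on:
  push:
    branches:
      - 'dev-*.*.*'

# Least privilege for the automatic GITHUB_TOKEN: nothing in this workflow
# writes to the repository through it (GHCR pushes authenticate with the
# GH_CR secret below).
permissions:
  contents: read

jobs:
  # Derives a version string from the branch name (dev-X.Y.Z -> X.Y.Z).
  # NOTE(review): stage-2d/2e list this job in `needs` but never read
  # needs.extract-version.outputs.version; images are tagged "dev" only.
  extract-version:
    runs-on: ubuntu-latest
    outputs:
      version: ${{ steps.get-version.outputs.version }}
    steps:
      - name: Extract version from branch name
        id: get-version
        run: |
          BRANCH_NAME="${GITHUB_REF#refs/heads/}"
          VERSION="${BRANCH_NAME#dev-}"
          echo "version=${VERSION}" >> "$GITHUB_OUTPUT"

  # Full-history scan for committed secrets. Every later stage depends
  # (transitively) on this job, so a failing scan blocks the whole pipeline.
  stage-1a-secrets-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # full history, not just HEAD, so old commits are scanned
      - name: Run Gitleaks
        uses: gitleaks/gitleaks-action@v2
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

  # Static analysis of ./src; any staticcheck output fails the job.
  stage-1b-staticcheck:
    needs: stage-1a-secrets-scan
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22.5'
      - name: Install staticcheck
        run: |
          go install honnef.co/go/tools/cmd/staticcheck@latest
          echo "Staticcheck version:"
          staticcheck --version
      - name: List Go files
        run: |
          echo "Go files in the ./src directory:"
          find ./src -name "*.go"
      - name: Run staticcheck
        run: |
          echo "Running staticcheck on ./src..."
          # Capture all output (including staticcheck's own errors) and decide
          # below: a non-empty results file fails the job.
          staticcheck -f text ./src/... > staticcheck_results.txt 2>&1 || true
          echo "Staticcheck complete. Results:"
          cat staticcheck_results.txt
          if [ -s staticcheck_results.txt ]; then
            echo "Staticcheck found issues. Please review the output above."
            exit 1
          else
            echo "No issues found by staticcheck."
          fi
      - name: Check Go environment
        if: ${{ failure() }}
        run: |
          echo "Go version:"
          go version
          echo "Go environment:"
          go env
      - name: Upload staticcheck results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: staticcheck-results
          path: staticcheck_results.txt

  # Go security linter. Findings are reported and uploaded; see the
  # NOTE(review) in the display step about gating.
  stage-1c-gosec:
    needs: stage-1b-staticcheck
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22.5'
      - name: Install gosec
        run: go install github.com/securego/gosec/v2/cmd/gosec@latest
      - name: Run gosec
        run: |
          # The exit status is ignored here so the JSON report is still
          # written, displayed and uploaded even when gosec reports findings.
          gosec -fmt=json -out=gosec-results.json ./src/... || true
          echo "Gosec execution completed"
      - name: Display gosec results
        run: |
          echo "Gosec results:"
          if [ -f gosec-results.json ]; then
            cat gosec-results.json
            # NOTE(review): unlike staticcheck above, findings only print a
            # message and never fail the job, so they do not gate the build
            # or the later image push. Add `exit 1` in the found-branch to
            # make this stage a real gate.
            if jq -e '.Issues | length > 0' gosec-results.json > /dev/null; then
              echo "Gosec found security issues. Please review the results."
            else
              echo "No security issues found by gosec."
            fi
          else
            echo "gosec-results.json file not found. Gosec may have failed to run properly."
            exit 1
          fi
      - name: List directory contents
        run: ls -la
      - name: Upload gosec results
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: gosec-results
          path: gosec-results.json

  # Cross-compiles the binary for linux/{amd64,arm64} and darwin/arm64 and
  # publishes each binary with a SHA256 checksum as an artifact.
  stage-1d-build-go-binary:
    needs: [stage-1b-staticcheck, stage-1c-gosec]
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        arch: [amd64, arm64]
        exclude:
          - os: macos-latest
            arch: amd64
    runs-on: ${{ matrix.os }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up Go
        uses: actions/setup-go@v5
        with:
          go-version: '1.22.5'
      - name: Build Go binary
        env:
          GOOS: ${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}
          GOARCH: ${{ matrix.arch }}
        run: |
          # Output name mirrors the target (inframon-<GOOS>-<GOARCH>), which
          # the checksum, artifact and Docker stages below rely on.
          go build -o "inframon-${GOOS}-${GOARCH}" ./src
      - name: Generate SHA256 checksum
        run: |
          BIN="inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}"
          # macOS runners ship shasum rather than coreutils sha256sum.
          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
            sha256sum "$BIN" > "$BIN.sha256"
          else
            shasum -a 256 "$BIN" > "$BIN.sha256"
          fi
          echo "SHA256 checksum for $BIN:"
          cat "$BIN.sha256"
      - name: Upload binary and checksum as artifacts
        uses: actions/upload-artifact@v4
        with:
          name: inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}
          path: |
            inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}
            inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}.sha256

  # Re-downloads each artifact and verifies it against its checksum. Both
  # files come from the same artifact, so this catches transfer corruption,
  # not tampering by anything able to rewrite the artifact itself.
  stage-2a-validate-checksum:
    needs: stage-1d-build-go-binary
    strategy:
      matrix:
        os: [ubuntu-latest, macos-latest]
        arch: [amd64, arm64]
        exclude:
          - os: macos-latest
            arch: amd64
    runs-on: ${{ matrix.os }}
    steps:
      - name: Download binary and checksum
        uses: actions/download-artifact@v4
        with:
          name: inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}
      - name: Validate checksum
        run: |
          echo "Validating checksum for inframon-${{ matrix.os == 'ubuntu-latest' && 'linux' || 'darwin' }}-${{ matrix.arch }}"
          if [ "${{ matrix.os }}" == "ubuntu-latest" ]; then
            sha256sum -c "inframon-linux-${{ matrix.arch }}.sha256"
          else
            shasum -a 256 -c "inframon-darwin-${{ matrix.arch }}.sha256"
          fi

  # Builds a linux image per arch from the prebuilt binary (Dockerfile takes
  # the BINARY build-arg) and stores it as a tarball artifact.
  stage-2b-package-docker-image:
    needs: stage-2a-validate-checksum
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Download binary
        uses: actions/download-artifact@v4
        with:
          name: inframon-linux-${{ matrix.arch }}
      - name: Build Docker image
        run: |
          docker buildx build --platform linux/${{ matrix.arch }} \
            -t inframon:dev-${{ matrix.arch }} \
            --build-arg BINARY=inframon-linux-${{ matrix.arch }} \
            --load .
      - name: Save Docker image
        run: |
          docker save inframon:dev-${{ matrix.arch }} > inframon-dev-${{ matrix.arch }}.tar
      - name: Upload Docker image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image-${{ matrix.arch }}
          path: inframon-dev-${{ matrix.arch }}.tar

  # Vulnerability scan and SBOM for each image tarball.
  stage-2c-security-scan:
    needs: stage-2b-package-docker-image
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: ubuntu-latest
    steps:
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image-${{ matrix.arch }}
      - name: Load Docker image
        run: |
          docker load < inframon-dev-${{ matrix.arch }}.tar
      - name: Verify image exists
        run: |
          docker image ls
      - name: Install Trivy
        run: |
          # -y keeps apt from prompting (and aborting) in a non-interactive job.
          sudo apt-get install -y wget apt-transport-https gnupg lsb-release
          # Use a dedicated keyring with signed-by instead of the deprecated
          # apt-key, so the Trivy key is trusted for this repository only.
          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key \
            | gpg --dearmor | sudo tee /usr/share/keyrings/trivy.gpg > /dev/null
          echo "deb [signed-by=/usr/share/keyrings/trivy.gpg] https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" \
            | sudo tee /etc/apt/sources.list.d/trivy.list
          sudo apt-get update
          sudo apt-get install -y trivy
      - name: Run Trivy vulnerability scanner
        run: |
          mkdir -p scan_results
          # NOTE(review): --exit-code 0 means HIGH/CRITICAL findings never fail
          # this job, so stage-2d-push-images runs regardless of the result.
          # Use --exit-code 1 (optionally with --ignore-unfixed) to gate the push.
          trivy image --exit-code 0 --severity HIGH,CRITICAL --format table \
            --output scan_results/trivy-results-${{ matrix.arch }}.txt \
            inframon:dev-${{ matrix.arch }}
          echo "Vulnerabilities found for ${{ matrix.arch }}:"
          cat scan_results/trivy-results-${{ matrix.arch }}.txt
      - name: Generate SBOM
        run: |
          mkdir -p sbom_reports
          # --format cyclonedx emits a real SBOM; Trivy's "json" format is its
          # vulnerability report, not a bill of materials.
          trivy image --format cyclonedx \
            --output sbom_reports/sbom-${{ matrix.arch }}.json \
            inframon:dev-${{ matrix.arch }}
      - name: Upload scan results and SBOM
        uses: actions/upload-artifact@v4
        with:
          name: security-scan-results-${{ matrix.arch }}
          path: |
            scan_results/trivy-results-${{ matrix.arch }}.txt
            sbom_reports/sbom-${{ matrix.arch }}.json

  # Pushes the per-arch images to GHCR under the repository owner.
  stage-2d-push-images:
    needs: [stage-2c-security-scan, extract-version]
    strategy:
      matrix:
        arch: [amd64, arm64]
    runs-on: ubuntu-latest
    steps:
      - name: Download Docker image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image-${{ matrix.arch }}
      - name: Load Docker image
        run: |
          docker load < inframon-dev-${{ matrix.arch }}.tar
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          # NOTE(review): GH_CR is a stored credential; if the package lives
          # under this repository, the job-scoped GITHUB_TOKEN with
          # `packages: write` would avoid a long-lived secret — verify.
          password: ${{ secrets.GH_CR }}
      - name: Tag and push Docker image
        run: |
          docker tag inframon:dev-${{ matrix.arch }} ghcr.io/${{ github.repository_owner }}/inframon:dev-${{ matrix.arch }}
          docker push ghcr.io/${{ github.repository_owner }}/inframon:dev-${{ matrix.arch }}

  # Combines the pushed per-arch images into the multi-arch "dev" tag.
  stage-2e-create-multiarch-manifest:
    needs: [stage-2d-push-images, extract-version]
    runs-on: ubuntu-latest
    steps:
      - name: Log in to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GH_CR }}
      - name: Create and push multi-arch manifest
        run: |
          docker manifest create ghcr.io/${{ github.repository_owner }}/inframon:dev \
            ghcr.io/${{ github.repository_owner }}/inframon:dev-amd64 \
            ghcr.io/${{ github.repository_owner }}/inframon:dev-arm64
          docker manifest push ghcr.io/${{ github.repository_owner }}/inframon:dev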