@@ -8,30 +8,127 @@ on: # yamllint disable-line rule:truthy
88 pull_request :
99 branches : ["main"]
1010
11- permissions : read-all
11+ env :
12+ IMAGE_NAME : algorithm-exercises-java
13+ ARTIFACT_NAME : algorithm-exercises-java_${{ github.sha }}
1214
1315jobs :
1416
1517 build :
16- name : Build & Test in Docker
18+ name : " Build Docker images"
19+ runs-on : ubuntu-latest
20+ steps :
21+ - uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
22+
23+ - name : Set up Docker Buildx
24+ uses : docker/setup-buildx-action@v3
25+
26+ - name : " LINT: Build and push"
27+ uses : docker/build-push-action@v6
28+ with :
29+ context : .
30+ target : lint
31+ outputs : |
32+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_lint.tar
33+ tags : |
34+ ${{ env.IMAGE_NAME }}:lint
35+ name : " LINT: Upload artifact"
36+ uses : actions/upload-artifact@v4
37+ with :
38+ name : ${{ env.ARTIFACT_NAME }}_lint
39+ path : /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
40+
41+ - name : " TEST: Build and push"
42+ uses : docker/build-push-action@v6
43+ with :
44+ context : .
45+ target : testing
46+ outputs : |
47+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_test.tar
48+ tags : |
49+ ${{ env.IMAGE_NAME }}:test
50+ name : " TEST: Upload artifact"
51+ uses : actions/upload-artifact@v4
52+ with :
53+ name : ${{ env.ARTIFACT_NAME }}_test
54+ path : /tmp/${{ env.ARTIFACT_NAME }}_test.tar
1755
56+ - name : " PRODUCTION: Build and push"
57+ uses : docker/build-push-action@v6
58+ with :
59+ context : .
60+ target : production
61+ outputs : |
62+ type=docker,dest=/tmp/${{ env.ARTIFACT_NAME }}_prod.tar
63+ tags : |
64+ ${{ env.IMAGE_NAME }}:latest
65+ ${{ env.IMAGE_NAME }}:${{ github.sha }}
66+ name : " PRODUCTION: Upload artifact"
67+ uses : actions/upload-artifact@v4
68+ with :
69+ name : ${{ env.ARTIFACT_NAME }}_prod
70+ path : /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
71+
72+ lint :
73+ name : " Run in docker: LINT"
1874 runs-on : ubuntu-latest
75+ needs : build
76+ steps :
77+ - name : Download artifact
78+ uses : actions/download-artifact@v4
79+ with :
80+ name : ${{ env.ARTIFACT_NAME }}_lint
81+ path : /tmp/
82+
83+ - name : Load image
84+ run : |
85+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_lint.tar
86+ docker image ls -a
1987
88+ name : Run lint
89+ run : |
90+ docker run --rm ${{ env.IMAGE_NAME }}:lint make lint
91+
92+ test :
93+ name : " Run in docker: TEST"
94+ runs-on : ubuntu-latest
95+ needs : build
96+ steps :
97+ - name : Download artifact
98+ uses : actions/download-artifact@v4
99+ with :
100+ name : ${{ env.ARTIFACT_NAME }}_test
101+ path : /tmp/
102+
103+ - name : Load image
104+ run : |
105+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_test.tar
106+ docker image ls -a
107+
108+ name : Run test
109+ run : |
110+ docker run --rm ${{ env.IMAGE_NAME }}:test make test
111+
112+ security :
113+ name : " Snyk Container"
114+ runs-on : ubuntu-latest
115+ needs : build
116+ permissions :
117+ actions : read
118+ contents : read
119+ security-events : write
20120 steps :
21121 - uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
22- - name : Build the Docker image
23- run : make compose/rebuild
24- - name : Lint in Docker image
25- run : make compose/lint
26- - name : Test in Docker image
27- run : make compose/test
28- - name : Run in Docker image
29- run : make compose/run
30- - name : Tag Docker image
31- run : >
32- docker tag
33- algorithm-exercises-java:latest
34- algorithm-exercises-java:${{ github.sha }}
122+ - name : Download artifact
123+ uses : actions/download-artifact@v4
124+ with :
125+ name : ${{ env.ARTIFACT_NAME }}_prod
126+ path : /tmp/
127+
128+ - name : Load image
129+ run : |
130+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
131+ docker image ls -a
35132
36133name : Run Snyk to check Docker image for vulnerabilities
37134 # Snyk can be used to break the build when it detects vulnerabilities.
@@ -46,11 +143,47 @@ jobs:
46143 # yamllint enable rule:line-length
47144 SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
48145 with :
49- image : algorithm-exercises-java:latest
146+ image : ${{ env.IMAGE_NAME }}:${{ github.sha }}
50147 args : --file=Dockerfile
51- # yamllint disable rule:comments-indentation
52- # - name: Upload result to GitHub Code Scanning
53- # uses: github/codeql-action/upload-sarif@v2
54- # with:
55- # sarif_file: snyk.sarif
56- # yamllint enable rule:comments-indentation
148+ # yamllint disable rule:line-length
149+ # https://github.com/github/codeql-action/issues/2187#issuecomment-2043220400
150+ - name : Replace security-severity undefined for license-related findings
151+ run : |
152+ sed -i 's/"security-severity": "undefined"/"security-severity": "0"/g' snyk.sarif
153+ sed -i 's/"security-severity": "null"/"security-severity": "0"/g' snyk.sarif
154+ # yamllint enable rule:line-length
155+ - name : Upload result to GitHub Code Scanning
156+ uses : github/codeql-action/upload-sarif@v3
157+ with :
158+ sarif_file : ' snyk.sarif'
159+ scan :
160+ name : " Trivy"
161+ runs-on : ubuntu-latest
162+ needs : build
163+ permissions :
164+ actions : read
165+ contents : read
166+ security-events : write
167+ steps :
168+ - name : Download artifact
169+ uses : actions/download-artifact@v4
170+ with :
171+ name : ${{ env.ARTIFACT_NAME }}_prod
172+ path : /tmp/
173+
174+ - name : Load image
175+ run : |
176+ docker load --input /tmp/${{ env.ARTIFACT_NAME }}_prod.tar
177+ docker image ls -a
178+
179+ name : Run Trivy vulnerability scanner
180+ uses :
aquasecurity/[email protected] 181+ with :
182+ image-ref : ${{ env.IMAGE_NAME }}:${{ github.sha }}
183+ format : ' sarif'
184+ output : ' trivy-results.sarif'
185+
186+ - name : Upload Trivy scan results to GitHub Security tab
187+ uses : github/codeql-action/upload-sarif@v3
188+ with :
189+ sarif_file : ' trivy-results.sarif'
0 commit comments