[CONFIG] [Gihub Actions] Docker running in splitted jobs.

Gonzalo Diaz · Gonzalo Diaz · commit a08b5ea48cc6 · 2024-07-09T17:34:36.000-04:00
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
@@ -12,27 +12,11 @@ env:
   IMAGE_NAME: algorithm-exercises-js
 
 jobs:
-
-  build:
-    name: "Build & Test in Docker"
-
+  security:
+    name: "Snyk Container"
     runs-on: ubuntu-latest
-
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
-      - name: Build the Docker image
-        run: make compose/rebuild
-      - name: Lint in Docker image
-        run: make compose/lint
-      - name: Test in Docker image
-        run: make compose/test
-      - name: Run in Docker image
-        run: make compose/run
-      - name: Tag Docker image
-        run: >
-          docker tag
-          ${{ env.IMAGE_NAME }}:latest
-          ${{ env.IMAGE_NAME }}:${{ github.sha }}
 
       - name: Run Snyk to check Docker image for vulnerabilities
         # Snyk can be used to break the build when it detects vulnerabilities.
@@ -49,9 +33,122 @@ jobs:
         with:
           image: ${{ env.IMAGE_NAME }}:${{ github.sha }}
           args: --file=Dockerfile
-        # yamllint disable rule:comments-indentation
-        # - name: Upload result to GitHub Code Scanning
-        #   uses: github/codeql-action/upload-sarif@v2
-        #   with:
-        #     sarif_file: snyk.sarif
-        # yamllint enable rule:comments-indentation
+
+  build:
+    name: "Build & Test in Docker"
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
+
+      # - name: Build the Docker image
+      #   run: make compose/rebuild
+      # - name: Image List
+      #   run: docker image ls -a
+      # - name: Lint in Docker image
+      #   run: make compose/lint
+      # - name: Test in Docker image
+      #   run: make compose/test
+      # - name: Run in Docker image
+      #   run: make compose/run
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: "LINT: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: lint
+          outputs: |
+            type=docker,dest=/tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_lint.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:lint
+      - name: "LINT: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}_${{ github.sha }}_lint
+          path: /tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_lint.tar
+
+      - name: "TEST: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: testing
+          outputs: |
+            type=docker,dest=/tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_test.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:test
+      - name: "TEST: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}_${{ github.sha }}_test
+          path: /tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_test.tar
+
+      - name: "PRODUCTION: Build and push"
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          target: production
+          outputs: |
+            type=docker,dest=/tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_prod.tar
+          tags: |
+            ${{ env.IMAGE_NAME }}:latest
+            ${{ env.IMAGE_NAME }}:${{ github.sha }}
+      - name: "PRODUCTION: Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}_${{ github.sha }}_prod
+          path: /tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_prod.tar
+
+  lint:
+    name: "Run in docker: LINT"
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}_${{ github.sha }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_prod.tar
+          docker image ls -a
+
+      - name: Run lint
+        run: |
+          make compose/lint
+
+  scan:
+    name: "Trivy"
+    runs-on: ubuntu-latest
+    needs: build
+    steps:
+      - name: Download artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: ${{ env.IMAGE_NAME }}_${{ github.sha }}_prod
+          path: /tmp/
+
+      - name: Load image
+        run: |
+          docker load --input /tmp/${{ env.IMAGE_NAME }}_${{ github.sha }}_prod.tar
+          docker image ls -a
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.20.0
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ github.sha }}
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          vuln-type: 'os,library'
+          severity: 'CRITICAL,HIGH'
+
+      # yamllint disable rule:comments-indentation
+      # - name: Upload Trivy scan results to GitHub Security tab
+      #   uses: github/codeql-action/upload-sarif@v2
+      #   with:
+      #     sarif_file: 'trivy-results.sarif'
+      # yamllint enable rule:comments-indentation
