[DMS-92] Basic eTag creation (#381) #80
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: On Config Pull Request - Dockerfile | |
| on: | |
| push: | |
| branches: | |
| - main | |
| pull_request: | |
| branches: | |
| - main | |
| paths: | |
| - "src/config/Dockerfile" | |
| - ".github/workflows/on-config-pullrequest-dockerfile.yml" | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| DOCKER_USERNAME: ${{ vars.DOCKER_USERNAME }} | |
| DOCKER_HUB_TOKEN: ${{ secrets.DOCKER_HUB_TOKEN }} | |
| permissions: read-all | |
| jobs: | |
| docker-analysis: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| pull-requests: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| dockerfile: | |
| [ | |
| { name: "dms-config", path: "src/config/Dockerfile" } | |
| ] | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
| name: Run Linter on ${{ matrix.dockerfile.name }} Dockerfile | |
| with: | |
| dockerfile: ${{ matrix.dockerfile.path }} | |
| failure-threshold: error | |
| # DL3022 warning: `COPY --from` should reference a previously defined `FROM` alias | |
| # ... this rule does not work well when the "from" is an additional _context_. | |
| ignore: DL-3022 | |
| - name: Log in to Docker Hub | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| username: ${{ env.DOCKER_USERNAME }} | |
| password: ${{ env.DOCKER_HUB_TOKEN }} | |
| - name: Build | |
| run: | | |
| path=${{matrix.dockerfile.path}} | |
| folder=${path%/*} | |
| cd $folder | |
| dockerfile=$(echo ${{matrix.dockerfile.path}} | awk -F"/" '{print $NF}') | |
| docker buildx build -f $dockerfile -t ${{ matrix.dockerfile.name }} . --build-context parentdir=../ | |
| - name: Analyze | |
| uses: docker/scout-action@67eb1afe777307506aaecb9acd9a0e0389cb99ae # v1.5.0 | |
| with: | |
| command: cves | |
| image: local://${{ matrix.dockerfile.name }} | |
| sarif-file: sarif-${{ matrix.dockerfile.name }}.output.json | |
| - name: Results | |
| run: | | |
| results=$(cat sarif-${{ matrix.dockerfile.name }}.output.json) | |
| errors=$(echo $results | jq '[.runs[].results[] | select(.level == "error")] | length') | |
| warnings=$(echo $results | jq '[.runs[].results[] | select(.level == "warning")] | length') | |
| notes=$(echo $results | jq '[.runs[].results[] | select(.level == "note")] | length') | |
| if [[ $errors -gt 0 ]] | |
| then | |
| echo "::warning::There are $errors issues, see sarif file for details" | |
| fi | |
| # - name: Upload SARIF result into Security tab | |
| # if: always() | |
| # id: upload-sarif | |
| # uses: github/codeql-action/upload-sarif@cf7e9f23492505046de9a37830c3711dd0f25bb3 #codeql-bundle-v2.16.2 | |
| # with: | |
| # sarif_file: sarif-${{ matrix.dockerfile.name }}.output.json | |
| # This sarif file sometimes does not upload correctly. Upload directly | |
| # into the job output. Mild concern: making security analysis publicly | |
| # visible. But, anyone with a Docker Hub account could run this same | |
| # analysis, so not doing this would be security through obscurity. | |
| - name: Upload Sarif File as Artifact | |
| if: always() | |
| uses: actions/upload-artifact@26f96dfa697d77e81fd5907df203aa23a56210a8 # v4.3.0 | |
| with: | |
| name: Docker Scout analysis | |
| overwrite: true | |
| path: sarif-${{ matrix.dockerfile.name }}.output.json |