fix: remove hardcoded home paths (#4161) #5922
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # =============================================================== | |
| # Docker Security Scan Workflow | |
| # =============================================================== | |
| # | |
| # This workflow builds the container image locally and generates an SBOM | |
| # artifact for review: | |
| # 1. Build image locally (no push required) | |
| # 2. Generate SBOM with Syft | |
| # 3. Upload SBOM artifact | |
| # | |
| # Runs on both PRs and pushes to catch issues early. | |
| # | |
| # =============================================================== | |
| name: Docker Security Scan | |
| on: | |
| push: | |
| branches: ["main"] | |
| paths: | |
| - 'Containerfile' | |
| - 'Containerfile.lite' | |
| - 'crates/**' | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'a2a-agents/go/a2a-echo-agent/**' | |
| - 'mcp-servers/python/python_sandbox_server/docker/**' | |
| - 'docker-compose.yml' | |
| - 'docker-compose-embedded.yml' | |
| - 'docker-compose-verbose-logging.yml' | |
| - 'mcpgateway/**' | |
| - 'plugins/**' | |
| - 'pyproject.toml' | |
| - '.github/workflows/docker-scan.yml' | |
| pull_request: | |
| types: [opened, synchronize, ready_for_review] | |
| branches: ["main"] | |
| paths: | |
| - 'Containerfile' | |
| - 'Containerfile.lite' | |
| - 'crates/**' | |
| - 'Cargo.toml' | |
| - 'Cargo.lock' | |
| - 'a2a-agents/go/a2a-echo-agent/**' | |
| - 'mcp-servers/python/python_sandbox_server/docker/**' | |
| - 'docker-compose.yml' | |
| - 'docker-compose-embedded.yml' | |
| - 'docker-compose-verbose-logging.yml' | |
| - 'mcpgateway/**' | |
| - 'plugins/**' | |
| - 'pyproject.toml' | |
| - '.github/workflows/docker-scan.yml' | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| permissions: | |
| contents: read | |
| env: | |
| IMAGE_NAME: mcp-context-forge-scan | |
| jobs: | |
| container-smoke: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.draft | |
| name: Container Smoke (${{ matrix.name }}) | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - name: main | |
| context: . | |
| file: Containerfile | |
| tag: mcp-context-forge-main-smoke:scan | |
| - name: a2a-echo-agent | |
| context: a2a-agents/go/a2a-echo-agent | |
| file: a2a-agents/go/a2a-echo-agent/Dockerfile | |
| tag: mcp-context-forge-a2a-echo-agent:scan | |
| - name: python-sandbox | |
| context: mcp-servers/python/python_sandbox_server | |
| file: mcp-servers/python/python_sandbox_server/docker/Dockerfile.sandbox | |
| tag: mcp-context-forge-python-sandbox:scan | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Build container locally | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: ${{ matrix.context }} | |
| file: ${{ matrix.file }} | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: ${{ matrix.tag }} | |
| # --------------------------------------------------------------- | |
| # Build image and generate SBOM | |
| # --------------------------------------------------------------- | |
| scan: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.draft | |
| name: Security Scan | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Build image locally | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: . | |
| file: Containerfile.lite | |
| platforms: linux/amd64 | |
| push: false | |
| load: true | |
| tags: ${{ env.IMAGE_NAME }}:scan | |
| cache-from: type=gha,scope=scan-build-amd64 | |
| cache-to: type=gha,mode=max,scope=scan-build-amd64 | |
| - name: Generate SBOM (Syft) | |
| run: | | |
| docker run --rm \ | |
| -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v "${PWD}:/work" \ | |
| anchore/syft:v1.42.3 \ | |
| "docker:${IMAGE_NAME}:scan" -o spdx-json=/work/sbom.spdx.json | |
| - name: Upload SBOM | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4 | |
| with: | |
| name: sbom | |
| path: sbom.spdx.json | |
| retention-days: 30 | |
| rust-enabled-build: | |
| if: github.event_name != 'pull_request' || !github.event.pull_request.draft | |
| name: Rust-enabled container smoke | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 60 | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5 | |
| with: | |
| persist-credentials: false | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3 | |
| - name: Build Rust-enabled image locally | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6 | |
| with: | |
| context: . | |
| file: Containerfile.lite | |
| platforms: linux/amd64 | |
| push: false | |
| load: false | |
| build-args: | | |
| ENABLE_RUST=true | |
| cache-from: type=gha,scope=scan-build-rust-amd64 | |
| cache-to: type=gha,mode=max,scope=scan-build-rust-amd64 |