mconf-ci-jobs/.github/workflows/lb-push-scan-image.yml at c027ab7a24ae2e83a7ad9e73023406ce7b324758 · mconf/mconf-ci-jobs · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
name: Push new tag

on:
  workflow_dispatch:
  workflow_call:

permissions:
  contents: read

jobs:
  build-push-scan:
    name: Build, Push and Scan Docker
    runs-on: [self-hosted, ubuntu-22.04]
    timeout-minutes: 30
    steps:
      - name: Check out Source Repository
        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: daileon
          password: ${{ secrets.REGISTRY_ACCESS_TOKEN }}

      - name: Calculate Docker Tag
        id: tag
        run: |
          if [ "${{ github.event_name }}" == "pull_request" ]; then
          # Replace / with - to avoid conflict
            TAG=$(echo "${{ github.head_ref }}" | sed 's/\//-/g')
          else
            TAG="${{github.ref_name}}"
          fi
          echo "IMAGE=${{github.repository}}:$TAG" >> "$GITHUB_OUTPUT"

      - name: Generate Docker Metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ steps.tag.outputs.IMAGE }}

      - name: Install SSH Agent
        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        run: sudo apt-get update && sudo apt-get install -y openssh-client

      - name: Configure Git to Access Private Modules
        if: ${{ secrets.SSH_PRIVATE_KEY != '' }}
        uses: webfactory/ssh-agent@v0.8.0
        with:
          ssh-private-key: ${{ secrets.SSH_PRIVATE_KEY }}

      - name: Build and Push Docker Image
        uses: docker/build-push-action@v6
        with:
          ssh: ${{ env.SSH_AUTH_SOCK != '' && format('default={0}', env.SSH_AUTH_SOCK) || '' }}
          push: ${{ startsWith(github.ref, 'refs/tags/') }}
          load: true
          tags: ${{ steps.tag.outputs.IMAGE }}
          context: .
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          labels: |
            ${{ steps.meta.outputs.labels }}

      - name: Generate Unique Identifier
        id: generate-uuid
        run: echo "UUID=$(cat /proc/sys/kernel/random/uuid)" >> "$GITHUB_ENV"

      - name: Run Trivy on Docker Image
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ steps.tag.outputs.IMAGE }}
          ignore-unfixed: true
          format: "json"
          output: "/tmp/${{ env.UUID }}.json"
          severity: "CRITICAL,HIGH"

      - name: Upload Trivy results to Trivy Explorer
        id: upload_trivy
        run: |
          RESPONSE=$(curl -s -H "Content-Type: application/json" -H "Authorization: ${{secrets.TRIVY_EXPLORER_AUTH_TOKEN}}" --data "@/tmp/${{ env.UUID }}.json" ${{secrets.TRIVY_EXPLORER_URL}})
          echo "Response: $RESPONSE"
          REPORT_URL=$(echo "$RESPONSE" | jq -r '.url')
          echo "report_url=$REPORT_URL" >> "$GITHUB_OUTPUT"

      - name: Add Report Link to Job Summary
        run: |
          echo "Trivy Scan Report" >> "$GITHUB_STEP_SUMMARY"
          echo "A new security scan report has been generated. You can view it here:" >> "$GITHUB_STEP_SUMMARY"
          echo "[View Detailed Report](${{ steps.upload_trivy.outputs.report_url }})" >> "$GITHUB_STEP_SUMMARY"