updates for security issues #87
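---
# Container build/publish pipeline for the fritzbox_exporter image.
#
# Flow on push: lint -> prepare (derive registry path + tag) -> build
# (multi-arch OCI archive, kept as a 1-day artifact) -> push (skopeo copy to
# ghcr.io) -> test (Trivy scan of the pushed image, SARIF to the Security tab).
#
# NOTE(review): the forge banner for this file warned about hidden or
# bidirectional Unicode characters. Such characters are invisible in a rendered
# view but change what the `run:` scripts actually execute (Trojan Source);
# check the raw bytes (e.g. `grep -nP '[^\x00-\x7F]'` on this file) before
# trusting the workflow.
name: Container

on:
  push:
    # Publish `main`/`master` as the Docker `latest` image.
    branches:
      - main
      - master
    # Publish every tag (e.g. `v1.2.3`, `5.0.x`) as its own image tag so the
    # release history is kept in the registry.
    tags:
      - '**'
  # Pull requests only run the Dockerfile lint: it needs no secrets and
  # publishes nothing. Every other job is gated on `push` below.
  pull_request:

# Least-privilege default for GITHUB_TOKEN. A job-level `permissions` block
# replaces (does not extend) this set, so jobs needing more list everything.
permissions:
  contents: read

env:
  BUILD_PLATFORM: |
    linux/arm/v6
    linux/arm/v7
    linux/arm64
    linux/amd64
  # Enable Docker BuildKit
  DOCKER_BUILDKIT: 1
  # Secondary image path (<repo>/<IMAGE_NAME>) pushed alongside the
  # repository-named image; also visible to `run:` steps as $IMAGE_NAME.
  IMAGE_NAME: fritzbox_exporter

jobs:
  # Dockerfile lint. Not gated on `push` on purpose: this is the one job a
  # PR-triggered run can execute safely (read-only token, no registry access).
  lint:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Lint Dockerfile
        uses: hadolint/hadolint-action@v3.0.0
        with:
          dockerfile: Dockerfile

  # Derive the registry path and image tag once; downstream jobs read the job
  # outputs. No checkout: nothing here reads the repository contents.
  prepare:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: lint
    # Map step outputs to job outputs.
    outputs:
      DOCKER_REPOSITORY: ${{ steps.tag_image.outputs.DOCKER_REPOSITORY }}
      DOCKER_TAG: ${{ steps.tag_image.outputs.DOCKER_TAG }}
    steps:
      - name: Tag Image
        id: tag_image
        # Context values go through `env` instead of being interpolated into
        # the script: `${{ }}` is substituted before bash parses the text, and
        # a ref name may legally contain shell metacharacters ($, ;, |, `...`).
        env:
          GH_REPOSITORY: ${{ github.repository }}
          GH_REF_NAME: ${{ github.ref_name }}
        run: |
          # ghcr.io requires a lowercase repository path.
          docker_repository="ghcr.io/$(printf '%s' "$GH_REPOSITORY" | tr '[:upper:]' '[:lower:]')"
          # Default branches follow the Docker `latest` convention; any other
          # ref (tag or branch) is used verbatim as the image tag.
          case "$GH_REF_NAME" in
            main|master) docker_tag=latest ;;
            *)           docker_tag="$GH_REF_NAME" ;;
          esac
          echo "DOCKER_REPOSITORY=${docker_repository}"
          echo "DOCKER_TAG=${docker_tag}"
          {
            echo "DOCKER_REPOSITORY=${docker_repository}"
            echo "DOCKER_TAG=${docker_tag}"
          } >> "$GITHUB_OUTPUT"

  # Build the multi-arch image and export it as an OCI archive artifact. The
  # image is NOT pushed here: publishing happens in a separate job that is the
  # only one holding a `packages: write` token.
  # See also https://docs.docker.com/docker-hub/builds/
  build:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Image and Export
        uses: docker/build-push-action@v6
        with:
          build-args: REPO=${{ github.repository }}
          context: .
          # Prefer this ref's layer cache, fall back to main's.
          cache-from: |
            type=gha,scope=build-${{ github.ref_name }}
            type=gha,scope=build-main
          cache-to: type=gha,mode=max,scope=build-${{ github.ref_name }}
          file: Dockerfile
          platforms: ${{ env.BUILD_PLATFORM }}
          outputs: type=oci,dest=/tmp/image.tar
          target: runtime-image
      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: docker-image
          path: /tmp/image.tar
          retention-days: 1

  # Load the OCI archive from the artifact and copy it to every destination
  # reference with skopeo.
  push:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare, build]
    permissions:
      contents: read
      packages: write  # push to ghcr.io with GITHUB_TOKEN
    steps:
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: docker-image
          path: /tmp
      - name: Install skopeo
        run: |
          sudo apt-get update
          sudo apt-get install -y skopeo
      - name: Log into registry
        # The token is read from the environment (masked in logs, never part
        # of the script text); GITHUB_ACTOR is a runner-provided variable.
        env:
          REGISTRY_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: printf '%s' "$REGISTRY_TOKEN" | skopeo login ghcr.io -u "$GITHUB_ACTOR" --password-stdin
      - name: Push OCI image to registry
        env:
          DOCKER_REPOSITORY: ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}
          DOCKER_TAG: ${{ needs.prepare.outputs.DOCKER_TAG }}
        run: |
          # Same image under the repository path and under <repo>/$IMAGE_NAME,
          # each tagged with the ref-derived tag and with the commit SHA.
          for dest in \
            "${DOCKER_REPOSITORY}:${DOCKER_TAG}" \
            "${DOCKER_REPOSITORY}:${GITHUB_SHA}" \
            "${DOCKER_REPOSITORY}/${IMAGE_NAME}:${DOCKER_TAG}" \
            "${DOCKER_REPOSITORY}/${IMAGE_NAME}:${GITHUB_SHA}"; do
            # --all copies every platform manifest, not only the runner's arch.
            skopeo copy --all oci-archive:/tmp/image.tar "docker://${dest}"
          done
      - name: Inspect image
        env:
          DOCKER_REPOSITORY: ${{ needs.prepare.outputs.DOCKER_REPOSITORY }}
          DOCKER_TAG: ${{ needs.prepare.outputs.DOCKER_TAG }}
        # skopeo reuses the login above; `docker buildx imagetools` would not
        # see those credentials and only works while the package is public.
        run: |
          skopeo inspect --raw "docker://${DOCKER_REPOSITORY}:${DOCKER_TAG}"
          skopeo inspect --raw "docker://${DOCKER_REPOSITORY}:${GITHUB_SHA}"

  # Vulnerability scan of the pushed image. This runs *after* publication
  # (needs: push), so it reports on an image that is already in the registry
  # rather than gating it, and trivy-action's default exit-code is 0 so findings
  # do not fail the run. To gate, scan the OCI archive in the build job
  # (trivy-action `input:`) with a non-zero `exit-code` before the push job.
  test:
    runs-on: ubuntu-latest
    if: github.event_name == 'push'
    needs: [prepare, push]
    permissions:
      contents: read
      security-events: write  # upload SARIF to the Security tab
      actions: read           # needed by upload-sarif on private repositories
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Run Trivy vulnerability scanner
        # TODO(security): `@master` is a mutable ref, so the scanner code run
        # here can change between runs without any change to this repository.
        # Pin to a release tag or, better, a full commit SHA.
        uses: aquasecurity/trivy-action@master
        with:
          # Pulled without registry credentials: works while the package is
          # public; a private package would also need a login for Trivy.
          image-ref: "${{ needs.prepare.outputs.DOCKER_REPOSITORY }}:${{ github.sha }}"
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'MEDIUM,HIGH,CRITICAL'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        # Upload even when the scan step failed so partial results are kept.
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'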