javascript.gr/.github/workflows/main.yml at master · adreaskar/javascript.gr · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
name: GitHub Action for CI/CD

on:
    push:
        branches: ['master']

jobs:
    # First Job: Build a test image ===========================================
    build-test-image:
        name: Build an image for testing
        runs-on: ubuntu-latest

        permissions:
            packages: write

        steps:
            - name: Checkout git repo
              uses: actions/checkout@v6
              with:
                  fetch-depth: 0

            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3

            - name: Login to Docker Hub
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKERHUB_USERNAME }}
                  password: ${{ secrets.DOCKERHUB_TOKEN }}

            - name: Login to ghcr.io registry
              uses: docker/login-action@v3
              with:
                  registry: ghcr.io
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

            - name: Build and Push to GHCR
              uses: docker/build-push-action@v6
              with:
                  push: true
                  tags: ghcr.io/adreaskar/javascriptgr:${{ github.run_id }}
                  cache-from: type=gha
                  cache-to: type=gha,mode=max
                  platforms: linux/amd64

    # Second Job: Unit Testing ================================================
    unit-testing:
        name: Unit tests in docker container
        needs: [build-test-image]
        runs-on: ubuntu-latest

        permissions:
            packages: read

        steps:
            - name: Login to ghcr.io registry
              uses: docker/login-action@v3
              with:
                  registry: ghcr.io
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

            - name: Unit Testing in container
              run: |
                  docker run --rm ghcr.io/adreaskar/javascriptgr:${{ github.run_id }} /bin/sh -c "test -d /opt/docusaurus/build && echo 'SUCCESS: Build folder found'"

    # Third Job: San for image vunerabilities =================================
    scan-image:
        name: Scan image with Trivy
        needs: [build-test-image]
        runs-on: ubuntu-latest

        permissions:
            contents: read # for actions/checkout to fetch code
            packages: read # needed to pull docker image to ghcr.io
            security-events: write # for github/codeql-action/upload-sarif to upload SARIF results

        steps:
            - name: Checkout git repo
              uses: actions/checkout@v6

            - name: Login to Docker Hub
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKERHUB_USERNAME }}
                  password: ${{ secrets.DOCKERHUB_TOKEN }}

            - name: Login to ghcr.io registry
              uses: docker/login-action@v3
              with:
                  registry: ghcr.io
                  username: ${{ github.actor }}
                  password: ${{ secrets.GITHUB_TOKEN }}

            - name: Pull image to scan
              run: docker pull ghcr.io/adreaskar/javascriptgr:"$GITHUB_RUN_ID"

            - name: Run Trivy for all CVEs (non-blocking)
              uses: aquasecurity/trivy-action@master
              with:
                  image-ref: ghcr.io/adreaskar/javascriptgr:${{ github.run_id }}
                  exit-code: 0
                  format: 'sarif'
                  output: 'trivy-results.sarif'
                  ignore-unfixed: true
                  vuln-type: 'os,library'

            # - name: Run Trivy for HIGH,CRITICAL CVEs and report (blocking)
            #   uses: aquasecurity/trivy-action@master
            #   with:
            #       image-ref: ghcr.io/adreaskar/javascriptgr:${{ github.run_id }}
            #       exit-code: 1
            #       ignore-unfixed: true
            #       vuln-type: 'os,library'
            #       severity: 'HIGH,CRITICAL'
            #       format: 'sarif'
            #       output: 'trivy-results.sarif'

            - name: Upload Trivy scan results to GitHub Security tab
              uses: github/codeql-action/upload-sarif@v4
              if: always()
              with:
                  sarif_file: 'trivy-results.sarif'

    # Final Job: Build final image ============================================
    build-final-image:
        name: Build final docker image
        needs: [unit-testing, scan-image]
        runs-on: ubuntu-latest

        permissions:
            packages: write # needed to push docker image to ghcr.io
            pull-requests: write # needed to create and update comments in PRs

        steps:
            - name: Checkout git repo
              uses: actions/checkout@v6
              with:
                  fetch-depth: 0

            - name: Set up Docker Buildx
              uses: docker/setup-buildx-action@v3

            - name: Login to Docker Hub
              uses: docker/login-action@v3
              with:
                  username: ${{ secrets.DOCKERHUB_USERNAME }}
                  password: ${{ secrets.DOCKERHUB_TOKEN }}

            - name: Build and push to dockerhub
              uses: docker/build-push-action@v5
              with:
                  context: .
                  push: true
                  tags: adreaskar/javascriptgr:latest
                  cache-from: type=gha
                  cache-to: type=gha,mode=max