-
Notifications
You must be signed in to change notification settings - Fork 0
159 lines (137 loc) · 5.4 KB
/
build.yaml
File metadata and controls
159 lines (137 loc) · 5.4 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
name: Build
on:
push:
branches: [ "master" ]
pull_request:
branches: [ "master" ]
env:
CARGO_TERM_COLOR: always
RUST_BACKTRACE: 1
permissions:
contents: read # Required to checkout the code
jobs:
check:
name: Check
permissions:
contents: read # Required to checkout the code
uses: TimSchoenle/actions/.github/workflows/rust-cargo-check.yaml@db5bbe354aa20b8a5cf9800f689160c4c0f75256 # workflows-rust-cargo-check-v1.1.4
coverage:
name: Coverage
permissions:
contents: read # Required to checkout the code
uses: TimSchoenle/actions/.github/workflows/rust-coverage-codecov.yaml@da2570ccadc26a91e57c290c18082cff8e4345bb # workflows-rust-coverage-codecov-v1.0.3
secrets:
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
test:
name: Test
permissions:
contents: read # Required to checkout the code
uses: TimSchoenle/actions/.github/workflows/rust-test.yaml@d681dc1bc16b10592a57a57d2845acbe97adb131 # workflows-rust-test-v1.0.1
fmt:
name: Auto Format
uses: TimSchoenle/actions/.github/workflows/rust-auto-format.yaml@a7d92c33bdf0a2820fdecc6da9c986d5b9c36995 # workflows-rust-auto-format-v1.1.2
secrets:
APP_ID: ${{ secrets.ACTIONS_MAINTENANCE_APP_ID }}
PRIVATE_KEY: ${{ secrets.ACTIONS_MAINTENANCE_PRIVATE_KEY }}
clippy:
name: Clippy
permissions:
contents: read # Required to checkout the code
checks: write # Required to annotate the commit with clippy warnings
uses: TimSchoenle/actions/.github/workflows/rust-clippy.yaml@0139849aaaac592ebf44af62ca1b469632172737 # workflows-rust-clippy-v1.1.2
docker-build-test:
name: Docker Build and Test
runs-on: ubuntu-latest
needs: check
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-docker
cancel-in-progress: true
permissions:
contents: read # Required to checkout the code
security-events: write # Required to upload Trivy scan results
pull-requests: write # Required to comment on PRs with image size
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Set up QEMU
uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3
- name: Build Docker image
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6
with:
context: .
push: false
load: true
tags: cloudflare-access-webhook-redirect:test
build-args: |
version=test
release=test
vendor=Timmi6790
VERSION=test
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Test Docker image runs
run: |
docker run --rm cloudflare-access-webhook-redirect:test --version || true
docker run --rm cloudflare-access-webhook-redirect:test --help || true
- name: Check image size
id: size-check
run: |
SIZE=$(docker image inspect cloudflare-access-webhook-redirect:test --format='{{.Size}}' | awk '{print int($1/1024/1024)}')
echo "size=${SIZE}" >> $GITHUB_OUTPUT
echo "Image size: ${SIZE}MB"
if [ $SIZE -gt 150 ]; then
echo "::warning::Image size (${SIZE}MB) exceeds 150MB threshold"
fi
- name: Scan Docker image for vulnerabilities
uses: aquasecurity/trivy-action@e368e328979b113139d6f9068e03accaed98a518 # v0.34.1
with:
image-ref: cloudflare-access-webhook-redirect:test
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
if: always()
with:
sarif_file: 'trivy-results.sarif'
- name: Comment image size on PR
uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8
if: github.event_name == 'pull_request'
env:
SIZE: ${{ steps.size-check.outputs.size }}
with:
script: |
const size = process.env.SIZE;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: `🐳 Docker image size: **${size}MB**`
});
dependency-review:
name: Dependency Review
runs-on: ubuntu-latest
needs: check
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}-dependency-review
cancel-in-progress: true
if: github.event_name == 'pull_request'
steps:
- name: Harden Runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
with:
persist-credentials: false
- name: Dependency Review
uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4