# ==============================================================================
# IRC.ATL.CHAT - DOCKER INFRASTRUCTURE LINTING
# ==============================================================================
#
# This workflow handles Docker and infrastructure validation for the IRC server
# project. It runs comprehensive linting on Dockerfiles, Docker Compose files,
# and performs security scanning to ensure infrastructure quality.
#
# WORKFLOW FEATURES:
# ------------------
# 1. Smart file change detection to skip unnecessary jobs
# 2. Parallel execution for different linting categories
# 3. Comprehensive Docker linting with Hadolint
# 4. Docker Compose syntax validation with modern docker compose
# 5. Security vulnerability scanning with Trivy
# 6. Efficient execution with conditional job running
#
# SECURITY FEATURES:
# ------------------
# - Minimal permissions following principle of least privilege
# - Security scanning only on pull requests to avoid resource waste
# - SARIF output integration with GitHub Security tab
# - No sensitive data exposure in logs
#
# ==============================================================================
name: Docker Infrastructure CI

# TRIGGERS
# Pushes to main/develop, pull requests targeting them, and a manual
# workflow_dispatch so workflow changes can be exercised on demand.
on:
  push:
    branches:
      - main
      - develop
  pull_request:
    branches:
      - main
      - develop
  # Manual trigger for debugging and testing workflow changes
  workflow_dispatch:

# CONCURRENCY
# One run per workflow+ref. A newer push to a pull request supersedes (cancels)
# the run in progress; runs on main/develop are left to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.event_name == 'pull_request' }}
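jobs:
# ============================================================================
# DOCKERFILE LINTING - Static Analysis and Best Practices
# ============================================================================
# Purpose: Enforces Docker best practices and security rules with Hadolint
# Tools:   Hadolint (SARIF report for the Security tab + console output)
# Runs:    Only when Docker-related files change, or on workflow_dispatch
# ============================================================================
  dockerfile-lint:
    name: Dockerfile Linting
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout
      security-events: write  # upload-sarif
      actions: read           # upload-sarif (needed on private repositories)
    steps:
      # REPOSITORY CHECKOUT
      # The default shallow clone is enough to lint the current tree.
      # NOTE(review): third-party actions in this job are referenced by mutable
      # tags (@v4, @v46, @v3.1.0); pinning to a full commit SHA with the tag in
      # a trailing comment protects against a tag being moved to other code.
      - name: Checkout Repository
        uses: actions/checkout@v4

      # SMART CHANGE DETECTION
      # Lists Docker-related files touched by this push/PR so unchanged trees
      # can skip the lint steps below.
      - name: Detect Docker file changes
        uses: tj-actions/changed-files@v46
        id: docker_changes
        with:
          files: |
            **/Dockerfile*
            **/.dockerignore
            docker-compose*.yml
            docker-compose*.yaml

      # EARLY TERMINATION FOR UNCHANGED FILES
      # Informational only: explains in the log why the lint steps are skipped.
      # workflow_dispatch always runs the full job.
      - name: Skip if no Docker changes
        if: steps.docker_changes.outputs.any_changed != 'true' && github.event_name != 'workflow_dispatch'
        run: |
          echo "✅ No Docker files changed, skipping Dockerfile linting"
          echo "💡 To force run checks, use workflow_dispatch trigger"

      # DOCKERFILE DISCOVERY
      # Lists every Dockerfile* in the tree. Only the .git directory is pruned;
      # the previous `grep -v ".git"` also dropped anything under .github/ (or
      # any path containing ".git").
      # Outputs: found=true|false, files=<newline-separated paths>
      - name: Find Dockerfiles
        if: steps.docker_changes.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
        id: dockerfiles
        run: |
          dockerfiles=$(find . -path ./.git -prune -o -name "Dockerfile*" -type f -print)
          if [ -n "$dockerfiles" ]; then
            echo "found=true" >> "$GITHUB_OUTPUT"
            # Multi-line output uses the delimiter syntax so newlines survive
            echo "files<<EOF" >> "$GITHUB_OUTPUT"
            echo "$dockerfiles" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
            echo "Found Dockerfiles:"
            echo "$dockerfiles"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
            echo "No Dockerfiles found"
          fi

      # HADOLINT SECURITY ANALYSIS (SARIF)
      # Fails the step at "warning" and above; the report is uploaded below.
      # NOTE(review): only the root ./Dockerfile is linted although the discovery
      # step reports every Dockerfile* — its `files` output is unused. TODO: lint
      # each discovered file, or drop the listing.
      - name: Lint Dockerfiles with Hadolint (Security Report)
        if: steps.dockerfiles.outputs.found == 'true'
        id: hadolint-sarif
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: './Dockerfile'
          failure-threshold: warning
          format: sarif
          output-file: hadolint-results.sarif

      # SECURITY INTEGRATION
      # Upload the SARIF even when the lint step failed on findings, but only
      # when it actually ran, and never after the run was cancelled
      # (`!cancelled()` instead of `always()`).
      - name: Upload Hadolint results to GitHub Security
        if: ${{ !cancelled() && steps.hadolint-sarif.outcome != 'skipped' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: hadolint-results.sarif

      # CONSOLE OUTPUT FOR IMMEDIATE FEEDBACK
      # Same lint in human-readable form. It now also runs after the SARIF step
      # failed on findings — previously that failure skipped this step, which is
      # exactly when the console output is wanted.
      - name: Lint Dockerfiles with Hadolint (Console Output)
        if: ${{ !cancelled() && steps.dockerfiles.outputs.found == 'true' }}
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: './Dockerfile'
          failure-threshold: warning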
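# ============================================================================
# DOCKER COMPOSE LINTING - Syntax and Configuration Validation
# ============================================================================
# Purpose: Ensures Compose files parse with `docker compose config` and pass yamllint
# Tools:   docker compose v2, yamllint
# Runs:    Only when Compose files change, or on workflow_dispatch
# ============================================================================
  docker-compose-lint:
    name: Docker Compose Linting
    runs-on: ubuntu-latest
    permissions:
      contents: read  # checkout only; this job uploads nothing
    steps:
      # REPOSITORY CHECKOUT
      # The default shallow clone is enough to validate the current tree.
      - name: Checkout Repository
        uses: actions/checkout@v4

      # SMART CHANGE DETECTION
      # Lists Compose files touched by this push/PR so unrelated changes
      # skip the validation steps below.
      - name: Detect Docker Compose changes
        uses: tj-actions/changed-files@v46
        id: compose_changes
        with:
          files: |
            docker-compose*.yml
            docker-compose*.yaml
            compose*.yml
            compose*.yaml

      # EARLY TERMINATION FOR UNCHANGED FILES
      # Informational only; workflow_dispatch always runs the full job.
      - name: Skip if no Docker Compose changes
        if: steps.compose_changes.outputs.any_changed != 'true' && github.event_name != 'workflow_dispatch'
        run: |
          echo "✅ No Docker Compose files changed, skipping Docker Compose linting"
          echo "💡 To force run checks, use workflow_dispatch trigger"

      # DOCKER COMPOSE FILE DISCOVERY
      # Outputs: found=true|false, files=<newline-separated paths>
      - name: Find Docker Compose files
        if: steps.compose_changes.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
        id: compose-files
        run: |
          # The -name alternatives are grouped so -type f applies to all of them.
          # Pruning ./.git (instead of `grep -v ".git"`) keeps files under .github/.
          compose_files=$(find . -path ./.git -prune -o -type f \
            \( -name "docker-compose*.yml" -o -name "docker-compose*.yaml" \
               -o -name "compose*.yml" -o -name "compose*.yaml" \) -print)
          if [ -n "$compose_files" ]; then
            echo "found=true" >> "$GITHUB_OUTPUT"
            # Multi-line output uses the delimiter syntax so newlines survive
            echo "files<<EOF" >> "$GITHUB_OUTPUT"
            echo "$compose_files" >> "$GITHUB_OUTPUT"
            echo "EOF" >> "$GITHUB_OUTPUT"
            echo "Found Docker Compose files:"
            echo "$compose_files"
          else
            echo "found=false" >> "$GITHUB_OUTPUT"
            echo "No Docker Compose files found"
          fi

      # DOCKER COMPOSE SYNTAX VALIDATION
      # `docker compose config --quiet` parses and interpolates each file without
      # starting any service. The file list is handed over through an environment
      # variable rather than interpolated into the script with `${{ }}`, so file
      # names never become part of the shell script text.
      - name: Validate Docker Compose syntax
        if: steps.compose-files.outputs.found == 'true'
        env:
          COMPOSE_FILES: ${{ steps.compose-files.outputs.files }}
        run: |
          # A here-string (not `echo | while`) keeps the loop in the main shell,
          # so `exit 1` terminates the step instead of only a pipeline subshell.
          while IFS= read -r file; do
            [ -n "$file" ] || continue
            echo "Validating $file..."
            if docker compose -f "$file" config --quiet; then
              echo "✅ $file is valid"
            else
              echo "❌ $file has syntax errors"
              exit 1
            fi
          done <<< "$COMPOSE_FILES"

      # YAML LINTING FOR BEST PRACTICES
      # yamllint catches YAML-level problems (duplicate keys, indentation, ...)
      # that `docker compose config` tolerates.
      - name: YAML linting with yamllint
        if: steps.compose-files.outputs.found == 'true'
        env:
          COMPOSE_FILES: ${{ steps.compose-files.outputs.files }}
        run: |
          sudo apt-get update && sudo apt-get install -y yamllint
          # Compose-specific rule overrides go to a temporary file so a
          # .yamllint.yml checked into the repository is not overwritten.
          yamllint_cfg=$(mktemp)
          cat > "$yamllint_cfg" << 'EOF'
          extends: default
          rules:
            line-length:
              max: 120  # Longer lines acceptable for Docker commands
            comments-indentation: disable  # Docker Compose has specific comment styles
            truthy:
              allowed-values: ['true', 'false', 'yes', 'no']  # Docker Compose uses various boolean formats
          EOF
          while IFS= read -r file; do
            [ -n "$file" ] || continue
            echo "Running yamllint on $file..."
            yamllint -c "$yamllint_cfg" "$file"
          done <<< "$COMPOSE_FILES"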
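# ============================================================================
# DOCKER SECURITY SCANNING - Vulnerability Assessment
# ============================================================================
# Purpose: Builds the root image and scans it for known vulnerabilities with Trivy
# Scope:   Pull requests and workflow_dispatch only (not every push)
# Tools:   Trivy (SARIF report for the Security tab + console table as the gate)
# ============================================================================
  docker-security-scan:
    name: Docker Security Scanning
    runs-on: ubuntu-latest
    permissions:
      contents: read          # checkout
      security-events: write  # upload-sarif
      actions: read           # upload-sarif (needed on private repositories)
    # EXECUTION CONTROL
    # Scanning costs a full image build, so it is limited to pull requests and
    # manual security audits instead of every push.
    if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch'
    steps:
      # REPOSITORY CHECKOUT
      - name: Checkout Repository
        uses: actions/checkout@v4

      # SMART CHANGE DETECTION FOR DOCKER FILES
      - name: Detect Docker changes for security scan
        uses: tj-actions/changed-files@v46
        id: security_changes
        with:
          files: |
            **/Dockerfile*
            docker-compose*.yml
            docker-compose*.yaml

      # EARLY TERMINATION FOR UNCHANGED DOCKER FILES
      # Informational only; workflow_dispatch always runs the full job.
      - name: Skip if no Docker changes
        if: steps.security_changes.outputs.any_changed != 'true' && github.event_name != 'workflow_dispatch'
        run: |
          echo "✅ No Docker files changed, skipping security scan"
          echo "💡 To force run security scan, use workflow_dispatch trigger"

      # DOCKER IMAGE BUILD
      # NOTE(review): `docker build` executes the RUN instructions of the Dockerfile
      # under review. This job references no secrets, which is what keeps building
      # untrusted pull-request content acceptable — confirm before adding any.
      - name: Build Docker image for security scanning
        if: steps.security_changes.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
        run: |
          if [ -f "Dockerfile" ]; then
            echo "Building Docker image for security scanning..."
            docker build -t irc-security-scan:latest .
            echo "✅ Docker image built successfully"
          else
            echo "❌ No Dockerfile found in root directory"
            echo "Security scan requires a Dockerfile to analyze"
            exit 1
          fi

      # TRIVY SECURITY SCAN WITH SARIF OUTPUT
      # No exit-code is set here, so findings alone should not fail this step;
      # the console step below is the gate.
      # TODO(review): `@master` is a mutable ref — pin to a release tag, or better
      # a full commit SHA (`aquasecurity/trivy-action@<commit-sha>  # <tag>`), as
      # the file header promises "version pinning for reproducible builds".
      - name: Run Trivy vulnerability scanner (SARIF)
        if: steps.security_changes.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
        id: trivy-sarif
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'irc-security-scan:latest'
          format: 'sarif'
          output: 'trivy-results.sarif'

      # SECURITY RESULTS UPLOAD
      # Keyed on the scan step's outcome: the previous guard re-evaluated the
      # change-detection condition with `always()`, so it also fired when the
      # image build failed and no SARIF file existed, failing on a missing file.
      # `!cancelled()` still uploads after a failed scan but not after a cancel.
      - name: Upload Trivy scan results to GitHub Security
        if: ${{ !cancelled() && steps.trivy-sarif.outcome != 'skipped' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'

      # CONSOLE OUTPUT AND GATE
      # Human-readable table in the job log; exit-code 1 fails the job on
      # CRITICAL/HIGH findings that have a fix available (ignore-unfixed).
      - name: Run Trivy vulnerability scanner (Console Output)
        if: steps.security_changes.outputs.any_changed == 'true' || github.event_name == 'workflow_dispatch'
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'irc-security-scan:latest'
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'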
# ==============================================================================
# WORKFLOW BEST PRACTICES IMPLEMENTED
# ==============================================================================
#
# 1. PERFORMANCE OPTIMIZATION:
# - Smart change detection to skip unnecessary work
# - Parallel job execution across linting categories
# - Early termination for unchanged files
# - Conditional security scanning only on PRs
#
# 2. SECURITY & PERMISSIONS:
# - Minimal required permissions for each job
# - SARIF integration with GitHub Security tab
# - No sensitive data exposure in validation
# - Comprehensive vulnerability scanning
#
# 3. MAINTAINABILITY:
# - Clear job names and comprehensive documentation
# - Consistent error handling and reporting
# - Version pinning for reproducible builds
# - Configurable yamllint rules for Docker Compose
#
# 4. DEVELOPER EXPERIENCE:
# - Clear skip messages explaining why jobs didn't run
# - Both Security tab and console output for findings
# - Manual trigger option for debugging and testing
# - Comprehensive validation across all Docker files
#
# 5. INFRASTRUCTURE FOCUS:
# - Docker best practices enforcement with Hadolint
# - Modern docker compose v2 validation
# - YAML syntax validation for configuration files
# - Security vulnerability assessment for images
#
# USAGE EXAMPLES:
# ---------------
# Manual trigger:
# GitHub UI → Actions → Docker Infrastructure CI → Run workflow
#
# Force run all checks:
# Uses workflow_dispatch trigger to bypass change detection
#
# View security results:
# Check Security tab for vulnerability reports and SARIF data
#
# View linting results:
# Check Actions tab for detailed logs and console output
#
# ==============================================================================