@@ -12,9 +12,11 @@ permissions:
1212 actions : read
1313
1414jobs :
15- devcontainer-test :
15+ build :
1616 runs-on : ubuntu-latest
17- name : Test Devcontainer Build
17+ name : Build and Validate
18+ outputs :
19+ image-name : ${{ steps.build.outputs.image-name }}
1820 steps :
1921 - name : Checkout
2022 uses : actions/checkout@v4
2527 - name : Validate docker-compose.yml
2628 run : docker compose -f .devcontainer/docker-compose.yml config
2729
28- - name : Build and test devcontainer
30+ - name : Lint Dockerfile
31+ 32+ with :
33+ dockerfile : .devcontainer/Dockerfile
34+
35+ - name : Check for secrets
36+ uses : gitleaks/gitleaks-action@v2
37+ env :
38+ GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
39+
40+ - name : Build Docker image
41+ id : build
42+ run : |
43+ IMAGE_NAME="dev-template:${{ github.sha }}"
44+ docker build -t "$IMAGE_NAME" .devcontainer/
45+ echo "image-name=$IMAGE_NAME" >> $GITHUB_OUTPUT
46+
47+ - name : Save Docker image as artifact
48+ run : |
49+ docker save ${{ steps.build.outputs.image-name }} | gzip > dev-template.tar.gz
50+
51+ - name : Upload Docker image artifact
52+ uses : actions/upload-artifact@v4
53+ with :
54+ name : docker-image
55+ path : dev-template.tar.gz
56+
57+ test :
58+ runs-on : ubuntu-latest
59+ name : Test Devcontainer
60+ needs : build
61+ steps :
62+ - name : Checkout
63+ uses : actions/checkout@v4
64+
65+ - name : Download Docker image artifact
66+ uses : actions/download-artifact@v4
67+ with :
68+ name : docker-image
69+
70+ - name : Load Docker image
71+ run : |
72+ docker load < dev-template.tar.gz
73+
74+ - name : Test devcontainer functionality
2975 uses :
devcontainers/[email protected] 3076 with :
3177 runCmd : |
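Review bot: The `Save Docker image as artifact` step pipes `docker save` into `gzip` without pipefail, and a `run:` block with no explicit `shell:` runs under `bash -e` only, so a failed `docker save` is masked by `gzip` exiting 0 and the `test` and `security-scan` jobs then fail later on a truncated `dev-template.tar.gz`. Adding `shell: bash` to that step (GitHub's explicit bash shell enables `-o pipefail`) or starting the script with `set -o pipefail` makes the build job fail at the source. In the same `Build Docker image` step, quoting the redirection target as `>> "$GITHUB_OUTPUT"` matches the quoting already used for `$IMAGE_NAME`. The `uses:` line of the new `Lint Dockerfile` step (gutter line 31) is not visible on this rendered page, so I cannot tell whether the linter action is pinned; the `Test devcontainer functionality` step continues outside the hunk.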
@@ -43,18 +89,24 @@ jobs:
4389 security-scan :
4490 runs-on : ubuntu-latest
4591 name : Security and SBOM Analysis
92+ needs : build
4693 steps :
4794 - name : Checkout
4895 uses : actions/checkout@v4
4996
50- - name : Build Docker image for scanning
97+ - name : Download Docker image artifact
98+ uses : actions/download-artifact@v4
99+ with :
100+ name : docker-image
101+
102+ - name : Load Docker image
51103 run : |
52- docker build -t dev-template:latest .devcontainer/
104+ docker load < dev-template.tar.gz
53105
54106 - name : Run Trivy vulnerability scanner
55107 uses : aquasecurity/trivy-action@master
56108 with :
57- image-ref : ' dev-template:latest '
109+ image-ref : ' ${{ needs.build.outputs.image-name }} '
58110 format : ' sarif'
59111 output : ' trivy-results.sarif'
60112
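Review bot: The new `Load Docker image` step restores whatever tag was inside the artifact but never checks that it is the tag the scanner is told to use, so a mismatch between the saved image and `needs.build.outputs.image-name` would only surface as a confusing Trivy or SBOM failure several steps later. A one-line check after the load, `docker image inspect "${{ needs.build.outputs.image-name }}" >/dev/null`, fails fast with a clear cause; the same applies to the identical load step in the `test` job in the first hunk. The Trivy step itself is unchanged here, but since this job now scans an artifact built for every run it is worth noting that `aquasecurity/trivy-action@master` is a mutable reference; pinning it to a release tag or commit SHA keeps the scan result reproducible.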
@@ -69,38 +121,12 @@ jobs:
69121 - name : Generate SBOM
70122 uses : anchore/sbom-action@v0
71123 with :
72- image : ' dev-template:latest '
124+ image : ' ${{ needs.build.outputs.image-name }} '
73125 format : ' spdx-json'
74126 output-file : ' sbom.spdx.json'
75127
76128 - name : Upload SBOM as artifact
77129 uses : actions/upload-artifact@v4
78130 with :
79131 name : sbom
80- path : sbom.spdx.json
81-
82- lint-and-validate :
83- runs-on : ubuntu-latest
84- name : Lint and Validate Configuration
85- steps :
86- - name : Checkout
87- uses : actions/checkout@v4
88-
89- - name : Validate devcontainer.json
90- uses :
devcontainers/[email protected] 91- with :
92- runCmd : devcontainer read-configuration --workspace-folder .
93-
94- - name : Lint Dockerfile
95- 96- with :
97- dockerfile : .devcontainer/Dockerfile
98-
99- - name : Validate docker-compose.yml
100- run : |
101- docker compose -f .devcontainer/docker-compose.yml config
102-
103- - name : Check for secrets
104- uses : gitleaks/gitleaks-action@v2
105- env :
106- GITHUB_TOKEN : ${{ secrets.GITHUB_TOKEN }}
132+ path : sbom.spdx.json
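Review bot: Deleting the `lint-and-validate` job drops its `Validate devcontainer.json` step (old lines 89-92, `devcontainer read-configuration --workspace-folder .`), and the consolidated `build` job in the first hunk carries over the Dockerfile lint, compose validation and gitleaks steps but not this one, as far as the visible lines show. If that check is meant to live on, re-add a step in `build` that runs `devcontainer read-configuration --workspace-folder .` through the devcontainers/ci action; if dropping it is intentional, the commit message should say so, since it is the only step that validated the devcontainer.json schema. The rest of this hunk only re-points `image:` at `needs.build.outputs.image-name`, which is consistent with the Trivy `image-ref` change.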