implement basic automatic security audit

rcambrj · rcambrj · commit c4ffbfc52f4f · 2025-10-07T14:45:27.000+02:00
diff --git a/.github/workflows/build-and-release.yaml b/.github/workflows/build-and-release.yaml
@@ -22,9 +22,63 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
+  codeql-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - uses: actions/dependency-review-action@v4
+
+      - uses: github/codeql-action/init@v3
+        with:
+          languages: actions,go
+      - uses: github/codeql-action/analyze@v3
+
+  go-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v5
+
+      - name: Install Go
+        uses: actions/setup-go@v5
+        with:
+          go-version-file: go.mod
+
+      - name: Check Go dependencies
+        uses: golang/govulncheck-action@v1
+        with:
+          go-package: ./...
+          output-format: sarif
+          output-file: govulncheck.sarif
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: govulncheck.sarif
+
+      - name: Check Go source code
+        uses: securego/gosec@master
+        with:
+          args: '-no-fail -fmt sarif -out gosec.sarif ./...'
+      - name: Upload SARIF file
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: gosec.sarif
+
+  nix-audit:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check Nix flake inputs
+        uses: DeterminateSystems/flake-checker-action@main
+        with:
+          send-statistics: false
+
   build-go:
+    needs: [ codeql-audit, go-audit, nix-audit ]
     runs-on: ubuntu-latest
     strategy:
       matrix:
@@ -68,8 +122,10 @@ jobs:
         with:
           name: multigres-operator-${{matrix.arch}}
           path: dist/*
+          if-no-files-found: error
+          retention-days: 7
 
-  build-push-container:
+  build-container:
     needs: [ build-go ]
     runs-on: ubuntu-latest
     steps:
@@ -82,13 +138,6 @@ jobs:
       - name: Setup Docker buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log into registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Extract container metadata
         id: meta
         uses: docker/metadata-action@v5
@@ -106,22 +155,67 @@ jobs:
           pattern: multigres-operator-*
           path: dist/
 
-      - name: Build and push container image
-        id: build-and-push
+      - name: Build container image
         uses: docker/build-push-action@v5
         with:
           context: .
           file: Containerfile
           platforms: linux/${{ join(fromJson(inputs.architectures), ',linux/') }}
-          push: ${{ inputs.push-container-image }}
+          push: false
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           provenance: false
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          outputs: type=docker,dest=container-image.tar
+
+      - name: Upload image artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: container-image-tar
+          path: container-image.tar
+          if-no-files-found: error
+          retention-days: 7
+
+  container-audit:
+    needs: [ build-container ]
+    runs-on: ubuntu-latest
+    steps: []
+
+  push-container:
+    needs: [ container-audit ]
+    runs-on: ubuntu-latest
+    if: ${{ inputs.push-container-image }}
+    steps:
+      - name: Download image artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: container-image-tar
+          path: .
+
+      - name: Log into registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Push to registry
+        run: |
+          IMAGE="ghcr.io/${{ github.repository }}"
+          docker load --input container-image.tar
+          docker push "$IMAGE:${{ github.sha }}"
+          if [ "${{ github.ref }}" = "refs/heads/main" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
+            docker push "$IMAGE:latest"
+          fi
+          if [ "${{ github.ref_type }}" = "tag" ]; then
+            docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
+            docker push "$IMAGE:${{ github.ref_name }}"
+          fi
 
   create-release:
-    needs: [ build-go ]
+    needs: [ container-audit ]
     runs-on: ubuntu-latest
     if: ${{ inputs.create-release }}
     steps:
diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
@@ -9,6 +9,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -6,6 +6,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
diff --git a/.github/workflows/tags.yaml b/.github/workflows/tags.yaml
@@ -8,6 +8,7 @@ on:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 jobs:
   run:
