feat(CI): Added scanning of dev docker images and M1 macos build support
SaptarshiSarkar12 committed Feb 21, 2024
1 parent 8d4a077 commit 1f9a567
Showing 3 changed files with 60 additions and 23 deletions.
27 changes: 22 additions & 5 deletions .github/workflows/build.yml
Expand Up @@ -27,7 +27,7 @@ jobs:
name: Build [${{ matrix.os }}, ${{ matrix.mode }}]
strategy:
matrix:
os: ["windows-latest", "macos-latest", "ubuntu-latest"]
os: ["windows-latest", "macos-latest", "ubuntu-latest", "macos-14"] # macos-14 has arm64 architecture, others have amd64
mode: ["CLI", "GUI"]
fail-fast: false
runs-on: ${{ matrix.os }}
Expand All @@ -53,21 +53,38 @@ jobs:
cache: 'maven'
- name: Package Drifty CLI for ${{ matrix.os }} with GraalVM
if: ${{ matrix.mode == 'CLI' }}
run: mvn -P build-drifty-cli-for-${{ matrix.os }} package
shell: bash
run: |
if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
mvn -P build-drifty-cli-for-macos-latest package -rf :CLI
else
mvn -P build-drifty-cli-for-${{ matrix.os }} package -rf :CLI
fi
- name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
if: ${{ matrix.mode == 'GUI' }}
uses: stCarolas/setup-maven@v5
with:
maven-version: 3.8.8
- name: Build platform-specific C object for missing jdk libraries
if: ${{ matrix.mode == 'GUI' }}
run: gcc -c config/missing_symbols.c -o config/missing_symbols-${{ matrix.os }}.o
shell: bash
run: |
if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
gcc -c config/missing_symbols.c -o config/missing_symbols-macos-latest.o
else
gcc -c config/missing_symbols.c -o config/missing_symbols-${{ matrix.os }}.o
fi
- name: Install dependency modules for GUI
if: ${{ matrix.mode == 'GUI' }}
run: mvn -U clean install
- name: Package Drifty GUI for ${{ matrix.os }} with GluonFX maven plugin
if: ${{ matrix.mode == 'GUI' }}
run: mvn -P build-drifty-gui-for-${{ matrix.os }} gluonfx:build gluonfx:package -rf :GUI
run: |
if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
mvn -P build-drifty-gui-for-macos-latest gluonfx:build gluonfx:package -rf :GUI
else
mvn -P build-drifty-gui-for-${{ matrix.os }} gluonfx:build gluonfx:package -rf :GUI
fi
- name: Create Application Type specific folders
run: |
mkdir build
Expand Down Expand Up @@ -96,7 +113,7 @@ jobs:
mv "GUI/target/gluonfx/x86_64-windows/Drifty-GUI.exe" build/GUI
fi
- name: Categorise build artifacts for macOS
if: ${{ matrix.os == 'macos-latest' }}
if: ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}
run: |
if ${{ matrix.mode == 'CLI' }}; then
mv "CLI/target/CLI/macos/Drifty CLI" "CLI/target/CLI/macos/Drifty-CLI_macos"
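Review bot: The `matrix.os == 'macos-latest' || matrix.os == 'macos-14'` test is repeated verbatim in three `run:` scripts (CLI package, gcc object, GUI package) only to map `macos-14` onto the `macos-latest` Maven profile and object-file name, so a fourth platform or a renamed profile has to be edited in three places. Resolving the suffix once into `$GITHUB_ENV` and referencing `${{ env.PROFILE_OS }}` lets each build step go back to a single line, as the excerpt below shows for the CLI step; the gcc and GUI steps take the same substitution. Note also that the `Categorise build artifacts for macOS` step now runs on both macOS runners and produces identically named outputs such as `Drifty-CLI_macos`; unless the later upload step, which is outside this hunk, namespaces artifacts by `matrix.os`, the arm64 and amd64 artifacts are likely to overwrite each other. The `build` job containing these steps starts above and ends below the hunk.
```yaml
- name: Resolve Maven profile suffix for ${{ matrix.os }}
  shell: bash
  run: |
    # macos-14 (arm64) reuses the macos-latest profile and object-file name
    if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
      echo "PROFILE_OS=macos-latest" >> "$GITHUB_ENV"
    else
      echo "PROFILE_OS=${{ matrix.os }}" >> "$GITHUB_ENV"
    fi
- name: Package Drifty CLI for ${{ matrix.os }} with GraalVM
  if: ${{ matrix.mode == 'CLI' }}
  run: mvn -P build-drifty-cli-for-${{ env.PROFILE_OS }} package -rf :CLI
# … unchanged: Set Up Maven step; gcc and GUI steps use ${{ env.PROFILE_OS }} the same way …
```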
45 changes: 34 additions & 11 deletions .github/workflows/dev-docker-build.yml
Expand Up @@ -5,22 +5,45 @@ on:
paths-ignore:
- "Website/**"
- "*.md"
pull_request:
pull_request_target:
paths-ignore:
- "Website/**"
- "*.md"
workflow_dispatch:

jobs:
build:
build-and-scan:
name: Build and Scan [drifty-${{ matrix.image_name_suffix }}, ${{ matrix.os }}]
runs-on: ubuntu-latest
if: github.repository == 'SaptarshiSarkar12/Drifty'
strategy:
matrix:
os: [ 'ubuntu-latest', 'macos-14' ] # ubuntu-latest and macos-14 has amd64 and arm64 architecture respectively.
image_name_suffix: [ 'base', 'runner', 'cli', 'gui' ]
fail-fast: false
permissions:
security-events: write
steps:
- uses: actions/checkout@v4
- name: Build the base image
run: docker compose build base
- name: Build the runner image
run: docker compose build runner
- name: Build the CLI image
run: docker compose build cli
- name: Build the GUI image
run: docker compose build gui
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Build Docker image
run: docker compose build ${{ matrix.image_name_suffix }}
- name: Run Trivy security scan
uses: aquasecurity/trivy-action@0.17.0
continue-on-error: true
with:
image-ref: drifty-${{ matrix.image_name_suffix }}
format: 'sarif'
exit-code: 1
vuln-type: os,library
ignore-unfixed: true
output: 'trivy-report.sarif'
hide-progress: false
scanners: vuln,secret,misconfig
- name: Upload Trivy security scan results
if: always()
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: trivy-report.sarif
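Review bot: Switching the trigger to `pull_request_target:` while the checkout step pins `ref: ${{ github.event.pull_request.head.sha }}` and the next step runs `docker compose build` means Dockerfiles and compose files from an unreviewed pull request are executed in the base repository's trusted context, where the job's GITHUB_TOKEN (granted `security-events: write` here) is reachable by that code. The explicit `permissions:` block narrows what the token can do, but the safer shape is to keep `pull_request:` for the build-and-scan job (fork PRs then run with a read-only token) and, if SARIF upload for forks is required, handle the upload in a separate workflow that never checks out or builds PR code; if `pull_request_target` must stay, drop the `ref:` override so only the base ref is built. Separately, `runs-on: ubuntu-latest` ignores `matrix.os`, so the `macos-14` entry builds the same amd64 image on an Ubuntu host and the arm64 coverage promised by the comment on the `os:` line never happens; unless arm64 hosts with Docker are available, the `os` dimension should be removed or replaced by a platform value passed to `docker compose build`. Finally, `continue-on-error: true` together with `exit-code: 1` makes the scan advisory rather than a gate (the same pattern is kept in docker-publish.yml), and `github/codeql-action/upload-sarif@main` is a floating ref; pin it to a release tag or commit SHA like the Trivy action.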
11 changes: 4 additions & 7 deletions .github/workflows/docker-publish.yml
Expand Up @@ -151,18 +151,16 @@ jobs:
cache-from: type=gha
cache-to: type=gha,mode=max
file: Docker/prod/${{ matrix.filename }}
platforms: linux/amd64,linux/arm64,linux/arm/v7
platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6

- name: Generate short commit SHA
if: github.event_name != 'pull_request_target'
run: echo "SHORT_SHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
- name: Build same image with different tag # cached build, so, will be faster
run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.filename }} build/${{ matrix.docker_context }}

- name: Run Trivy security scan
uses: aquasecurity/trivy-action@0.17.0
if: github.event_name != 'pull_request_target'
continue-on-error: true
with:
image-ref: ${{ env.REGISTRY }}/saptarshisarkar12/${{ matrix.image_name }}:sha-${{ env.SHORT_SHA }}
image-ref: ${{ matrix.image_name }}
format: 'sarif'
exit-code: 1
vuln-type: os,library
Expand All @@ -172,7 +170,6 @@ jobs:
scanners: vuln,secret,misconfig

- name: Upload Trivy security scan results
if: github.event_name != 'pull_request_target'
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: trivy-report.sarif
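Review bot: The scan target is now the local `docker build -t ${{ matrix.image_name }} …` image, a single-platform build for the runner's native architecture, so Trivy inspects only that variant while the buildx step above publishes amd64, arm64, arm/v7 and the newly added `linux/arm/v6` images; the previous registry reference was resolved per host platform as well, so none of the non-amd64 variants are covered by the gate either before or after this change. If per-architecture coverage is wanted, add a `platform` entry to the matrix and pass `--platform` to both the local build and the scan, or scan the pushed manifest digest per platform. Removing the `if: github.event_name != 'pull_request_target'` guards means the scan and the SARIF upload now also run on pull-request events; whether that rebuilds pull-request code in a privileged context depends on the trigger and checkout step, which are outside this hunk and should be confirmed before merging. The enclosing job starts and ends outside the hunk.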
