diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
index d205a1d36..8e9201698 100644
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@@ -27,7 +27,7 @@ jobs:
     name: Build [${{ matrix.os }}, ${{ matrix.mode }}]
     strategy:
       matrix:
-        os: ["windows-latest", "macos-latest", "ubuntu-latest"]
+        os: ["windows-latest", "macos-latest", "ubuntu-latest", "macos-14"] # macos-14 has arm64 architecture, others have amd64
         mode: ["CLI", "GUI"]
       fail-fast: false
     runs-on: ${{ matrix.os }}
@@ -53,7 +53,13 @@ jobs:
           cache: 'maven'
       - name: Package Drifty CLI for ${{ matrix.os }} with GraalVM
         if: ${{ matrix.mode == 'CLI' }}
-        run: mvn -P build-drifty-cli-for-${{ matrix.os }} package
+        shell: bash
+        run: |
+          if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
+            mvn -P build-drifty-cli-for-macos-latest package -rf :CLI
+          else
+            mvn -P build-drifty-cli-for-${{ matrix.os }} package -rf :CLI
+          fi
       - name: Set Up Maven version 3.8.8 # For GUI build issues, maven version 3.8.8 needs to be used
         if: ${{ matrix.mode == 'GUI' }}
         uses: stCarolas/setup-maven@v5
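Review bot: The `if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then` branch in the CLI packaging step encodes the runner-label-to-Maven-profile mapping in shell, and the same construct is repeated in the gcc and GUI packaging steps of the next hunk, so a future runner label has to be added in four places (the matrix plus three steps). A matrix `include:` that attaches a `profile` value to each `os` lets every step stay a one-liner such as `run: mvn -P build-drifty-cli-for-${{ matrix.profile }} package -rf :CLI`, and removes the need for `shell: bash` on the Windows entry. The interpolation works only because the expression expands to the literal shell words `true`/`false`; if the shell form is kept, a comment like `# ${{ }} expands to true/false, which bash then runs as a command` would save the next reader a detour. The job header and the steps before `cache: 'maven'` are outside this hunk.
```yaml
    strategy:
      matrix:
        os: ["windows-latest", "macos-latest", "ubuntu-latest", "macos-14"]
        mode: ["CLI", "GUI"]
        # profile: suffix of the Maven build profile; macos-14 (arm64) reuses the macos-latest profile
        include:
          - os: windows-latest
            profile: windows-latest
          - os: macos-latest
            profile: macos-latest
          - os: ubuntu-latest
            profile: ubuntu-latest
          - os: macos-14
            profile: macos-latest
      fail-fast: false
# … unchanged: runs-on, checkout and JDK setup steps …
      - name: Package Drifty CLI for ${{ matrix.os }} with GraalVM
        if: ${{ matrix.mode == 'CLI' }}
        run: mvn -P build-drifty-cli-for-${{ matrix.profile }} package -rf :CLI
```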
@@ -61,13 +67,24 @@ jobs:
           maven-version: 3.8.8
       - name: Build platform-specific C object for missing jdk libraries
         if: ${{ matrix.mode == 'GUI' }}
-        run: gcc -c config/missing_symbols.c -o config/missing_symbols-${{ matrix.os }}.o
+        shell: bash
+        run: |
+          if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
+            gcc -c config/missing_symbols.c -o config/missing_symbols-macos-latest.o
+          else
+            gcc -c config/missing_symbols.c -o config/missing_symbols-${{ matrix.os }}.o
+          fi
       - name: Install dependency modules for GUI
         if: ${{ matrix.mode == 'GUI' }}
         run: mvn -U clean install
       - name: Package Drifty GUI for ${{ matrix.os }} with GluonFX maven plugin
         if: ${{ matrix.mode == 'GUI' }}
-        run: mvn -P build-drifty-gui-for-${{ matrix.os }} gluonfx:build gluonfx:package -rf :GUI
+        run: |
+          if ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}; then
+            mvn -P build-drifty-gui-for-macos-latest gluonfx:build gluonfx:package -rf :GUI
+          else
+            mvn -P build-drifty-gui-for-${{ matrix.os }} gluonfx:build gluonfx:package -rf :GUI
+          fi
       - name: Create Application Type specific folders
         run: |
           mkdir build
@@ -96,7 +113,7 @@ jobs:
             mv "GUI/target/gluonfx/x86_64-windows/Drifty-GUI.exe" build/GUI
           fi
       - name: Categorise build artifacts for macOS
-        if: ${{ matrix.os == 'macos-latest' }}
+        if: ${{ matrix.os == 'macos-latest' || matrix.os == 'macos-14' }}
         run: |
           if ${{ matrix.mode == 'CLI' }}; then
             mv "CLI/target/CLI/macos/Drifty CLI" "CLI/target/CLI/macos/Drifty-CLI_macos"
diff --git a/.github/workflows/dev-docker-build.yml b/.github/workflows/dev-docker-build.yml
index 15c0eb595..3960ff3ad 100644
--- a/.github/workflows/dev-docker-build.yml
+++ b/.github/workflows/dev-docker-build.yml
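Review bot: The GUI packaging step's new multi-line `run: |` uses bash `if …; then … fi` syntax but, unlike the CLI and gcc steps in this change, does not add `shell: bash`, so on the `windows-latest` matrix entry it runs under the runner's default PowerShell and fails to parse, unless a workflow-level `defaults.run.shell` outside this hunk already selects bash. Adding `shell: bash` above that `run: |`, as the two sibling steps do, makes the three steps consistent and removes the dependency on a default that is not visible here. In the gcc step both macOS entries now emit `config/missing_symbols-macos-latest.o`; that is harmless while each matrix entry runs on its own runner, but a comment such as `# macos-14 (arm64) shares the macos-latest profile and object name` would record that this is deliberate. The job header is outside this hunk.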
@@ -5,22 +5,45 @@ on:
     paths-ignore:
       - "Website/**"
       - "*.md"
-  pull_request:
+  pull_request_target:
     paths-ignore:
       - "Website/**"
       - "*.md"
   workflow_dispatch:
 jobs:
-  build:
+  build-and-scan:
+    name: Build and Scan [drifty-${{ matrix.image_name_suffix }}, ${{ matrix.os }}]
     runs-on: ubuntu-latest
+    if: github.repository == 'SaptarshiSarkar12/Drifty'
+    strategy:
+      matrix:
+        os: [ 'ubuntu-latest', 'macos-14' ] # ubuntu-latest and macos-14 has amd64 and arm64 architecture respectively.
+        image_name_suffix: [ 'base', 'runner', 'cli', 'gui' ]
+      fail-fast: false
+    permissions:
+      security-events: write
     steps:
-      - uses: actions/checkout@v4
-      - name: Build the base image
-        run: docker compose build base
-      - name: Build the runner image
-        run: docker compose build runner
-      - name: Build the CLI image
-        run: docker compose build cli
-      - name: Build the GUI image
-        run: docker compose build gui
\ No newline at end of file
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          ref: ${{ github.event.pull_request.head.sha }}
+      - name: Build Docker image
+        run: docker compose build ${{ matrix.image_name_suffix }}
+      - name: Run Trivy security scan
+        uses: aquasecurity/trivy-action@0.17.0
+        continue-on-error: true
+        with:
+          image-ref: drifty-${{ matrix.image_name_suffix }}
+          format: 'sarif'
+          exit-code: 1
+          vuln-type: os,library
+          ignore-unfixed: true
+          output: 'trivy-report.sarif'
+          hide-progress: false
+          scanners: vuln,secret,misconfig
+      - name: Upload Trivy security scan results
+        if: always()
+        uses: github/codeql-action/upload-sarif@main
+        with:
+          sarif_file: trivy-report.sarif
\ No newline at end of file
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index 9a91a724f..38bbe9153 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
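Review bot: Switching the trigger to `pull_request_target` while checking out `${{ github.event.pull_request.head.sha }}` and then running `docker compose build` executes the fork's compose file and Dockerfiles in the base repository's privileged context, where `GITHUB_TOKEN` and repository secrets are reachable; the job-level `permissions: security-events: write` usefully narrows the token, but `actions/checkout` still persists it into `.git/config` by default, which is presumably inside the build context. If `pull_request_target` is needed only so `upload-sarif` can publish results for fork PRs, add `persist-credentials: false` to the checkout step and keep the job free of `secrets.*` references, or build and scan under `pull_request` and upload from a separate `workflow_run` job. Separately, the new `os` matrix dimension is never consumed: `runs-on: ubuntu-latest` is left as context, so all eight jobs run on ubuntu-latest and the `macos-14 … arm64` comment does not describe what executes; either `runs-on: ${{ matrix.os }}` or dropping the dimension is needed. Pinning `github/codeql-action/upload-sarif@main` to a release tag or commit SHA, as the Trivy action already is, would avoid pulling an unreviewed floating branch into this job.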
@@ -151,18 +151,16 @@ jobs:
           cache-from: type=gha
           cache-to: type=gha,mode=max
           file: Docker/prod/${{ matrix.filename }}
-          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          platforms: linux/amd64,linux/arm64,linux/arm/v7,linux/arm/v6
-
-      - name: Generate short commit SHA
-        if: github.event_name != 'pull_request_target'
-        run: echo "SHORT_SHA=$(git rev-parse --short ${{ github.sha }})" >> $GITHUB_ENV
+      - name: Build same image with different tag # cached build, so, will be faster
+        run: docker build -t ${{ matrix.image_name }} -f Docker/prod/${{ matrix.filename }} build/${{ matrix.docker_context }}
       - name: Run Trivy security scan
         uses: aquasecurity/trivy-action@0.17.0
-        if: github.event_name != 'pull_request_target'
         continue-on-error: true
         with:
-          image-ref: ${{ env.REGISTRY }}/saptarshisarkar12/${{ matrix.image_name }}:sha-${{ env.SHORT_SHA }}
+          image-ref: ${{ matrix.image_name }}
           format: 'sarif'
           exit-code: 1
           vuln-type: os,library
@@ -172,7 +170,6 @@ jobs:
           scanners: vuln,secret,misconfig
       - name: Upload Trivy security scan results
-        if: github.event_name != 'pull_request_target'
         uses: github/codeql-action/upload-sarif@main
         with:
           sarif_file: trivy-report.sarif
\ No newline at end of file
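Review bot: The new `Build same image with different tag` step rebuilds with plain `docker build` for the runner's native platform only, so the Trivy scan on `image-ref: ${{ matrix.image_name }}` now covers one of the four `platforms` the preceding multi-arch push publishes, and the untagged ref resolves to `:latest` instead of the pushed `sha-` tag that was scanned before. With the `if: github.event_name != 'pull_request_target'` guards removed from the scan step here and from the upload step in the second hunk, scanning also runs for `pull_request_target` events; that is only as safe as the checkout feeding the build, which is decided by steps outside this hunk. The `# cached build, so, will be faster` comment assumes the legacy builder shares the `type=gha` cache of the buildx step, which is not something the workflow establishes; `# relies on the buildx layer cache; verify on a cold runner` states the assumption honestly. Tagging explicitly, e.g. `-t ${{ matrix.image_name }}:scan`, and using that ref in `image-ref` would make it unambiguous that the scanned image is the locally built one rather than a registry pull.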