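---
# Workflow: build the Spark workload image on pull requests, pushes to master
# and v* tags, then scan the result with Trivy (see the jobs below).
name: Build and test spark image

on:
  pull_request:
    types: [opened, ready_for_review, reopened, synchronize]
  push:
    branches:
      - master
    tags:
      # quoted so the glob is never mistaken for YAML syntax
      - 'v*'

# Least-privilege token for the whole workflow: read-only on the repository,
# security-events: write only because the scan job uploads SARIF results.
permissions:
  actions: read
  contents: read
  security-events: write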
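jobs:
  build:
    runs-on: ubuntu-latest
    env:
      # list of Docker images to use as base name for tags
      IMAGE_REPO: quay.io/basisai/workload-standard
    outputs:
      # Fully-qualified tag of the image built in this run; the scan job
      # pulls this ref from the registry on non-pull_request events.
      image-tags: ${{ env.IMAGE_REPO }}:${{ steps.docker_meta.outputs.version }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Docker meta
        id: docker_meta
        uses: docker/metadata-action@v3
        with:
          images: ${{ env.IMAGE_REPO }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      - name: Set up Docker Context for Buildx
        id: buildx-context
        run: |
          docker context create builders

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          endpoint: builders

      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      # Registry credentials are only used outside pull requests, so the
      # pull_request path never needs (or exposes) the secrets.
      - name: Login to Quay
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v1
        with:
          registry: quay.io
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # pull_request path: build only (no push) and export the image as a
      # tarball that the scan job downloads as an artifact.
      - name: Build and push
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          # platforms: linux/amd64,linux/arm64,linux/386
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache
          outputs: type=docker,dest=/tmp/workload-standard-${{ github.sha }}.tar

      # push path (master / v* tags): build and push to the registry.
      - name: Build and push
        if: ${{ github.event_name != 'pull_request' }}
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          # platforms: linux/amd64,linux/arm64,linux/386
          push: true
          tags: ${{ steps.docker_meta.outputs.tags }}
          labels: ${{ steps.docker_meta.outputs.labels }}
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      - name: Upload artifact
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/upload-artifact@v2
        with:
          name: docker-image
          path: /tmp/workload-standard-${{ github.sha }}.tar
          # the tarball is only needed by the scan job of this same run
          retention-days: 1

  scan:
    runs-on: ubuntu-latest
    needs: build
    strategy:
      matrix:
        # Two scanner passes: MEDIUM/HIGH findings are report-only (scanner
        # exit code 0); CRITICAL findings make the scanner exit non-zero.
        include:
          - severity: "MEDIUM,HIGH"
            exit-code: "0"
          - severity: "CRITICAL"
            exit-code: "1"
    steps:
      - name: Checkout code
        uses: actions/checkout@v2

      - name: Set up Docker Context for Buildx
        id: buildx-context
        run: |
          docker context create builders

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
        with:
          endpoint: builders

      - name: Download artifact
        if: ${{ github.event_name == 'pull_request' }}
        uses: actions/download-artifact@v2
        with:
          name: docker-image
          path: tmp

      # Ignore the CVE-2019-17571 about log4j version 1 until Spark 3.3 releases with log4j version 2
      - name: Generate .trivyignore
        run: echo "CVE-2019-17571" > .trivyignore

      # NOTE(review): @master is a mutable ref, so any commit landing on that
      # branch runs here without review; pin to a release tag or full commit
      # SHA (@<PINNED_TAG_OR_SHA>) and update it deliberately.
      - name: Run Trivy vulnerability scanner for ${{ matrix.severity }} severity
        if: ${{ github.event_name == 'pull_request' }}
        uses: aquasecurity/trivy-action@master
        with:
          input: tmp/workload-standard-${{ github.sha }}.tar
          format: 'table'
          exit-code: ${{ matrix.exit-code }}
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: ${{ matrix.severity }}
        # NOTE(review): continue-on-error swallows the non-zero exit of the
        # CRITICAL matrix entry, so the job never fails on findings; remove it
        # if the scan is meant to gate merges.
        continue-on-error: true

      # NOTE(review): this job has no registry login, so it assumes the
      # quay.io repository is publicly pullable — confirm.
      - name: Run Trivy vulnerability scanner for ${{ matrix.severity }} severity
        if: ${{ github.event_name != 'pull_request' }}
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ needs.build.outputs.image-tags }}
          format: 'sarif'
          output: 'trivy-results-${{ matrix.severity }}.sarif'
          exit-code: ${{ matrix.exit-code }}
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: ${{ matrix.severity }}
        # NOTE(review): see the pull_request scan step above — with this set,
        # exit-code "1" does not fail the job; keep it only if the upload
        # below must run regardless (alternatively guard that step with
        # `if: always() && github.event_name != 'pull_request'`).
        continue-on-error: true

      - name: Upload Trivy scan results to GitHub Security tab
        if: ${{ github.event_name != 'pull_request' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results-${{ matrix.severity }}.sarif'
          # Distinct category per matrix entry so the two SARIF uploads for the
          # same commit are kept as separate analyses rather than one
          # replacing the other in the Security tab.
          category: 'trivy-${{ matrix.severity }}'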