add build workflow

2024-11-22 00:01:32 -05:00 · 2021-06-02 19:11:41 +02:00 · 2021-06-02 19:11:41 +02:00 · 7c2dd73b51
commit 7c2dd73b51
parent 8f702852b4
1 changed files with 51 additions and 0 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -0,0 +1,51 @@
+name: build
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [ main ]
+  schedule:
+    # Build the image regularly (each Friday)
+    - cron: '13 21 * * 5'
+
+jobs:
+  build:
+    name: Build, scan & push
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v2
+
+      - name: Build an image from Dockerfile
+        run: |
+          docker build \
+              -t ghcr.io/wonderfall/synapse \
+              -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6) \
+              -t ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4) \
+              .
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'ghcr.io/wonderfall/synapse'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          severity: 'CRITICAL,HIGH'
+          vuln-type: "os"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Docker login
+        run: >-
+          echo "${{ secrets.GHCR_TOKEN }}"
+          | docker login -u "${{ github.actor }}" --password-stdin ghcr.io
+          
+      - name: Push image to GitHub
+        run: |
+          docker push ghcr.io/wonderfall/synapse
+          docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c6)
+          docker push ghcr.io/wonderfall/synapse:$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c4)