Update workflow and remove Quay
Signed-off-by: Tommy <contact@tommytran.io>
parent
7985baa1e3
commit
b450470d52
38
.github/workflows/build.yml
vendored
38
.github/workflows/build.yml
vendored
@ -9,8 +9,8 @@ on:
|
|||||||
paths-ignore:
|
paths-ignore:
|
||||||
- '**.md'
|
- '**.md'
|
||||||
schedule:
|
schedule:
|
||||||
# Build the image regularly (each Saturday)
|
# Build the image daily
|
||||||
- cron: '0 22 * * 6'
|
- cron: '0 0 * * *'
|
||||||
|
|
||||||
env:
|
env:
|
||||||
REGISTRY: ghcr.io
|
REGISTRY: ghcr.io
|
||||||
@ -29,11 +29,6 @@ jobs:
|
|||||||
- name: Checkout code
|
- name: Checkout code
|
||||||
uses: actions/checkout@v4
|
uses: actions/checkout@v4
|
||||||
|
|
||||||
- name: Extract version for tags
|
|
||||||
run: |
|
|
||||||
echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV
|
|
||||||
echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
|
|
||||||
|
|
||||||
- name: Install cosign
|
- name: Install cosign
|
||||||
if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
uses: sigstore/cosign-installer@v3
|
uses: sigstore/cosign-installer@v3
|
||||||
@ -56,8 +51,6 @@ jobs:
|
|||||||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||||
tags: |
|
tags: |
|
||||||
latest
|
latest
|
||||||
${{ env.FULL_VERSION }}
|
|
||||||
${{ env.MAJOR_VERSION }}
|
|
||||||
|
|
||||||
- name: Build and push Docker image
|
- name: Build and push Docker image
|
||||||
id: build-and-push
|
id: build-and-push
|
||||||
@ -74,9 +67,11 @@ jobs:
|
|||||||
env:
|
env:
|
||||||
TAGS: ${{ steps.meta.outputs.tags }}
|
TAGS: ${{ steps.meta.outputs.tags }}
|
||||||
|
|
||||||
scan:
|
trivy:
|
||||||
name: Scan current image & report results
|
name: Scan current image with Trivy
|
||||||
needs: build
|
needs: build
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
runs-on: "ubuntu-latest"
|
runs-on: "ubuntu-latest"
|
||||||
steps:
|
steps:
|
||||||
- name: Run Trivy vulnerability scanner
|
- name: Run Trivy vulnerability scanner
|
||||||
@ -93,3 +88,24 @@ jobs:
|
|||||||
uses: github/codeql-action/upload-sarif@v3
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
with:
|
with:
|
||||||
sarif_file: 'trivy-results.sarif'
|
sarif_file: 'trivy-results.sarif'
|
||||||
|
category: 'trivy'
|
||||||
|
|
||||||
|
grype:
|
||||||
|
name: Scan current image with Grype
|
||||||
|
needs: build
|
||||||
|
permissions:
|
||||||
|
security-events: write
|
||||||
|
runs-on: "ubuntu-latest"
|
||||||
|
steps:
|
||||||
|
- name: Run Grype vulnerability scanner
|
||||||
|
uses: anchore/scan-action@v3
|
||||||
|
id: grype
|
||||||
|
with:
|
||||||
|
image: "ghcr.io/tommytran732/synapse"
|
||||||
|
fail-build: false
|
||||||
|
|
||||||
|
- name: Upload Grype scan results to GitHub Security tab
|
||||||
|
uses: github/codeql-action/upload-sarif@v3
|
||||||
|
with:
|
||||||
|
sarif_file: ${{ steps.grype.outputs.sarif }}
|
||||||
|
category: grype
|
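Review bot: The new `grype` job scans `image: "ghcr.io/tommytran732/synapse"`, an untagged reference that resolves to whatever `latest` points at in the registry when the job runs, not the image the `build` job produced in this run. On runs where nothing is pushed (the cosign step's `if: github.event_name != 'pull_request'` suggests pull requests are such a case; the push step itself is outside the visible hunks), the SARIF uploaded under `category: grype` would describe an older image. I would expose the digest of the `build-and-push` step as an output of the `build` job, assuming that step provides a `digest` output, and scan `image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build.outputs.digest }}`, which also removes the hard-coded name. Separately, `anchore/scan-action@v3` is a movable tag running in a job that holds `security-events: write`; pinning it as `uses: anchore/scan-action@<full-commit-sha> # v3` keeps a retagged release from changing what runs here.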
27
.github/workflows/scan.yml
vendored
27
.github/workflows/scan.yml
vendored
@ -1,27 +0,0 @@
|
|||||||
name: Scan
|
|
||||||
|
|
||||||
on:
|
|
||||||
workflow_dispatch:
|
|
||||||
schedule:
|
|
||||||
# Scan the image regularly (once a day)
|
|
||||||
- cron: '0 23 * * *'
|
|
||||||
|
|
||||||
jobs:
|
|
||||||
scan:
|
|
||||||
name: Scan current image & report results
|
|
||||||
runs-on: "ubuntu-latest"
|
|
||||||
steps:
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
uses: aquasecurity/trivy-action@master
|
|
||||||
with:
|
|
||||||
image-ref: 'ghcr.io/tommytran732/synapse'
|
|
||||||
format: 'template'
|
|
||||||
template: '@/contrib/sarif.tpl'
|
|
||||||
output: 'trivy-results.sarif'
|
|
||||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
|
||||||
vuln-type: "os,library"
|
|
||||||
|
|
||||||
- name: Upload Trivy scan results to GitHub Security tab
|
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
|
||||||
with:
|
|
||||||
sarif_file: 'trivy-results.sarif'
|
|
@ -5,16 +5,15 @@
|
|||||||
[Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
|
[Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
|
||||||
|
|
||||||
### Notes
|
### Notes
|
||||||
- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`.
|
- Prebuilt images are available at `ghcr.io/tommytran732/synapse`.
|
||||||
- Don't trust random images: build yourself if you can.
|
- Don't trust random images: build yourself if you can.
|
||||||
- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
|
- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
|
||||||
- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
|
|
||||||
- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair.
|
|
||||||
|
|
||||||
### Features & usage
|
### Features & usage
|
||||||
- Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
|
- Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
|
||||||
- Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
|
- Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
|
||||||
- Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface.
|
- Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface.
|
||||||
|
- Daily rebuilds keeping the image up-to-date.
|
||||||
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
|
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
|
||||||
- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.
|
- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.
|
||||||
|
|
||||||
|