Update workflow and remove Quay

Signed-off-by: Tommy <contact@tommytran.io>
2024-10-18 04:35:12 -04:00 · 2024-06-12 03:23:19 -07:00 · 2024-06-12 03:23:19 -07:00 · b450470d52
commit b450470d52
parent 7985baa1e3
3 changed files with 29 additions and 41 deletions
--- a/.github/workflows/build.yml
+++ b/.github/workflows/build.yml
@ -9,8 +9,8 @@ on:
    paths-ignore:
      - '**.md'
  schedule:
-    # Build the image regularly (each Saturday)
-    - cron: '0 22 * * 6'
+    # Build the image daily
+    - cron: '0 0 * * *'

 env:
  REGISTRY: ghcr.io
@ -29,11 +29,6 @@ jobs:
      - name: Checkout code
        uses: actions/checkout@v4

-      - name: Extract version for tags
-        run: |
-          echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV
-          echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
-
      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3
@ -56,8 +51,6 @@ jobs:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            latest
-            ${{ env.FULL_VERSION }}
-            ${{ env.MAJOR_VERSION }}

      - name: Build and push Docker image
        id: build-and-push
@ -74,9 +67,11 @@ jobs:
        env:
          TAGS: ${{ steps.meta.outputs.tags }}

-  scan:
-    name: Scan current image & report results
+  trivy:
+    name: Scan current image with Trivy
    needs: build
+    permissions:
+      security-events: write
    runs-on: "ubuntu-latest"
    steps:
      - name: Run Trivy vulnerability scanner
@ -93,3 +88,24 @@ jobs:
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
+          category: 'trivy'
+
+  grype:
+    name: Scan current image with Grype
+    needs: build
+    permissions:
+      security-events: write
+    runs-on: "ubuntu-latest"
+    steps:
+      - name: Run Grype vulnerability scanner
+        uses: anchore/scan-action@v3
+        id: grype
+        with:
+          image: "ghcr.io/tommytran732/synapse"
+          fail-build: false
+
+      - name: Upload Grype scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: ${{ steps.grype.outputs.sarif }}
+          category: grype
--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@ -1,27 +0,0 @@
-name: Scan
-
-on:
-  workflow_dispatch:
-  schedule:
-    # Scan the image regularly (once a day)
-    - cron: '0 23 * * *'
-
-jobs:
-  scan:
-    name: Scan current image & report results
-    runs-on: "ubuntu-latest"
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'ghcr.io/tommytran732/synapse'
-          format: 'template'
-          template: '@/contrib/sarif.tpl'
-          output: 'trivy-results.sarif'
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-          vuln-type: "os,library"
-
-      - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
--- a/README.md
+++ b/README.md
@ -5,16 +5,15 @@
 [Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.

 ### Notes
- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`.
+- Prebuilt images are available at `ghcr.io/tommytran732/synapse`.
 - Don't trust random images: build yourself if you can.
 - Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair.

 ### Features & usage
 - Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
 - Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
 - Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface.
+- Daily rebuilds keeping the image up-to-date.
 - Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
 - [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.