Merge pull request #30 from mottljan/feature/add-github-actions

Add GitHub actions

Author: mottljan

.github/actions/common-preflight-check/action.yml

@@ -0,0 +1,36 @@
+name: Common preflight check
+description: Action that contains common checks like building and testing the image. Requires login to dhi.io for getting hardened base image.
+
+inputs:
+  image-tag:
+    description: "Tag of the Ackee Android GitLab builder image"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Build image
+      shell: bash
+      env:
+        # Required for building the image
+        IMAGE_TAG: ${{ inputs.image-tag }}
+      # Run shai-hulud detector in paranoid mode to perform more thorough checks
+      run: docker compose build --build-arg SHAI_HULUD_DETECTOR_MODE=--paranoid
+
+    - name: Test image
+      shell: bash
+      env:
+        # Required for testing the image
+        IMAGE_TAG: ${{ inputs.image-tag }}
+      # Give others write permission so the unprivileged user inside a container can write to the folder during Gradle build
+      run: |
+        chmod -R o+w image-test-app
+        docker compose run --rm gitlab-builder-android
+
+    - name: Image lint
+      # dockle is cool and targets exactly what we want to check but looks kinda dead right now. So
+      # far better than nothing but we might need to explore alternative options in the future.
+      uses: erzz/dockle-action@v1
+      with:
+        image: ackee/gitlab-builder-android:${{ inputs.image-tag }}
+        exit-code: 1

.github/actions/login/action.yml

@@ -0,0 +1,27 @@
+name: Login
+description: Action that performs login to Docker Hub and dhi.io
+
+inputs:
+  user-name:
+    description: "Docker Hub user name"
+    required: true
+  token:
+    description: "Docker Hub PAT"
+    required: true
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to Docker Hub
+      uses: docker/login-action@v3
+      with:
+        registry: docker.io
+        username: ${{ inputs.user-name }}
+        password: ${{ inputs.token }}
+
+    - name: Login to dhi.io
+      uses: docker/login-action@v3
+      with:
+        registry: dhi.io
+        username: ${{ inputs.user-name }}
+        password: ${{ inputs.token }}

.github/workflows/deploy.yml

@@ -0,0 +1,29 @@
+name: Deploy
+
+on:
+  push:
+    tags:
+      - v*
+
+jobs:
+  deploy:
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+
+        # We need to login to dhi.io for getting hardened base image and to Docker Hub for pushing the image
+      - name: Login
+        uses: ./.github/actions/login
+        with:
+          user-name: ${{ secrets.DOCKER_HUB_USERNAME }}
+          token: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Preflight checks
+        uses: ./.github/actions/common-preflight-check
+        with:
+          image-tag: ${{ github.ref_name }}
+
+      - name: Push image
+        shell: bash
+        run: docker compose push

.github/workflows/pull_request.yml

@@ -0,0 +1,41 @@
+name: Pull request
+
+on:
+  pull_request:
+    types:
+      - opened
+      - synchronize
+
+jobs:
+  pull_request:
+    runs-on: ubuntu-24.04
+    permissions:
+      # Allows docker/scout-action to write a comment to PR
+      pull-requests: write
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+
+        # We need to login to dhi.io for getting hardened base image and to Docker Hub for using Docker Scout
+      - name: Login
+        uses: ./.github/actions/login
+        with:
+          user-name: ${{ secrets.DOCKER_HUB_USERNAME }}
+          token: ${{ secrets.DOCKER_HUB_TOKEN }}
+
+      - name: Preflight checks
+        uses: ./.github/actions/common-preflight-check
+        with:
+          image-tag: "pr"
+
+        # We run Docker Scout to check for CVEs only in the PR because we just want to see a report of
+        # vulnerabilities without failing the build (and this behaviour is useless for deploy workflow).
+        # We don't want to ever fail even on critical fixable CVEs because they can come from transitive
+        # dependencies that we don't control and can't usually reliably patch.
+      - name: Docker Scout
+        uses: docker/scout-action@v1
+        with:
+          command: "cves"
+          only-severities: "critical,high"
+          # Report only CVEs that have a fix available
+          only-fixed: true

.gitignore

@@ -1 +1 @@
-.idea/
+.DS_Store