-
Notifications
You must be signed in to change notification settings - Fork 1
130 lines (115 loc) · 4.13 KB
/
ci.yaml
File metadata and controls
130 lines (115 loc) · 4.13 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
name: CI
on:
push:
branches: [ "main" ]
# Publish semver tags as releases.
tags: [ 'v*.*.*' ]
pull_request:
branches: [ "main" ]
env:
REGISTRY: docker.io
DOCKER_USERNAME: argentinaluiz
IMAGE_NAME: argentinaluiz/docker-prod-test
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
ci:
runs-on: ubuntu-latest
permissions:
contents: read # Ler o conteúdo do repositório
packages: write # Permitir publicar pacotes no GitHub Packages
pull-requests: write # Permitir criar e atualizar pull requests
security-events: write # Enviar eventos de segurança para o Github Security
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log into registry ${{ env.REGISTRY }}
uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_TOKEN }}
- name: Build for CI
id: build-ci
uses: docker/build-push-action@v5.0.0
with:
context: ./src/ci/nestjs-project
file: ./src/ci/nestjs-project/Dockerfile.prod
push: false
load: true # driver docker-container
target: ci
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
github_token=${{ secrets.MY_GITHUB_TOKEN }}
- name: Up containers
run: docker compose -f ./src/ci/nestjs-project/compose.ci.yaml up -d --wait-timeout 10
- name: Run tests
run: echo "Running tests..."
- name: Build for analysis
id: build-for-analysis
uses: docker/build-push-action@v5.0.0
with:
context: ./src/ci/nestjs-project
file: ./src/ci/nestjs-project/Dockerfile.prod
push: false
load: true
tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
cache-from: type=gha
cache-to: type=gha,mode=max
secrets: |
github_token=${{ secrets.MY_GITHUB_TOKEN }}
- name: Analyze for critical and high CVEs
id: docker-scout-cves
uses: docker/scout-action@v1
with:
command: cves
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
only-severities: critical,high
only-fixed: true
summary: true # publicar github actions e pull request
exit-code: true
- name: Analyze for all CVEs
id: docker-scout-all-cves
uses: docker/scout-action@v1
with:
command: cves
image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
summary: true
sarif-file: sarif.output.json
- name: Upload SARIF result
id: upload-sarif
if: ${{ github.event_name != 'pull_request' }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: sarif.output.json
- name: Extract Docker metadata
id: meta
if: ${{ github.event_name != 'pull_request' }}
uses: docker/metadata-action@v5.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
labels: |
org.opencontainers.image.revision=${{ env.SHA }}
tags: |
type=edge,branch=$repo.default_branch
type=semver,pattern=v{{version}}
type=sha,prefix=,suffix=,format=short
- name: Build final
id: build-final
if: ${{ github.event_name != 'pull_request' }}
uses: docker/build-push-action@v5.0.0
with:
context: ./src/ci/nestjs-project
file: ./src/ci/nestjs-project/Dockerfile.prod
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: mode=max
sbom: true
secrets: |
github_token=${{ secrets.MY_GITHUB_TOKEN }}