build #654
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: build | |
on: | |
push: | |
branches: | |
- main | |
pull_request: | |
branches: | |
- main | |
schedule: | |
# Re-build all images at 2am UTC every Monday (8pm CST/9pm CDT) | |
# | |
# This ensures we always start with a recent base image, which | |
# reduces wasted space due to written-over files in the writable | |
# layer, ensures packages are up-to-date (since many of these | |
# images install the latest versions of packages available at | |
# build time), and allow us to ensure that images continue to | |
# be buildable from source (no removed packages). | |
# | |
# See: https://crontab.guru/#0_2_*_*_1 | |
- cron: "0 2 * * 1" | |
workflow_dispatch: | |
permissions: | |
actions: read | |
checks: none | |
contents: read | |
deployments: none | |
issues: none | |
packages: none | |
pull-requests: none | |
repository-projects: none | |
security-events: write | |
statuses: none | |
jobs: | |
# Quick checks, running linters, checking formatting, etc | |
quick: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Cancel previous runs | |
if: github.event_name == 'pull_request' | |
uses: styfle/[email protected] | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Node.js | |
uses: actions/setup-node@v3 | |
with: | |
node-version: 16.x | |
- name: Install Node.js modules | |
run: yarn install | |
- name: Check formatting | |
run: yarn format:check | |
images: | |
runs-on: ubuntu-latest-8-cores | |
strategy: | |
fail-fast: false | |
name: images/ubuntu | |
steps: | |
- name: Cancel previous runs | |
if: github.event_name == 'pull_request' | |
uses: styfle/[email protected] | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Install Trivy using install script | |
run: | | |
curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.37.1 | |
- name: Build ubuntu images | |
run: | | |
${{ github.workspace }}/scripts/build_images.sh \ | |
--tag=ubuntu | |
- name: Scan ubuntu images | |
run: | | |
${{ github.workspace }}/scripts/scan_images.sh \ | |
--tag=ubuntu \ | |
--output-file=trivy-results-ubuntu.sarif | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: trivy-results-ubuntu.sarif | |
category: trivy-ubuntu | |
- name: Upload Trivy scan results as an artifact | |
uses: actions/upload-artifact@v3 | |
with: | |
name: trivy-ubuntu | |
path: trivy-results-ubuntu.sarif | |
retention-days: 7 | |
- name: Authenticate to Docker Hub | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@v2 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Push images to Docker Hub | |
if: github.event_name != 'pull_request' | |
run: | | |
${{ github.workspace }}/scripts/push_images.sh \ | |
--tag=ubuntu |