Add grype vulnerability scanner to CI #43
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: | |
| pull_request: | |
| paths-ignore: | |
| - 'cli' | |
| - 'cloud' | |
| - 'frontend' | |
| push: | |
| branches: | |
| - 'main' | |
| - 'next' | |
| paths-ignore: | |
| - 'cli' | |
| - 'cloud' | |
| - 'frontend' | |
| tags: | |
| - 'v*' | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| packages: write | |
| contents: read | |
| env: | |
| PNPM_VERSION: 9 | |
| NODE_VERSION: 18 | |
| CARTESI_MACHINE_IMAGE_NAME: bug-buster-machine | |
| CARTESI_NODE_IMAGE_NAME: bug-buster-node | |
| REGISTRY: ghcr.io/${{ github.repository_owner }} | |
| steps: | |
| - name: Check out repository | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| id: setup_buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Expose GitHub Runtime | |
| uses: crazy-max/ghaction-github-runtime@v3 | |
| - name: Build bounty examples | |
| run: make bounties | |
| env: | |
| BUILDX_BUILDER: ${{ steps.setup_buildx.outputs.name }} | |
| - name: Extract metadata from Git refs and GitHub events | |
| id: extract_metadata | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ env.REGISTRY }}/${{ env.CARTESI_MACHINE_IMAGE_NAME }} | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build machine image | |
| id: build_machine | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: . | |
| load: true | |
| builder: ${{ steps.setup_buildx.outputs.name }} | |
| tags: ${{ steps.extract_metadata.outputs.tags }} | |
| labels: ${{ steps.extract_metadata.outputs.labels }} | |
| annotations: ${{ steps.extract_metadata.outputs.annotations }} | |
| cache-from: type=gha,scope=cartesi-machine-image | |
| cache-to: type=gha,mode=max,scope=cartesi-machine-image | |
| - name: Setup pnpm | |
| uses: pnpm/action-setup@v3 | |
| with: | |
| version: ${{ env.PNPM_VERSION }} | |
| - name: Setup Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version: ${{ env.NODE_VERSION }} | |
| cache: pnpm | |
| - name: Install Node.js dependencies | |
| run: pnpm i | |
| - name: Scan image | |
| id: scan | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: ${{ steps.build_machine.outputs.imageid }} | |
| fail-build: false | |
| - name: Inspect action SARIF report | |
| run: cat ${{ steps.scan.outputs.sarif }} | |
| - name: Upload vulnerability report | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| - name: Build Cartesi Machine image | |
| env: | |
| IMAGE_ID: ${{ steps.build_machine.outputs.imageid }} | |
| run: | | |
| pnpm exec cartesi build --from-image "$IMAGE_ID" | |
| - name: Build Cartesi Node image | |
| id: build_node | |
| run: | | |
| pnpm exec cartesi deploy build --json | \ | |
| jq -r '"image=\(.image)"' >> "$GITHUB_OUTPUT" | |
| - name: Create tags for Cartesi Node image | |
| env: | |
| METADATA_JSON: ${{ steps.extract_metadata.outputs.json }} | |
| CARTESI_NODE_IMAGE: ${{ steps.build_node.outputs.image }} | |
| run: | | |
| echo "$METADATA_JSON" | \ | |
| jq -r '.tags[]' | \ | |
| sed "s/${{ env.CARTESI_MACHINE_IMAGE_NAME }}/${{ env.CARTESI_NODE_IMAGE_NAME }}/" | \ | |
| xargs -d '\n' -n1 docker image tag "$CARTESI_NODE_IMAGE" | |
| - name: Push Cartesi Machine image | |
| run: | | |
| docker image push --all-tags "${{ env.REGISTRY }}/${{ env.CARTESI_MACHINE_IMAGE_NAME }}" | |
| - name: Push Cartesi Node image | |
| run: | | |
| docker image push --all-tags "${{ env.REGISTRY }}/${{ env.CARTESI_NODE_IMAGE_NAME }}" |