feat: Adicionar verificação do arquivo apko-stg.yaml #58
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build e Distribuição de Pacotes com Melange e APKO | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| jobs: | |
| build: | |
| name: Build e Distribuição de Pacotes | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| # Checkout do código | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| # Configurar Docker Buildx | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| # Instalar Melange | |
| - name: Install Melange | |
| run: | | |
| wget https://github.com/chainguard-dev/melange/releases/download/v0.11.2/melange_0.11.2_linux_386.tar.gz | |
| tar -xzf melange_0.11.2_linux_386.tar.gz | |
| cd melange_0.11.2_linux_386 | |
| sudo mv melange /usr/local/bin/ | |
| melange version | |
| # Instalar APKO | |
| - name: Install APKO | |
| run: | | |
| wget https://github.com/chainguard-dev/apko/releases/download/v0.14.7/apko_0.14.7_linux_386.tar.gz | |
| tar -xzf apko_0.14.7_linux_386.tar.gz | |
| cd apko_0.14.7_linux_386 | |
| sudo mv apko /usr/local/bin/ | |
| apko version | |
| # Instalar Cosign | |
| - name: Instalar Cosign | |
| uses: sigstore/[email protected] | |
| # Gerar chaves com Melange | |
| - name: Generate keys with Melange | |
| run: | | |
| cd chainguard | |
| melange keygen | |
| # Construir pacotes com Melange | |
| - name: Build packages with Melange | |
| run: | | |
| cd chainguard | |
| melange build melange.yaml --runner docker --signing-key melange.rsa --arch amd64 | |
| # Construir imagem de container com APKO | |
| - name: Build container image with APKO | |
| run: | | |
| cd chainguard | |
| apko build apko.yaml senhas senhas.tar -k melange.rsa.pub --arch amd64 | |
| # Login no DockerHub | |
| - name: Login to DockerHub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| # Load da imagem Docker | |
| - name: Load Docker image | |
| run: | | |
| cd chainguard | |
| docker load < senhas.tar | |
| docker images | |
| # Extrair metadados (tags, labels) para Docker | |
| - name: Extrair metadados (tags, labels) para Docker | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: nataliagranato/senhas | |
| # Gerar nome único para a tag | |
| - name: Gerar nome único para a tag | |
| id: generate-tag | |
| run: | | |
| # Obtém os primeiros 5 dígitos do hash do commit e a data | |
| SHORT_HASH=$(git log -1 --pretty=format:%h | cut -c1-5) | |
| TIMESTAMP=$(date +%Y%m%d%H%M%S) | |
| echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> $GITHUB_ENV | |
| echo "::set-output name=tag::${SHORT_HASH}-${TIMESTAMP}" | |
| # Fazer push da imagem Docker | |
| - name: Push Docker image | |
| id: push-docker-image | |
| run: | | |
| docker tag senhas:latest-amd64 ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }} | |
| docker push ${{ secrets.DOCKER_USERNAME }}/senhas:${{ steps.generate-tag.outputs.tag }} | |
| # Scan de segurança com Aqua Security Trivy | |
| - name: Aqua Security Trivy | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: nataliagranato/senhas:${{ steps.generate-tag.outputs.tag }} | |
| format: 'sarif' | |
| severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL' | |
| output: 'trivy-results.sarif' | |
| # Envio dos resultados do Trivy para a aba de Segurança do GitHub | |
| - name: Fazer upload dos resultados do Trivy para a aba de Segurança do GitHub | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |