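# Reusable build workflow for the frontend: builds the npm bundle, then
# assembles a multi-arch container image from it and, when requested,
# pushes the image to docker.io and scans the pushed reference with Trivy.
#
# NOTE(review): every third-party action below is pinned to a version tag.
# Tags are mutable and can be re-pointed by the action owner (or by whoever
# compromises that account); pin each `uses:` to the full commit SHA of the
# tag instead (keep the tag in a trailing comment) so the supply chain is
# immutable. Not changed here because the SHAs are not visible in this file.
on:
  workflow_call:
    inputs:
      app-version:
        type: string
        required: false
        default: 'snapshot'
        description: 'Set the version that should be set/used as tag for the container image'
      publish-container:
        type: boolean
        required: false
        default: false
        description: 'Set if the container image gets published and scanned once it is built'
      ref-name:
        type: string
        required: true
        description: 'Short ref name of the branch or tag that triggered the workflow run'
    secrets:
      registry-0-usr:
        required: true
      registry-0-psw:
        required: true

jobs:
  build-node:
    runs-on: ubuntu-latest
    # Least privilege: this job only reads the repository. Permissions set in
    # a called workflow can only narrow what the calling workflow grants.
    permissions:
      contents: read
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4.2.2
      - name: Set up NodeJs
        uses: actions/setup-node@v4.1.0
        with:
          node-version: '20'
          cache: 'npm'
      - name: Run Npm Build
        env:
          # Quoted so the YAML parser does not turn it into a boolean.
          CI: 'true'
        run: |-
          npm ci
          npm run build --if-present
      - name: Upload Artifacts
        uses: actions/upload-artifact@v4.6.0
        with:
          name: assembled-frontend
          # dist/ is the built bundle; bom.* is the SBOM emitted by the build.
          path: |-
            dist/
            bom.*

  build-container:
    runs-on: ubuntu-latest
    needs:
      - build-node
    # `security-events: write` is needed by the SARIF upload step below; the
    # caller must grant at least that, it cannot be elevated from here.
    permissions:
      contents: read
      security-events: write
    steps:
      - name: Checkout Repository
        uses: actions/checkout@v4.2.2
      - name: Download Artifacts
        # No `path:` on purpose: dist/ and bom.* land in the workspace root,
        # which is the build context handed to the Dockerfile below.
        uses: actions/download-artifact@v4.1.8
        with:
          name: assembled-frontend
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3.3.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3.8.0
        id: buildx
        with:
          install: true
      - name: Login to Docker.io
        uses: docker/login-action@v3.3.0
        if: ${{ inputs.publish-container }}
        with:
          registry: docker.io
          username: ${{ secrets.registry-0-usr }}
          password: ${{ secrets.registry-0-psw }}
      - name: Set Container Tags
        id: tags
        # Inputs are passed through the environment instead of being
        # templated with ${{ }} straight into the script. `ref-name` is a
        # branch/tag name chosen by whoever pushed it and `app-version` is
        # caller-controlled; templating either into `run:` lets a crafted
        # value (e.g. a name containing `";` or `$(...)`) execute as shell.
        env:
          REF_NAME: ${{ inputs.ref-name }}
          APP_VERSION: ${{ inputs.app-version }}
        run: |-
          set -euo pipefail
          IMAGE_NAME="docker.io/dependencytrack/frontend"
          # NOTE(review): the ref name is lower-cased but not otherwise
          # sanitized; a branch name with characters that are invalid in an
          # image tag (e.g. `/`) will fail at the build step rather than here.
          if [[ "${REF_NAME}" == feature-* ]]; then
            PRIMARY="${IMAGE_NAME}:${REF_NAME,,}"
            TAGS="${PRIMARY}"
          else
            PRIMARY="${IMAGE_NAME}:${APP_VERSION}"
            TAGS="${PRIMARY}"
            # Only real releases also move the `latest` tag.
            if [[ "${APP_VERSION}" != "snapshot" ]]; then
              TAGS="${TAGS},${IMAGE_NAME}:latest"
            fi
          fi
          # `tags` is the comma-separated list for build-push-action;
          # `primary` is the single reference the scanner should look at.
          echo "tags=${TAGS}" >> "${GITHUB_OUTPUT}"
          echo "primary=${PRIMARY}" >> "${GITHUB_OUTPUT}"
      - name: Build multi-arch Container Image
        uses: docker/build-push-action@v6.11.0
        with:
          tags: ${{ steps.tags.outputs.tags }}
          build-args: |-
            APP_VERSION=${{ inputs.app-version }}
            COMMIT_SHA=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
          push: ${{ inputs.publish-container }}
          context: .
          file: docker/Dockerfile.alpine
      - name: Run Trivy Vulnerability Scanner
        # The scan runs only after the image has been pushed, so a vulnerable
        # image is already public when its findings reach the Security tab.
        # TODO(review): to make the scan a gate, scan a locally loaded
        # single-arch build before the push step instead.
        if: ${{ inputs.publish-container }}
        uses: aquasecurity/trivy-action@0.29.0
        env:
          # https://github.com/aquasecurity/trivy-action/issues/389
          TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
          TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db:1'
        with:
          # Scan exactly the reference that was just pushed. This used to be
          # hard-wired to `:${app-version}`, which is not the tag feature-*
          # branches publish, so those runs scanned a stale image.
          image-ref: ${{ steps.tags.outputs.primary }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Policy choices kept as-is: only OS packages are scanned (the npm
          # dependencies bundled into dist/ are not covered by this scan) and
          # findings without an upstream fix are suppressed.
          ignore-unfixed: true
          vuln-type: 'os'
      - name: Upload Trivy Scan Results to GitHub Security Tab
        if: ${{ inputs.publish-container }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'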