-
-
Notifications
You must be signed in to change notification settings - Fork 160
131 lines (115 loc) · 3.7 KB
/
_meta-build.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
on:
workflow_call:
inputs:
app-version:
type: string
required: false
default: 'snapshot'
description: 'Set the version that should be set/used as tag for the container image'
publish-container:
type: boolean
required: false
default: false
description: 'Set if the container image gets publish and scan once its build'
ref-name:
type: string
required: true
description: 'Short ref name of the branch or tag that triggered the workflow run'
secrets:
registry-0-usr:
required: true
registry-0-psw:
required: true
jobs:
build-node:
runs-on: ubuntu-latest
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Set up NodeJs
uses: actions/[email protected]
with:
node-version: '20'
cache: 'npm'
- name: Run Npm Build
env:
CI: true
run: |-
npm ci
npm run build --if-present
- name: Upload Artifacts
uses: actions/[email protected]
with:
name: assembled-frontend
path: |-
dist/
bom.*
build-container:
runs-on: ubuntu-latest
needs:
- build-node
steps:
- name: Checkout Repository
uses: actions/[email protected]
- name: Download Artifacts
uses: actions/[email protected]
with:
name: assembled-frontend
- name: Set up QEMU
uses: docker/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
id: buildx
with:
install: true
- name: Login to Docker.io
uses: docker/[email protected]
if: ${{ inputs.publish-container }}
with:
registry: docker.io
username: ${{ secrets.registry-0-usr }}
password: ${{ secrets.registry-0-psw }}
- name: Set Container Tags
id: tags
run: |-
IMAGE_NAME="docker.io/dependencytrack/frontend"
REF_NAME="${{ inputs.ref-name }}"
TAGS=""
if [[ $REF_NAME == feature-* ]]; then
TAGS="${IMAGE_NAME}:${REF_NAME,,}"
else
TAGS="${IMAGE_NAME}:${{ inputs.app-version }}"
if [[ "${{ inputs.app-version }}" != "snapshot" ]]; then
TAGS="${TAGS},${IMAGE_NAME}:latest"
fi
fi
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
- name: Build multi-arch Container Image
uses: docker/[email protected]
with:
tags: ${{ steps.tags.outputs.tags }}
build-args: |-
APP_VERSION=${{ inputs.app-version }}
COMMIT_SHA=${{ github.sha }}
platforms: linux/amd64,linux/arm64
push: ${{ inputs.publish-container }}
context: .
file: docker/Dockerfile.alpine
- name: Run Trivy Vulnerability Scanner
if: ${{ inputs.publish-container }}
uses: aquasecurity/[email protected]
env:
# https://github.com/aquasecurity/trivy-action/issues/389
TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db:2'
TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db:1'
with:
image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
format: 'sarif'
output: 'trivy-results.sarif'
ignore-unfixed: true
vuln-type: 'os'
- name: Upload Trivy Scan Results to GitHub Security Tab
if: ${{ inputs.publish-container }}
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'