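# PR gate for the backend image: Dockerfile lint (hadolint), placeholder
# code-lint / unit-test steps, a local Docker build, a Dockle image scan and
# one summary comment on the pull request. Nothing is pushed to a registry.
name: Lint,Test,Security Checks

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - dev
      - qa
      - pre-prod
      - main

# Least privilege for GITHUB_TOKEN: the job only checks out code and writes
# one PR comment. The image is built with `load: true` and never pushed, so
# no `packages` scope is granted; add `packages: write` only if a push step
# is introduced.
permissions:
  contents: read
  pull-requests: write

jobs:
  static-checks:
    strategy:
      matrix:
        # One entry per service. These values are interpolated into shell
        # and JavaScript below, so they must stay repo-controlled literals.
        include:
          - workdir: ./backend
            name: backend
            dockerfile: ./backend/Dockerfile
            image: ghcr.io/${{ github.repository }}-backend:${{ github.sha }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v3

      # Lint the Dockerfile; `failure-threshold: error` fails the step on
      # error-level findings. With `format: json` and no `output-file`, the
      # findings are expected in the HADOLINT_RESULTS env var that the next
      # step persists.
      # NOTE(review): the action ref below reads as "[email protected]" in this
      # copy; confirm it is the intended hadolint-action tag.
      - name: Lint Dockerfile
        id: hadolint
        uses: hadolint/[email protected]
        with:
          failure-threshold: error
          format: json
          dockerfile: ${{ matrix.dockerfile }}
          # output-file: hadolint_output.json

      # Runs even when the lint step failed so the findings reach the
      # PR comment.
      - name: Save Hadolint output
        id: save_hadolint_output
        if: always()
        run: cd ${{ matrix.workdir }} && echo "$HADOLINT_RESULTS" | jq '.' > hadolint_output.json

      - name: Print Dockerfile lint output
        run: |
          cd ${{ matrix.workdir }}
          echo "-----HADOLINT RESULT-----"
          echo "Outcome: ${{ steps.hadolint.outcome }}"
          echo "-----DETAILS--------"
          cat hadolint_output.json
          echo "--------------------"

      # Placeholder: the real lint command is commented out; the step only
      # writes a marker line so the PR comment has something to show.
      - name: Code lint
        id: code_lint
        run: |
          cd ${{ matrix.workdir }}
          npm i
          set -o pipefail
          # npm run lint 2>&1 | tee code_lint_output.txt
          echo "no lint for now, skip" | tee code_lint_output.txt

      # Placeholder, same pattern as the lint step.
      - name: Unit tests
        id: unit_tests
        run: |
          cd ${{ matrix.workdir }}
          npm i
          set -o pipefail
          # npm run test 2>&1 | tee unit_test_output.txt
          echo "no tests for now, skip" | tee unit_test_output.txt

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      # Image references must be lowercase; github.repository may contain
      # uppercase characters.
      - id: image_lowercase
        uses: ASzc/change-string-case-action@v6
        with:
          string: ${{ matrix.image }}

      # Build into the local Docker daemon only (`load: true`, no `push`).
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: ${{ matrix.workdir }}
          file: ${{ matrix.dockerfile }}
          tags: ${{ steps.image_lowercase.outputs.lowercase }}
          load: true
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache

      # Export the built image to a tarball for the scanner.
      - name: Save Docker image
        run: docker save ${{ steps.image_lowercase.outputs.lowercase }} -o my-image.tar

      # Dockle is fetched as a pinned release tarball but the archive is not
      # checksum-verified. Pin the published SHA256 for this release and
      # check it with `sha256sum -c` before extracting, so a tampered
      # download cannot reach the scan step.
      - name: Scan Docker image with Dockle
        id: dockle
        run: |
          wget https://github.com/goodwithtech/dockle/releases/download/v0.2.4/dockle_0.2.4_Linux-64bit.tar.gz
          tar zxvf dockle_0.2.4_Linux-64bit.tar.gz
          sudo mv dockle /usr/local/bin
          # Replace the runner's Docker client config with an empty one
          # before scanning (presumably so Dockle does not read registry
          # credentials or a credential helper from it — confirm).
          echo '{}' > ~/.docker/config.json
          dockle --exit-level fatal --format json --output ${{ matrix.workdir }}/dockle_scan_output.json --input ./my-image.tar
          # Reached only if dockle exited 0. The PR comment step reads
          # steps.dockle.outcome rather than this output; quoted so an
          # unset/odd GITHUB_OUTPUT path cannot be word-split.
          echo "outcome=success" >> "$GITHUB_OUTPUT"
      # - name: Scan Docker image with Dockle
      #   id: dockle
      #   uses: goodwithtech/dockle-action@main
      #   with:
      #     input: ${{ steps.image_lowercase.outputs.lowercase }}
      #     format: 'json'
      #     exit-level: 'fatal'
      #     ignore: 'CIS-DI-0010'
      #     output: ${{ matrix.workdir }}/dockle_scan_output.json

      # Summarise results as one PR comment. Only the first non-successful
      # stage, in pipeline order, is reported (a skipped step counts as
      # non-successful). Each stage's output file is read from the
      # workspace; a missing file is shown as 'No output'.
      - name: Create PR comment
        if: always()
        uses: actions/github-script@v6
        env:
          HADOLINT_RESULT: ${{ steps.hadolint.outcome }}
          CODE_LINT_RESULT: ${{ steps.code_lint.outcome }}
          UNIT_TEST_RESULT: ${{ steps.unit_tests.outcome }}
          DOCKLE_RESULT: ${{ steps.dockle.outcome }}
        with:
          script: |
            const fs = require('fs');
            // matrix.workdir is a literal from this file, not PR input.
            const hadolintResult = fs.existsSync('${{ matrix.workdir }}/hadolint_output.json') ? fs.readFileSync('${{ matrix.workdir }}/hadolint_output.json', 'utf8') : 'No output';
            const codeLintResult = fs.existsSync('${{ matrix.workdir }}/code_lint_output.txt') ? fs.readFileSync('${{ matrix.workdir }}/code_lint_output.txt', 'utf8') : 'No output';
            const unitTestResult = fs.existsSync('${{ matrix.workdir }}/unit_test_output.txt') ? fs.readFileSync('${{ matrix.workdir }}/unit_test_output.txt', 'utf8') : 'No output';
            const dockleScanResult = fs.existsSync('${{ matrix.workdir }}/dockle_scan_output.json') ? fs.readFileSync('${{ matrix.workdir }}/dockle_scan_output.json', 'utf8') : 'No output';
            let commentBody = '';
            if (process.env.HADOLINT_RESULT !== 'success') {
              commentBody = `
              :x: Dockerfile Lint (Hadolint) failed
              \`\`\`json
              ${hadolintResult}
              \`\`\`
              `;
            } else if (process.env.CODE_LINT_RESULT !== 'success') {
              commentBody = `
              :x: Code Lint failed
              \`\`\`
              ${codeLintResult}
              \`\`\`
              `;
            } else if (process.env.UNIT_TEST_RESULT !== 'success') {
              commentBody = `
              :x: Unit Tests failed
              \`\`\`
              ${unitTestResult}
              \`\`\`
              `;
            } else if (process.env.DOCKLE_RESULT !== 'success') {
              commentBody = `
              :x: Docker Image Scan (Dockle) failed
              \`\`\`json
              ${dockleScanResult}
              \`\`\`
              `;
            } else {
              commentBody = ':white_check_mark: All checks succeeded';
            }
            const { owner, repo } = context.repo;
            const issue_number = context.issue.number;
            await github.rest.issues.createComment({
              owner,
              repo,
              issue_number,
              body: commentBody
            });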