-
Notifications
You must be signed in to change notification settings - Fork 472
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add pipeline for build goss docker image #909
Merged
Merged
Changes from 3 commits
Commits
Show all changes
4 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,98 @@ | ||
name: Docker image for Goss | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
tags: | ||
- "v*" | ||
workflow_dispatch: | ||
|
||
env: | ||
PLATFORMS: "linux/amd64,linux/arm64" | ||
|
||
jobs: | ||
goss: | ||
name: Build and push Docker image | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
contents: read | ||
security-events: write # To upload Trivy sarif files | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v4 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
|
||
- name: Login to GHCR | ||
uses: docker/login-action@v3 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
password: ${{ secrets.GITHUB_TOKEN }} | ||
|
||
- name: Extract metadata (tags, labels) for Docker | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
with: | ||
images: | | ||
ghcr.io/${{ github.repository_owner }}/goss | ||
|
||
- name: Get latest git tag | ||
uses: actions-ecosystem/action-get-latest-tag@v1 | ||
id: get-latest-tag | ||
|
||
- name: Set short git commit SHA | ||
run: | | ||
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | ||
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | ||
|
||
- name: Get the current version of Go from project. | ||
run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV | ||
|
||
- name: Build master goss image | ||
if: github.ref_name == 'master' | ||
uses: docker/build-push-action@v5 | ||
with: | ||
build-args: | | ||
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} | ||
GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }} | ||
context: . | ||
push: true | ||
tags: | | ||
ghcr.io/${{ github.repository_owner }}/goss:master | ||
labels: ${{ steps.meta.outputs.labels }} | ||
platforms: ${{ env.PLATFORMS }} | ||
|
||
- name: Build release goss image | ||
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') | ||
uses: docker/build-push-action@v5 | ||
with: | ||
build-args: | | ||
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} | ||
GOSS_VERSION=${{ github.ref_name }} | ||
context: . | ||
push: true | ||
tags: | | ||
ghcr.io/${{ github.repository_owner }}/goss:latest | ||
ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
platforms: ${{ env.PLATFORMS }} | ||
|
||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/trivy-action@master | ||
with: | ||
image-ref: ghcr.io/${{ github.repository_owner }}/goss:master | ||
format: "sarif" | ||
output: "trivy-results.sarif" | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: "trivy-results.sarif" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
ARG GO_VERSION=1.21 | ||
|
||
FROM docker.io/golang:${GO_VERSION}-alpine AS base | ||
|
||
ARG GOSS_VERSION=v0.0.0 | ||
WORKDIR /build | ||
|
||
RUN --mount=target=. \ | ||
CGO_ENABLED=0 go build \ | ||
-ldflags "-X github.com/goss-org/goss/util.Version=${GOSS_VERSION} -s -w" \ | ||
-o "/release/goss" \ | ||
./cmd/goss | ||
|
||
FROM alpine:3.19 | ||
|
||
COPY --from=base /release/* /usr/bin/ | ||
|
||
RUN mkdir /goss | ||
VOLUME /goss |
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this some thing that typically runs before or after the container is pushed to the repository?
Also, when doing a goss release, this will run against the master branch, but not the released version?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is a small add on and runs whenever (after) an image (
goss:master
) is pushed into the repo. It scans the imagegoss:master
and not the repository. This is the same image as the tagged image at the time of creating a tag. The step should not trigger a failing, but serves to keep an overview of the image. It scans not only the goss binary, but the whole image including the operating system (base image).This gives you an overview of the status of the CVEs at the time the image was published. In my opinion, this cannot replace a regular scan of your own code.