diff --git a/.github/workflows/build-bunkerized-nginx-autoconf.yml b/.github/workflows/build-bunkerized-nginx-autoconf.yml
index f48be09..25886c8 100644
--- a/.github/workflows/build-bunkerized-nginx-autoconf.yml
+++ b/.github/workflows/build-bunkerized-nginx-autoconf.yml
@@ -12,6 +12,20 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v2
 
+      # temp fix : can't use buildx + load because of manifest error
+      # so we need to build the image the traditional way
+      - name: Temp build to check security issues
+        run: docker build -t bunkerized-nginx-autoconf -f autoconf/Dockerfile .
+
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'bunkerized-nginx-autoconf'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
       - name: Set variables
         run: |
           VER=$(cat VERSION | tr -d '\n')
@@ -45,9 +59,8 @@ jobs:
           context: .
           file: autoconf/Dockerfile
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx-autoconf
+          push: true
+          tags: bunkerity/bunkerized-nginx-autoconf:dev
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
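Review bot: `uses: aquasecurity/trivy-action@master` in the new Trivy step resolves a mutable branch, so the scanner that gates the later push (`exit-code: '1'`) can change behaviour between runs without any change in this repository; pin it to a release tag or, preferably, a full commit SHA with the release noted in a comment, e.g. `uses: aquasecurity/trivy-action@<commit-sha>  # <release>` (placeholders). The same line is added in the matching hunks of build-bunkerized-nginx-ui.yml and build-bunkerized-nginx.yml. Note also that the image scanned here comes from a plain `docker build` on the runner, while the images pushed later are produced by a separate buildx multi-platform build; they share the Dockerfile and context, but the scanned artifact is not the published one, and a comment under the existing `# temp fix` note saying so would stop the next reader from assuming the pushed images themselves were scanned.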
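Review bot: `push: true` turns the dev build step into a publishing step, but the step's `if:` condition and the registry login it relies on lie above the hunk, so it is not visible here whether the push is still restricted to the dev branch the way the removed Push (dev) step was; confirm the step keeps `if: github.ref == 'refs/heads/dev'` (or an equivalent guard) so the `:dev` tag is not overwritten by runs on other branches. The same applies to the corresponding hunks in build-bunkerized-nginx-ui.yml and build-bunkerized-nginx.yml.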
@@ -57,38 +70,6 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
-      - name: Build (master)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/master'
-        with:
-          context: .
-          file: autoconf/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx-autoconf
-          cache-to: type=local,dest=/tmp/.buildx-cache-master
-
-      - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'bunkerized-nginx-autoconf'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
-      - name: Push (dev)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/dev'
-        with:
-          context: .
-          file: autoconf/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          push: true
-          tags: bunkerity/bunkerized-nginx-autoconf:dev
-          cache-from: type=local,src=/tmp/.buildx-cache
-
       - name: Push (master)
         uses: docker/build-push-action@v2
         if: github.ref == 'refs/heads/master'
@@ -98,4 +79,4 @@ jobs:
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
           push: true
           tags: bunkerity/bunkerized-nginx-autoconf:latest,bunkerity/bunkerized-nginx-autoconf:${{ env.VERSION }}
-          cache-from: type=local,src=/tmp/.buildx-cache-master
+
diff --git a/.github/workflows/build-bunkerized-nginx-ui.yml b/.github/workflows/build-bunkerized-nginx-ui.yml
index 9f1add8..ff7b9d1 100644
--- a/.github/workflows/build-bunkerized-nginx-ui.yml
+++ b/.github/workflows/build-bunkerized-nginx-ui.yml
@@ -12,6 +12,20 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v2
 
+      # temp fix : can't use buildx + load because of manifest error
+      # so we need to build the image the traditional way
+      - name: Temp build to check security issues
+        run: docker build -t bunkerized-nginx-ui -f ui/Dockerfile .
+
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'bunkerized-nginx-ui'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
       - name: Set variables
         run: |
           VER=$(cat VERSION | tr -d '\n')
@@ -45,9 +59,8 @@ jobs:
           context: .
           file: ui/Dockerfile
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx-ui
+          push: true
+          tags: bunkerity/bunkerized-nginx-ui:dev
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
@@ -57,38 +70,6 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
-      - name: Build (master)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/master'
-        with:
-          context: .
-          file: ui/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx-ui
-          cache-to: type=local,dest=/tmp/.buildx-cache-master
-
-      - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'bunkerized-nginx-ui'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
-      - name: Push (dev)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/dev'
-        with:
-          context: .
-          file: ui/Dockerfile
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          push: true
-          tags: bunkerity/bunkerized-nginx-ui:dev
-          cache-from: type=local,src=/tmp/.buildx-cache
-
       - name: Push (master)
         uses: docker/build-push-action@v2
         if: github.ref == 'refs/heads/master'
@@ -98,4 +79,3 @@ jobs:
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
           push: true
           tags: bunkerity/bunkerized-nginx-ui:latest,bunkerity/bunkerized-nginx-ui:${{ env.VERSION }}
-          cache-from: type=local,src=/tmp/.buildx-cache-master
diff --git a/.github/workflows/build-bunkerized-nginx.yml b/.github/workflows/build-bunkerized-nginx.yml
index 0eaa407..92b47e6 100644
--- a/.github/workflows/build-bunkerized-nginx.yml
+++ b/.github/workflows/build-bunkerized-nginx.yml
@@ -12,6 +12,23 @@ jobs:
       - name: Checkout source code
         uses: actions/checkout@v2
 
+      # temp fix : can't use buildx + load because of manifest error
+      # so we need to build the image the traditional way
+      - name: Temp build to check security issues
+        run: docker build -t bunkerized-nginx .
+
+      - name: Run Trivy security scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: 'bunkerized-nginx'
+          format: 'table'
+          exit-code: '1'
+          ignore-unfixed: true
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+
+      - name: Run autotest
+        run: docker run bunkerized-nginx test
+
       - name: Set variables
         run: |
           VER=$(cat VERSION | tr -d '\n')
@@ -44,9 +61,8 @@ jobs:
         with:
           context: .
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx
+          push: true
+          tags: bunkerized-nginx:dev
           cache-from: type=local,src=/tmp/.buildx-cache
           cache-to: type=local,dest=/tmp/.buildx-cache-new
 
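Review bot: `tags: bunkerized-nginx:dev` in the build-bunkerized-nginx.yml dev build hunk has no `bunkerity/` namespace, unlike the removed Push (dev) step (`bunkerity/bunkerized-nginx:dev`), the Push (master) tags in the next hunk, and the same hunk in the ui and autoconf workflows; with `push: true` this either fails at push time or publishes to an unintended repository. Change it to `tags: bunkerity/bunkerized-nginx:dev`. The step's `if:` guard is above the hunk, so whether the push is still limited to the dev branch cannot be checked from here.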
@@ -56,39 +72,6 @@ jobs:
           rm -rf /tmp/.buildx-cache
           mv /tmp/.buildx-cache-new /tmp/.buildx-cache
 
-      - name: Build (master)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/master'
-        with:
-          context: .
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          load: true
-          push: false
-          tags: bunkerized-nginx
-          cache-to: type=local,dest=/tmp/.buildx-cache-master
-
-      - name: Run autotest
-        run: docker run bunkerized-nginx test
-
-      - name: Run Trivy security scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: 'bunkerized-nginx'
-          format: 'table'
-          exit-code: '1'
-          ignore-unfixed: true
-          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
-
-      - name: Push (dev)
-        uses: docker/build-push-action@v2
-        if: github.ref == 'refs/heads/dev'
-        with:
-          context: .
-          platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
-          push: true
-          tags: bunkerity/bunkerized-nginx:dev
-          cache-from: type=local,src=/tmp/.buildx-cache
-
       - name: Push (master)
         uses: docker/build-push-action@v2
         if: github.ref == 'refs/heads/master'
@@ -97,4 +80,3 @@ jobs:
           platforms: linux/amd64,linux/386,linux/arm/v7,linux/arm64/v8
           push: true
           tags: bunkerity/bunkerized-nginx:latest,bunkerity/bunkerized-nginx:${{ env.VERSION }}
-          cache-from: type=local,src=/tmp/.buildx-cache-master