2026-04-15 16:49:55 +02:00
|
|
|
name: Build images
|
2026-04-15 08:56:25 +02:00
|
|
|
|
|
|
|
|
on:
|
|
|
|
|
push:
|
|
|
|
|
branches:
|
|
|
|
|
- main
|
|
|
|
|
|
2026-04-15 16:49:55 +02:00
|
|
|
env:
|
|
|
|
|
# Set this to the public IP or hostname of your registry,
|
|
|
|
|
# whichever you use to reach it from your desktop/laptop
|
|
|
|
|
FORGEJO_HOST: code.zeidler.dev
|
|
|
|
|
HELM_EXPERIMENTAL_OCI: 1
|
2026-04-20 16:00:37 +02:00
|
|
|
TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.70.0
|
2026-04-20 22:45:48 +02:00
|
|
|
GRYPE_IMAGE: registry.zeidler.dev/docker-hub/anchore/grype:v0.88.0
|
2026-04-16 12:03:17 +02:00
|
|
|
|
2026-04-15 08:56:25 +02:00
|
|
|
jobs:
|
2026-04-15 16:49:55 +02:00
|
|
|
check-docker:
|
|
|
|
|
runs-on: docker-cli
|
|
|
|
|
services:
|
|
|
|
|
docker:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
|
|
|
|
options: --privileged
|
|
|
|
|
container:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
|
|
|
|
steps:
|
|
|
|
|
- name: Wait for Docker daemon
|
|
|
|
|
run: |
|
|
|
|
|
timeout=300 # Set a timeout value in seconds
|
|
|
|
|
until docker info; do
|
|
|
|
|
echo "Waiting for Docker daemon to start..."
|
|
|
|
|
sleep 5
|
|
|
|
|
timeout=$((timeout-5))
|
|
|
|
|
if [ $timeout -le 0 ]; then
|
|
|
|
|
echo "Timeout waiting for Docker daemon to start."
|
|
|
|
|
exit 1
|
|
|
|
|
fi
|
|
|
|
|
done
|
2026-04-15 08:56:25 +02:00
|
|
|
|
2026-04-16 11:53:16 +02:00
|
|
|
scan:
|
|
|
|
|
needs: check-docker
|
|
|
|
|
runs-on: docker-cli
|
|
|
|
|
services:
|
|
|
|
|
docker:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
|
|
|
|
options: --privileged
|
|
|
|
|
container:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
|
|
|
|
steps:
|
|
|
|
|
- name: Checkout the repo
|
|
|
|
|
uses: actions/checkout@v4
|
2026-04-16 11:59:24 +02:00
|
|
|
|
2026-04-16 11:53:16 +02:00
|
|
|
- name: Build proxy image for scanning
|
|
|
|
|
run: docker build -t scan/proxy:latest ./proxy
|
2026-04-16 11:59:24 +02:00
|
|
|
|
|
|
|
|
- name: Generate proxy SBOM
|
2026-04-16 12:03:17 +02:00
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
-v "$PWD":/output \
|
|
|
|
|
${{ env.TRIVY_IMAGE }} \
|
|
|
|
|
image --exit-code 0 --vuln-type os,library \
|
|
|
|
|
--format cyclonedx --output /output/sbom-proxy.cdx.json \
|
|
|
|
|
scan/proxy:latest
|
2026-04-16 11:59:24 +02:00
|
|
|
|
2026-04-20 22:45:48 +02:00
|
|
|
- name: Scan proxy image (Trivy)
|
2026-04-16 12:03:17 +02:00
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
${{ env.TRIVY_IMAGE }} \
|
|
|
|
|
image --exit-code 1 --severity HIGH,CRITICAL \
|
|
|
|
|
--ignore-unfixed --vuln-type os,library \
|
|
|
|
|
--format table \
|
|
|
|
|
scan/proxy:latest
|
2026-04-16 11:59:24 +02:00
|
|
|
|
2026-04-20 22:45:48 +02:00
|
|
|
- name: Scan proxy image (Grype)
|
|
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
${{ env.GRYPE_IMAGE }} \
|
|
|
|
|
docker:scan/proxy:latest \
|
|
|
|
|
--fail-on high \
|
|
|
|
|
--only-fixed
|
|
|
|
|
|
2026-04-16 11:53:16 +02:00
|
|
|
- name: Build claude image for scanning
|
|
|
|
|
run: docker build -t scan/claude:latest ./claude
|
2026-04-16 11:59:24 +02:00
|
|
|
|
|
|
|
|
- name: Generate claude SBOM
|
2026-04-16 12:03:17 +02:00
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
-v "$PWD":/output \
|
|
|
|
|
${{ env.TRIVY_IMAGE }} \
|
|
|
|
|
image --exit-code 0 --vuln-type os,library \
|
|
|
|
|
--format cyclonedx --output /output/sbom-claude.cdx.json \
|
|
|
|
|
scan/claude:latest
|
2026-04-16 11:59:24 +02:00
|
|
|
|
2026-04-20 22:45:48 +02:00
|
|
|
- name: Scan claude image (Trivy)
|
2026-04-16 12:03:17 +02:00
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
${{ env.TRIVY_IMAGE }} \
|
|
|
|
|
image --exit-code 1 --severity HIGH,CRITICAL \
|
|
|
|
|
--ignore-unfixed --vuln-type os,library \
|
|
|
|
|
--format table \
|
|
|
|
|
scan/claude:latest
|
2026-04-16 11:53:16 +02:00
|
|
|
|
2026-04-20 22:45:48 +02:00
|
|
|
- name: Scan claude image (Grype)
|
|
|
|
|
run: |
|
|
|
|
|
docker run --rm \
|
|
|
|
|
-v /var/run/docker.sock:/var/run/docker.sock \
|
|
|
|
|
${{ env.GRYPE_IMAGE }} \
|
|
|
|
|
docker:scan/claude:latest \
|
|
|
|
|
--fail-on high \
|
|
|
|
|
--only-fixed
|
|
|
|
|
|
2026-04-16 11:59:24 +02:00
|
|
|
- name: Upload SBOMs
|
|
|
|
|
if: always()
|
|
|
|
|
uses: actions/upload-artifact@v4
|
|
|
|
|
with:
|
|
|
|
|
name: sboms-${{ env.GITHUB_RUN_NUMBER }}
|
|
|
|
|
path: |
|
|
|
|
|
sbom-proxy.cdx.json
|
|
|
|
|
sbom-claude.cdx.json
|
|
|
|
|
retention-days: 90
|
|
|
|
|
|
2026-04-15 16:49:55 +02:00
|
|
|
build-and-push:
|
2026-04-16 11:53:16 +02:00
|
|
|
needs: scan
|
2026-04-15 16:49:55 +02:00
|
|
|
runs-on: docker-cli
|
|
|
|
|
services:
|
|
|
|
|
docker:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
|
|
|
|
options: --privileged
|
|
|
|
|
environment: deploy
|
|
|
|
|
container:
|
|
|
|
|
image: registry.zeidler.dev/docker-hub/catthehacker/ubuntu:act-latest
|
2026-04-15 08:56:25 +02:00
|
|
|
steps:
|
2026-04-15 16:49:55 +02:00
|
|
|
- name: Checkout the repo
|
2026-04-15 08:56:25 +02:00
|
|
|
uses: actions/checkout@v4
|
2026-04-15 16:49:55 +02:00
|
|
|
- name: Login to the registry
|
2026-04-15 08:56:25 +02:00
|
|
|
uses: docker/login-action@v3
|
|
|
|
|
with:
|
|
|
|
|
registry: ${{ vars.REGISTRY_URL }}
|
|
|
|
|
username: ${{ vars.REGISTRY_USER }}
|
|
|
|
|
password: ${{ secrets.REGISTRY_PASSWORD }}
|
2026-04-15 16:49:55 +02:00
|
|
|
- name: Set up Docker Buildx
|
|
|
|
|
uses: docker/setup-buildx-action@v3
|
|
|
|
|
with:
|
|
|
|
|
driver: docker-container
|
2026-04-15 16:52:40 +02:00
|
|
|
- name: Docker publish proxy
|
2026-04-15 16:49:55 +02:00
|
|
|
uses: docker/build-push-action@v6
|
2026-04-15 08:56:25 +02:00
|
|
|
with:
|
2026-04-15 16:52:40 +02:00
|
|
|
context: proxy
|
2026-04-15 08:56:25 +02:00
|
|
|
push: true
|
2026-04-16 11:59:24 +02:00
|
|
|
sbom: true
|
|
|
|
|
provenance: true
|
2026-04-15 16:49:55 +02:00
|
|
|
platforms: linux/amd64, linux/arm64
|
2026-04-15 17:06:53 +02:00
|
|
|
tags: |
|
2026-04-15 21:39:10 +02:00
|
|
|
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:0.1.${{ env.GITHUB_RUN_NUMBER }}
|
|
|
|
|
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-proxy:latest
|
2026-04-15 16:52:40 +02:00
|
|
|
- name: Docker publish claude
|
|
|
|
|
uses: docker/build-push-action@v6
|
|
|
|
|
with:
|
|
|
|
|
context: claude
|
|
|
|
|
push: true
|
2026-04-16 11:59:24 +02:00
|
|
|
sbom: true
|
|
|
|
|
provenance: true
|
2026-04-15 16:52:40 +02:00
|
|
|
platforms: linux/amd64, linux/arm64
|
2026-04-15 17:06:53 +02:00
|
|
|
tags: |
|
2026-04-15 21:39:10 +02:00
|
|
|
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:0.1.${{ env.GITHUB_RUN_NUMBER }}
|
|
|
|
|
${{ vars.REGISTRY_URL }}/docker-public/${{ env.GITHUB_REPOSITORY }}-claude:latest
|
