validate.yaml
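---
# Reusable validation workflow (invoked through workflow_call): lints the
# Containerfile, builds the image described by manifest.yaml, then scans the
# result with dive (filesystem efficiency) and Trivy (vulnerabilities).
#
# Supply chain: third-party actions are pinned by tag only. Pinning each one
# to a full commit SHA with the tag in a trailing comment, e.g.
# `uses: actions/checkout@<commit-sha>  # v4` (placeholder, look up the SHA),
# protects against a moved or compromised tag.
name: Validate
on:  # yamllint disable-line rule:truthy
  workflow_call:
permissions:
  contents: read
jobs:
  hadolint:
    name: Lint Containerfile
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step in this job uses git credentials.
          persist-credentials: false
      - uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: Containerfile
  build-and-scan:
    name: Build and scan
    needs: hadolint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # The build context below is the whole checkout ("."), so do not
          # leave the GITHUB_TOKEN in .git/config where a COPY in the
          # Containerfile or install_tools.sh could pick it up. No later step
          # needs git authentication.
          persist-credentials: false
      - name: Install build tools
        run: ./scripts/install_tools.sh
      - name: Read manifest
        id: manifest
        run: |
          image_name="$(yq e '.name' manifest.yaml)"
          image_format="$(yq e '.build.format' manifest.yaml)"
          # yq prints "null" for a missing key; fail here with a clear message
          # instead of later with an unusable "--tag :test".
          for field in image_name image_format; do
            if [[ -z "${!field}" || "${!field}" == "null" ]]; then
              echo "manifest.yaml: missing required value for ${field}" >&2
              exit 1
            fi
          done
          echo "image_name=${image_name}" >> "$GITHUB_OUTPUT"
          echo "format=${image_format}" >> "$GITHUB_OUTPUT"
      - name: Build image
        env:
          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
          IMAGE_FORMAT: ${{ steps.manifest.outputs.format }}
        run: |
          # Build args from manifest (.build.args, one KEY=VALUE per entry).
          # Skip blank entries, as the labels loop below already does;
          # otherwise a blank line becomes a bogus `--build-arg ""`.
          BUILD_ARGS=()
          while IFS= read -r arg; do
            if [[ -n "${arg}" ]]; then
              BUILD_ARGS+=(--build-arg "${arg}")
            fi
          done < <(yq e '.build.args[]' manifest.yaml)
          # Labels from manifest. One surrounding pair of double quotes is
          # stripped from the value, presumably because yq preserves the
          # manifest's quoting style — confirm against manifest.yaml.
          LABELS=()
          while IFS= read -r label; do
            if [[ -n "${label}" ]]; then
              label_key="${label%%=*}"
              label_value="${label#*=}"
              label_value="${label_value%\"}"
              label_value="${label_value#\"}"
              LABELS+=(--label "${label_key}=${label_value}")
            fi
          done < <(yq e '.build.labels[]' manifest.yaml)
          buildah build \
            --squash \
            --pull-always \
            --format "${IMAGE_FORMAT}" \
            "${BUILD_ARGS[@]}" \
            "${LABELS[@]}" \
            --tag "${IMAGE_NAME}:test" \
            .
          # Save to an OCI archive for scanning
          mkdir -p build
          buildah push "${IMAGE_NAME}:test" "oci-archive:build/${IMAGE_NAME}.tar"
          # Load into the Docker daemon for the dive scan
          skopeo copy "oci-archive:build/${IMAGE_NAME}.tar" "docker-daemon:${IMAGE_NAME}:test"
      - name: Dive filesystem scan
        env:
          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
        run: dive --ci --source=docker "${IMAGE_NAME}:test"
      - name: Cache Trivy vulnerability DB
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy
          # The run_id suffix never matches an existing entry, so each run
          # restores the newest prefix match and saves a refreshed DB.
          key: trivy-db-${{ runner.os }}-${{ github.run_id }}
          restore-keys: |
            trivy-db-${{ runner.os }}-
      - name: Trivy vulnerability scan
        env:
          IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
        run: |
          # NOTE(review): --pkg-types library reports language-package CVEs
          # only; OS package CVEs are not reported. Add `os` if that is not
          # intended. --ignore-unfixed also hides findings with no fix yet.
          # The --skip-dirs/--skip-files paths are excluded from the scan of
          # the image filesystem; keep that list as small as possible.
          trivy image \
            --scanners vuln \
            --ignore-unfixed \
            --pkg-types library \
            --skip-dirs /home/runner/externals \
            --skip-dirs /usr/local/lib/docker \
            --skip-files /usr/bin/dockerd \
            --ignorefile .trivyignore \
            --severity HIGH,CRITICAL \
            --exit-code 1 \
            "${IMAGE_NAME}:test"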