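# CI for the REST proxy container image.
#
# Pipeline shape:
#   build ──> image-scan        (Trivy + Snyk, results to the Security tab)
#   build ──> build-all-arch ──> publish   (multi-arch push to ghcr.io, main only)
#
# Note that `publish` rebuilds the image instead of promoting the artifact that
# `image-scan` inspected, and it does not depend on `image-scan`; scan findings
# are therefore informational and never block a release. Tighten `exit-code`
# and the `needs:` list below if that gate is wanted.
name: Rest proxy

on:
  push:
    branches:
      - 'main'
    paths:
      - '.github/workflows/rest-proxy.yml'
      - 'proxies/rest/**'
  pull_request:
    paths:
      - '.github/workflows/rest-proxy.yml'
      - 'proxies/rest/**'
  schedule:
    # Daily rescan so CVEs published after the last push still surface.
    - cron: '0 0 * * *'

# Least privilege for GITHUB_TOKEN: read-only everywhere unless a job asks for
# more. `image-scan` adds security-events:write (needed by upload-sarif) and
# `publish` adds packages:write (needed to push to ghcr.io).
permissions:
  contents: read

jobs:
  build:
    name: Build docker image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      # Single-arch build exported as a tarball so the scan job can load the
      # exact bytes that were built here. Nothing is pushed from this job.
      - name: Build and push
        uses: docker/build-push-action@v4
        with:
          push: false
          tags: discordeno/rest-proxy:latest
          context: proxies/rest
          target: runner
          outputs: type=docker,dest=/tmp/rest-proxy-image.tar
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix: buildx cannot write back into the directory it read from, so
      # the cache is exported to a sibling path and swapped in afterwards.
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: rest-proxy-image
          path: /tmp/rest-proxy-image.tar

  image-scan:
    name: Image scan
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      # Required by github/codeql-action/upload-sarif.
      security-events: write
    steps:
      - uses: actions/checkout@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: rest-proxy-image
          path: /tmp

      - name: Load Docker image
        run: docker load --input /tmp/rest-proxy-image.tar

      # NOTE(review): `aquasecurity/trivy-action@master` is a mutable ref, so
      # every run executes whatever upstream's branch currently points at.
      # Pin to a release tag or full commit SHA before treating this scan as a
      # release gate.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'discordeno/rest-proxy:latest'
          format: 'table'
          # exit-code 0 makes the scan informational: findings are printed in
          # the job log but never fail the check (runs on pull requests too).
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'

      # SARIF run and upload only on push/schedule: pull_request runs (in
      # particular from forks) should not write to the repository's Security
      # tab, and this pass deliberately keeps unfixed findings.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          image-ref: 'discordeno/rest-proxy:latest'
          exit-code: '0'
          vuln-type: 'os,library'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        with:
          sarif_file: 'trivy-results.sarif'

      # Gated to push/schedule so SNYK_TOKEN is only handed to runs on
      # repository-owned refs. continue-on-error keeps a Snyk outage from
      # failing the job. NOTE(review): `snyk/actions/docker@master` is a
      # mutable ref as well; pin it for the same reason as Trivy above.
      - name: Run Snyk to check Docker image for vulnerabilities
        if: ${{ github.event_name == 'schedule' || github.event_name == 'push' }}
        continue-on-error: true
        uses: snyk/actions/docker@master
        env:
          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
        with:
          image: 'discordeno/rest-proxy:latest'
          args: --file=proxies/rest/Dockerfile

      # Skip the upload when Snyk produced no report (it is continue-on-error
      # above), instead of failing the job on a missing file.
      - name: Upload result to GitHub Code Scanning
        if: ${{ (github.event_name == 'schedule' || github.event_name == 'push') && hashFiles('snyk.sarif') != '' }}
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: snyk.sarif

  build-all-arch:
    name: Build image for all architectures
    needs: build
    # The nightly run only exists to rescan; no need to rebuild every platform.
    if: ${{ github.event_name != 'schedule' }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      - name: Cache Docker layers
        uses: actions/cache@v3
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-single-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-single-buildx

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build Docker image
        uses: docker/build-push-action@v4
        with:
          context: proxies/rest
          push: false
          tags: 'discordeno/rest-proxy:latest'
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new,mode=max

      # Temp fix (see the `build` job for why).
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      - name: Move cache
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache

  publish:
    name: Publish image
    needs: build-all-arch
    # Only direct pushes to main publish; pull_request events never reach here.
    if: ${{ github.ref == 'refs/heads/main' && github.event_name == 'push' }}
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3

      # GITHUB_TOKEN is scoped to this job's packages:write grant; no
      # long-lived registry credential is stored in the repository.
      - name: Log in to the Container registry
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2

      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: proxies/rest
          push: true
          # `latest` is a floating tag; the per-commit tag is immutable so a
          # deployed image can be traced to its source revision and rolled
          # back without guessing which `latest` a host pulled.
          tags: |
            ghcr.io/discordeno/rest-proxy:latest
            ghcr.io/discordeno/rest-proxy:${{ github.sha }}
          # linux/s390x stuck at yarn install, remove it for now
          platforms: linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64/v8,linux/ppc64le
          target: runner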