docker-prod-test/.github/workflows/ci.yaml at main · codeedu/docker-prod-test · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
name: CI

on:
  push:
    branches: ["main"]
    # Publish semver tags as releases.
    tags: ["v*.*.*"]
  pull_request:
    branches: ["main"]

env:
  REGISTRY: docker.io
  DOCKER_USERNAME: argentinaluiz
  IMAGE_NAME: argentinaluiz/docker-prod-test
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
  CLOUD_BUILDER_NAME: test-ci
jobs:
  ci:
    runs-on: ubuntu-latest
    permissions:
      contents: read # Ler o conteúdo do repositório
      packages: write # Permitir publicar pacotes no GitHub Packages
      pull-requests: write # Permitir criar e atualizar pull requests
      security-events: write # Enviar eventos de segurança para o Github Security
      id-token: write # Permitir emitir tokens OIDC para autenticação com provedores externos

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: cloud
          endpoint: "${{ env.DOCKER_USERNAME }}/${{ env.CLOUD_BUILDER_NAME }}"

      - name: Build for CI
        id: build-ci
        uses: docker/build-push-action@v5.0.0
        with:
          context: ./src/ci/nestjs-project
          file: ./src/ci/nestjs-project/Dockerfile.prod
          push: false
          load: true # driver docker-container
          target: ci
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci
          secrets: |
            github_token=${{ secrets.MY_GITHUB_TOKEN }}

      - name: Up containers
        run: docker compose -f ./src/ci/nestjs-project/compose.ci.yaml up -d --wait-timeout 10

      - name: Run tests
        run: echo "Running tests..."

      - name: Build for analysis
        id: build-for-analysis
        uses: docker/build-push-action@v5.0.0
        with:
          context: ./src/ci/nestjs-project
          file: ./src/ci/nestjs-project/Dockerfile.prod
          push: false
          load: true
          tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
          secrets: |
            github_token=${{ secrets.MY_GITHUB_TOKEN }}

      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
          only-severities: critical,high
          only-fixed: true
          summary: true # publicar github actions e pull request
          exit-code: true

      - name: Analyze for all CVEs
        id: docker-scout-all-cves
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
          summary: true
          sarif-file: sarif.output.json

      - name: Upload SARIF result
        id: upload-sarif
        if: ${{ github.event_name != 'pull_request' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif.output.json

      - name: Extract Docker metadata
        id: meta
        if: github.event_name != 'pull_request'
        uses: docker/metadata-action@v5.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Build final
        id: build-final
        if: github.event_name != 'pull_request'
        uses: docker/build-push-action@v5.0.0
        with:
          context: ./src/ci/nestjs-project
          file: ./src/ci/nestjs-project/Dockerfile.prod
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          provenance: mode=max
          sbom: true
          secrets: |
            github_token=${{ secrets.MY_GITHUB_TOKEN }}

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: "v2.2.4"

      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ steps.build-final.outputs.digest }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}