dev-toolchain/.github/workflows/ci.yml at main · devrail-dev/dev-toolchain · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
name: CI Validation

on:
  push:
    branches: [main]
  pull_request:
    branches: [main]

permissions:
  contents: read
  security-events: write

env:
  IMAGE_NAME: ghcr.io/devrail-dev/dev-toolchain
  IMAGE_TAG: local

jobs:
  build-and-validate:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      # Phase 1: Build the image
      - name: Build container image
        run: docker build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} .

      # Phase 2: Self-validate with make check
      - name: Run make check (shellcheck + shfmt)
        run: |
          docker run --rm \
            -v "$(pwd):/workspace" \
            -w /workspace \
            ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
            make _check

      # Phase 2b: Validate tool version manifest
      - name: Validate tool version manifest
        run: |
          docker run --rm \
            ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
            bash /opt/devrail/scripts/report-tool-versions.sh \
            | jq .

      # Phase 3: Security scans
      # Blocking scan: OS packages only. We control the base image and can act on
      # these. ignore-unfixed skips CVEs with no Debian patch available yet.
      - name: Run trivy OS package scan (blocking)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          severity: CRITICAL,HIGH
          ignore-unfixed: 'true'
          vuln-type: os
          exit-code: 1
          format: table

      # Advisory scan: full image (OS + Go binaries + Python packages). Results
      # are uploaded to the GitHub Security tab for visibility. Not blocking
      # because Go binary CVEs depend on upstream tool releases we don't control.
      - name: Run trivy full scan (SARIF, advisory)
        uses: aquasecurity/trivy-action@0.28.0
        if: always()
        with:
          image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }}
          severity: CRITICAL,HIGH
          ignore-unfixed: 'true'
          exit-code: 0
          format: sarif
          output: trivy-results.sarif

      - name: Upload SARIF results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v3
        if: always()
        with:
          sarif_file: trivy-results.sarif

      - name: Run gitleaks scan
        run: |
          docker run --rm \
            -v "$(pwd):/workspace" \
            -w /workspace \
            ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \
            gitleaks detect --source /workspace --verbose

  # Image signing placeholder — actual signing should be added to build.yml
  # when images are published to GHCR. CI builds are local-only and not pushed,
  # so signing here has no effect. This job serves as documentation of the
  # intended cosign verification workflow.
  sign-image:
    needs: [build-and-validate]
    if: github.event_name == 'push' && github.ref == 'refs/heads/main'
    runs-on: ubuntu-latest
    steps:
      - name: Note on image signing
        run: |
          echo "Image signing is performed during the build workflow (build.yml)"
          echo "when images are published to GHCR. CI only builds locally."
          echo ""
          echo "Consumers can verify published images with:"
          echo "  cosign verify \\"
          echo "    --certificate-oidc-issuer https://token.actions.githubusercontent.com \\"
          echo "    --certificate-identity-regexp 'github.com/devrail-dev/dev-toolchain' \\"
          echo "    ghcr.io/devrail-dev/dev-toolchain:v1"