diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 24a3251..fb0254b 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -13,6 +13,7 @@ concurrency: permissions: contents: write packages: write + security-events: write env: REGISTRY: ghcr.io @@ -151,17 +152,43 @@ jobs: type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Build and push Docker image + - name: Build Docker image uses: docker/build-push-action@v6 with: context: . - push: ${{ github.event_name == 'push' }} + load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} target: prod cache-from: type=gha cache-to: type=gha,mode=max + - name: Scan frontend image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + with: + image: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + output-format: sarif + + - name: Upload frontend scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: . + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + target: prod + cache-from: type=gha + - name: Create git tag if: github.event_name == 'push' && github.ref == 'refs/heads/main' run: | 
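Review bot: `security-events: write` is added to the workflow-level `permissions` block, so it is granted to every job in the workflow, including `deploy-dev` visible at the end of the last hunk, not only the four jobs that upload SARIF. Unless those jobs already override `permissions` (not visible here), the narrower form is to drop the key from this block and declare `security-events: write` on each of the four build jobs. If the workflow also runs on `pull_request` from forks, the token is read-only there regardless of this block, so the upload-sarif steps would fail on such runs.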
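Review bot: The image that gets pushed is not the image that was scanned: the new `Push Docker image` step runs docker/build-push-action a second time with `push: true`, so what reaches the registry is a fresh build that only matches the `load: true` build if the GHA cache hits on every layer. Pushing the tags already loaded into the daemon after the scan passes closes that gap, assuming the registry login step earlier in the job (outside the hunk) remains; the same pattern repeats in the auth, receiptwitness and api hunks below. Separately, the scan targets `${{ env.IMAGE_NAME }}:sha-${{ github.sha }}`, a full-SHA tag that is only present locally if the metadata step above the hunk emits `type=sha,format=long`; if it does not, grype falls back to a registry lookup, which on a pull request finds nothing. The upload step's `if: always()` also runs when the build itself failed and `steps.scan.outputs.sarif` is empty, so `if: always() && steps.scan.outputs.sarif != ''` is the safer guard. The `Create git tag` step continues past the hunk.
```yaml
      - name: Push Docker image
        if: github.event_name == 'push'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
        run: |
          # Push exactly the tags built with load: true and scanned above,
          # so the published artifact is the one that passed the scan.
          printf '%s\n' "$TAGS" | xargs -r -n1 docker push
```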
@@ -221,14 +248,42 @@ jobs: type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Build and push auth Docker image + - name: Build Docker image uses: docker/build-push-action@v6 with: context: ./auth file: ./auth/Dockerfile - push: ${{ github.event_name == 'push' }} + load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Scan auth image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + with: + image: "${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + output-format: sarif + + - name: Upload auth scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: ./auth + file: ./auth/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha build-and-push-receiptwitness: runs-on: runners-cartsnitch 
@@ -278,14 +333,42 @@ jobs: type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Build and push receiptwitness image + - name: Build Docker image uses: docker/build-push-action@v6 with: context: . file: ./receiptwitness/Dockerfile - push: ${{ github.event_name == 'push' }} + load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Scan receiptwitness image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + with: + image: "${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + output-format: sarif + + - name: Upload receiptwitness scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: . + file: ./receiptwitness/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha build-and-push-api: runs-on: runners-cartsnitch 
@@ -335,14 +418,42 @@ jobs: type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }} type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }} - - name: Build and push API Docker image + - name: Build Docker image uses: docker/build-push-action@v6 with: context: ./api file: ./api/Dockerfile - push: ${{ github.event_name == 'push' }} + load: true tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha + cache-to: type=gha,mode=max + + - name: Scan api image for vulnerabilities + uses: anchore/scan-action@v5 + id: scan + with: + image: "${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}" + fail-build: true + severity-cutoff: high + output-format: sarif + + - name: Upload api scan results to GitHub Security + uses: github/codeql-action/upload-sarif@v3 + if: always() + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + + - name: Push Docker image + if: github.event_name == 'push' + uses: docker/build-push-action@v6 + with: + context: ./api + file: ./api/Dockerfile + push: true + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + cache-from: type=gha deploy-dev: runs-on: runners-cartsnitch