diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 24a3251..010bc0f 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,7 @@ concurrency:
 permissions:
   contents: write
   packages: write
+  security-events: write
 
 env:
   REGISTRY: ghcr.io
@@ -151,17 +152,42 @@ jobs:
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
-      - name: Build and push Docker image
+      - name: Build Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
-          push: ${{ github.event_name == 'push' }}
+          load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           target: prod
           cache-from: type=gha
           cache-to: type=gha,mode=max
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-frontend.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-frontend.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
       - name: Create git tag
         if: github.event_name == 'push' && github.ref == 'refs/heads/main'
         run: |
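Review bot: `security-events: write` is added to the workflow-level `permissions:` block, so every job in the file — including `deploy-dev`, which never uploads SARIF — receives it alongside `contents: write` and `packages: write`. Only the jobs that run `upload-sarif` need this grant; move it to a job-level `permissions:` block on the four build jobs and keep the top-level block at the minimum the remaining jobs require. The pre-existing `contents: write` / `packages: write` at workflow scope deserve the same treatment but predate this change.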
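Review bot: The image that gets pushed is not the image that was scanned: the `Push Docker image` step runs `docker/build-push-action` a second time instead of pushing the `load: true` image Trivy examined, and it also omits `target: prod`, so with a multi-stage Dockerfile the registry receives the final stage rather than the `prod` stage that passed the gate. A GHA cache hit usually makes the second build close to identical, but nothing guarantees it (a moved base tag or a cache miss rebuilds from scratch), which reopens the gap the scan-before-push ordering was meant to close. Push the already-loaded tags instead, replacing the second build with `run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}` under the same `if: github.event_name == 'push'`; `load: true` already applied every metadata tag to the local image. The `image-ref` also assumes the metadata step emits a `sha-` prefixed tag, which is outside this hunk, so confirm it. Separately, `aquasecurity/trivy-action@0.28.0` is a mutable tag on a step that now gates releases; pin it to the commit SHA.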
@@ -221,15 +247,41 @@ jobs:
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
-      - name: Build and push auth Docker image
+      - name: Build Docker image
         uses: docker/build-push-action@v6
         with:
           context: ./auth
           file: ./auth/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-auth.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-auth.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./auth
+          file: ./auth/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
   build-and-push-receiptwitness:
     runs-on: runners-cartsnitch
     if: github.event_name == 'push'
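Review bot: The `Push Docker image` step rebuilds the auth image rather than pushing the one Trivy scanned, and here the scanned build writes no cache at all (there is no `cache-to:` on the `load: true` build), so the push step's `cache-from: type=gha` reads a cache this job never populates and the pushed image is effectively a fresh, unscanned build. Push the scanned image instead: `run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.AUTH_IMAGE_NAME }}` with the existing `if: github.event_name == 'push'`, dropping the second `docker/build-push-action` invocation. If a second build is kept for some reason, at least add `cache-to: type=gha,mode=max` to the first build so the two share layers, keeping in mind that this makes them probably rather than provably identical. The `build-and-push-receiptwitness` header in the trailing context shows that job is gated on `if: github.event_name == 'push'`, so its scan will never run on a pull request, unlike the frontend job; worth a comment stating that the auth and frontend jobs deliberately scan on both events if that asymmetry is intended.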
@@ -278,15 +330,41 @@ jobs:
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
-      - name: Build and push receiptwitness image
+      - name: Build Docker image
         uses: docker/build-push-action@v6
         with:
           context: .
           file: ./receiptwitness/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-receiptwitness.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-receiptwitness.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./receiptwitness/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
   build-and-push-api:
     runs-on: runners-cartsnitch
     if: github.event_name == 'push'
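Review bot: The scanned image and the pushed image are two separate builds here: Trivy inspects the `load: true` image, but `Push Docker image` invokes `docker/build-push-action` again with `push: true`, and the scanned build has no `cache-to:` to feed the push step's `cache-from: type=gha`, so the registry receives a rebuild that the gate never looked at. Replace the rebuild with a push of what was scanned, `run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.RECEIPTWITNESS_IMAGE_NAME }}`, keeping `if: github.event_name == 'push'`. The `image-ref` relies on the metadata step producing a `sha-` prefixed tag, which sits above this hunk; if that tag is absent the scan fails on image lookup rather than on findings, so confirm it. Both `aquasecurity/trivy-action@0.28.0` and `github/codeql-action/upload-sarif@v3` are mutable refs; pin the scanner at least to its commit SHA now that it decides what ships.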
@@ -335,15 +413,41 @@ jobs:
             type=raw,value=${{ steps.calver.outputs.version }},enable=${{ github.ref == 'refs/heads/main' }}
             type=raw,value=latest,enable=${{ github.ref == 'refs/heads/main' }}
 
-      - name: Build and push API Docker image
+      - name: Build Docker image
         uses: docker/build-push-action@v6
         with:
           context: ./api
           file: ./api/Dockerfile
-          push: ${{ github.event_name == 'push' }}
+          load: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
 
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@0.28.0
+        with:
+          image-ref: ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}:sha-${{ github.sha }}
+          format: 'sarif'
+          output: 'trivy-results-api.sarif'
+          severity: 'CRITICAL,HIGH'
+          exit-code: '1'
+
+      - name: Upload Trivy scan results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: 'trivy-results-api.sarif'
+
+      - name: Push Docker image
+        if: github.event_name == 'push'
+        uses: docker/build-push-action@v6
+        with:
+          context: ./api
+          file: ./api/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+
   deploy-dev:
     runs-on: runners-cartsnitch
     needs: [build-and-push, build-and-push-auth, build-and-push-receiptwitness, build-and-push-api]
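Review bot: Same scan-then-rebuild gap as the other services: `Push Docker image` builds the api image a second time (`push: true`, `cache-from: type=gha` with no `cache-to:` on the scanned build) instead of pushing the image Trivy inspected, so the artifact that reaches the registry is not the one that passed the gate. Replace the second build with `run: docker push --all-tags ${{ env.REGISTRY }}/${{ env.API_IMAGE_NAME }}` under the existing `if: github.event_name == 'push'`. Also be explicit about what the gate blocks: `exit-code: '1'` with `severity: 'CRITICAL,HIGH'` and no `ignore-unfixed: true` fails this job — and, through the `needs:` list on `deploy-dev` at the end of the hunk, every deploy — on findings that have no upstream fix yet, which is either the intended policy or a recipe for a permanently red pipeline. Decide which, and record it in a comment above the Trivy step, e.g. `# Deploys are blocked on any CRITICAL/HIGH finding, fixable or not; triage via the Security tab` or the `ignore-unfixed` variant.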