Skip to content

Merge branch 'master' into dependabot/maven/org.openrewrite.recipe-re… #1078

Merge branch 'master' into dependabot/maven/org.openrewrite.recipe-re…

Merge branch 'master' into dependabot/maven/org.openrewrite.recipe-re… #1078

name: Build Development Docker Images
on:
push:
paths-ignore:
- "Website/**"
- "*.md"
pull_request_target:
paths-ignore:
- "Website/**"
- "*.md"
workflow_dispatch:
jobs:
build-and-scan:
name: Build and Scan [drifty-${{ matrix.image_name_suffix }}, ${{ matrix.os }}]
runs-on: ubuntu-latest
if: github.repository == 'SaptarshiSarkar12/Drifty'
strategy:
matrix:
os: [ 'ubuntu-latest', 'macos-13', 'macos-14', 'windows-latest' ] # macos-13 is AMD64 and macos-14 is ARM64
image_name_suffix: [ 'cli', 'gui' ]
fail-fast: false
permissions:
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.sha }}
- name: Pull runtime os image # to patch vulnerabilities
if: matrix.os == 'ubuntu-latest'
run: docker pull oraclelinux:9-slim
- name: Build latest version of Copa # to support Oracle Linux yum packages
if: matrix.os == 'ubuntu-latest'
run: |
git clone https://github.com/project-copacetic/copacetic
cd copacetic
make
sudo mv dist/linux_amd64/release/copa /usr/local/bin/
- name: Run Copa to patch vulnerabilities
if: matrix.os == 'ubuntu-latest'
continue-on-error: true # to handle cases where the image does not have vulnerabilities
uses: nick-fields/retry@v3 # Retry action to handle network issues
with:
timeout_minutes: 15
max_attempts: 3
retry_on: error
command: |
docker run --detach --rm --privileged --name buildkitd --entrypoint buildkitd moby/buildkit:latest
copa patch -i oraclelinux:9-slim -t 9-slim --addr docker-container://buildkitd --timeout 10m
retry_wait_seconds: '10'
on_retry_command: |
docker stop buildkitd
- name: Build Docker image
run: |
docker compose build base
docker compose build runner
docker compose build ${{ matrix.image_name_suffix }}
- name: Run Trivy security scan
if: matrix.os == 'ubuntu-latest'
uses: aquasecurity/trivy-action@0.24.0
continue-on-error: true
with:
image-ref: "drifty-${{ matrix.image_name_suffix }}"
format: 'sarif'
exit-code: 1
vuln-type: os,library
ignore-unfixed: true
output: 'trivy-report.sarif'
hide-progress: false
scanners: vuln,secret,misconfig
- name: Upload Trivy security scan results
if: always() && matrix.os == 'ubuntu-latest'
uses: github/codeql-action/upload-sarif@main
with:
sarif_file: trivy-report.sarif