From 7302a6f4011764930e12624f652721b8e7ea97d0 Mon Sep 17 00:00:00 2001
From: en-jschuetze <126695184+en-jschuetze@users.noreply.github.com>
Date: Thu, 16 Jan 2025 08:22:40 +0100
Subject: [PATCH] Add building quay/dockerhub and run tests for 8.4 zts

---
 .github/workflows/ci.yml | 67 ++++++++++++++++++++++++++++++++++++++--
 1 file changed, 64 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 405c1ae..4715dd5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -8,7 +8,8 @@ on:
 env:
 GITHUB_REGISTRY: ghcr.io
- IMAGE_NAME: ${{ github.repository }}
+ GITHUB_IMAGE_NAME: ${{ github.repository }}
+ IMAGE_NAME: endava/php
 RELEASE_REF_FILTER: 'refs/heads/release/'
 EXCLUDED_PLATFORM: "none" # change to linux/amd64 # and thos blocks from: 
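Review bot: Reusing the name `IMAGE_NAME` for the Docker Hub repository (`endava/php`) while moving the GHCR value to `GITHUB_IMAGE_NAME` changes the meaning of every existing `${{ env.IMAGE_NAME }}` reference in the file; the two `images:` lists updated later in this patch are adjusted, but any other reference outside these hunks (not visible here) would now silently resolve to `endava/php` instead of the GHCR path. Introducing a new key for the new target, e.g. `DOCKERHUB_IMAGE_NAME: endava/php`, and leaving `IMAGE_NAME` as the GHCR value would make the change purely additive and easier to audit. The `env:` mapping may continue past the end of this hunk.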
@@ -299,6 +300,60 @@ jobs:
 - name: "PHP_VERSION Env arm64"
 if: env.EXCLUDED_PLATFORM != 'linux/arm64'
 run: echo "PHP_VERSION=`docker run --pull=never --rm -t temporary-build-image-linux-arm64 php --version | head -n 1 | cut -f 2 -d ' '``docker run --pull=never --rm -t temporary-build-image-linux-arm64 php --version | grep 'ZTS' >/dev/null && echo '-zts' || echo ''`" >> $GITHUB_ENV
+ - name: "Run Tests amd64"
+ if: env.EXCLUDED_PLATFORM != 'linux/amd64'
+ run: tests/run_tests.sh
+ env:
+ DOCKER_REGISTRY_IMAGE: "temporary-build-image-linux-amd64"
+ - name: "Run Tests arm64"
+ if: env.EXCLUDED_PLATFORM != 'linux/arm64'
+ run: tests/run_tests.sh
+ env:
+ DOCKER_REGISTRY_IMAGE: "temporary-build-image-linux-arm64"
+ - if: ${{ contains(matrix.suffix, 'unsuffixed') && contains(github.ref, 'refs/heads/release/') }}
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: php-${{ env.PHP_VERSION }}
+ format: 'table'
+ exit-code: '0' # we don't break the build if vulnerabilities are included! 
+ ignore-unfixed: true
+ vuln-type: 'os,library'
+ severity: 'CRITICAL,HIGH'
+
+ - if: ${{ contains(matrix.suffix, 'unsuffixed') && contains(github.ref, 'refs/heads/release/') }}
+ name: Run Alpine Trivy vulnerability scanner and upload to github security tab
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: php-${{ env.PHP_VERSION }}
+ format: 'sarif'
+ output: 'trivy-results.sarif'
+
+ - if: ${{ contains(matrix.suffix, 'unsuffixed') && contains(github.ref, 'refs/heads/release/') }}
+ name: Upload Alpine Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: 'trivy-results.sarif'
+ - if: ${{ contains(matrix.suffix, 'unsuffixed') && contains(github.ref, 'refs/heads/release/') }}
+ name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
+ uses: aquasecurity/trivy-action@master
+ with:
+ format: 'github'
+ output: 'dependency-results.sbom.json'
+ image-ref: 'temporary-build-image-linux-amd64'
+ github-pat: ${{ secrets.PAT }}
+ - if: github.event_name != 'pull_request'
+ name: Login to DockerHub
+ uses: docker/login-action@v3.0.0
+ with:
+ username: ${{ secrets.DOCKER_USERNAME }}
+ password: ${{ secrets.DOCKER_PASSWORD }}
+ - if: github.event_name != 'pull_request'
+ name: Login to Quay.io
+ uses: docker/login-action@v3.0.0
+ with:
+ registry: quay.io
+ username: ${{ secrets.QUAY_USERNAME }}
+ password: ${{ secrets.QUAY_PASSWORD }}
 - name: Log into registry ${{ env.GITHUB_REGISTRY }}
 if: github.event_name != 'pull_request'
 uses: docker/login-action@v3.0.0
@@ -312,7 +367,10 @@ jobs:
 with:
 tags: |
 type=raw,value=${{ env.PHP_VERSION }}
- images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+ images: |
+ ${{ env.IMAGE_NAME }
+ quay.io/${{ env.IMAGE_NAME }
+ ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_IMAGE_NAME }}
 - name: Set platforms
 id: set-platforms
 run: | 
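Review bot: `uses: aquasecurity/trivy-action@master` is a floating branch reference, used by three of the new steps, and the SBOM step additionally hands that action `secrets.PAT`, so whatever is pushed to that branch next runs with the token in its environment on every release build; pin it to a release tag or, preferably, a full commit SHA (`uses: aquasecurity/trivy-action@<commit-sha>  # <release tag>`) so updates are reviewed like any other dependency. If the PAT exists only for the Dependency Snapshots submission, the job-scoped `${{ secrets.GITHUB_TOKEN }}` combined with `contents: write` in the job's `permissions:` is the narrower option, and the `upload-sarif` step needs `security-events: write` there as well; no `permissions:` block is visible in this hunk, so that should be confirmed. Note also that the table and SARIF scans use `image-ref: php-${{ env.PHP_VERSION }}` while the SBOM step scans `temporary-build-image-linux-amd64`; unless an earlier step outside this hunk tags the build as `php-<version>`, the vulnerability scans may be looking at a different image than the one being pushed. `github/codeql-action/upload-sarif@v2` should move to the `v3` line, which is the currently maintained major. The `steps:` list this hunk belongs to begins and ends outside the hunk.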
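Review bot: `${{ env.IMAGE_NAME }` on the first two lines of the new `images:` block is missing its closing brace, so the expression is never evaluated: the metadata action either receives the literal text or the workflow fails validation, and in both cases the Docker Hub and Quay targets are not tagged as intended. The two lines should read `${{ env.IMAGE_NAME }}` and `quay.io/${{ env.IMAGE_NAME }}`. The same truncated expressions are repeated in the hunk at `@@ -352,7 +410,10 @@`. The `with:` mapping these lines belong to starts above this hunk.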
@@ -352,7 +410,10 @@ jobs:
 with:
 tags: |
 type=raw,value=${{ env.PHP_VERSION }}-${{ matrix.suffix }}
- images: ${{ env.GITHUB_REGISTRY }}/${{ env.IMAGE_NAME }}
+ images: |
+ ${{ env.IMAGE_NAME }
+ quay.io/${{ env.IMAGE_NAME }
+ ${{ env.GITHUB_REGISTRY }}/${{ env.GITHUB_IMAGE_NAME }}
 - if: ${{ !contains(matrix.suffix, 'unsuffixed') }}
 name: Build and push Dockerfile-${{ matrix.suffix }}
 uses: docker/build-push-action@v5.3.0