# Reusable ("workflow_call") build pipeline for the frontend.
#
# Everything under `inputs:` is supplied by the CALLING workflow and must be
# treated as untrusted data by the jobs below: it may originate from a tag
# name, a branch name or a dispatch form that an outside contributor controls.
on:
  workflow_call:
    inputs:
      # JSON-encoded list of Node majors; expanded into the build matrix.
      node-versions:
        description: 'Stringified JSON Array of node versions to build against'
        type: string
        required: false
        default: '["18"]'
      # Which matrix entry's artifact is packaged into the container image.
      # Has to be one of `node-versions`, otherwise no matching artifact exists.
      node-version-package:
        description: 'Set which version of node the container packaged dist should be based on. (MUST be part of the node-versions)'
        type: string
        required: false
        default: '18'
      # Used verbatim as the image tag, as a build-arg and in the Trivy scan.
      app-version:
        description: 'Set the version that should be set/used as tag for the container image'
        type: string
        required: false
        default: 'snapshot'
      # Gates registry login, the push and the post-push scan/SARIF upload.
      publish-container:
        description: 'Set if the container image gets publish and scan once its build'
        type: boolean
        required: false
        default: false
    # Docker Hub credentials; only consumed when `publish-container` is true.
    secrets:
      registry-0-usr:
        required: true
      registry-0-psw:
        required: true
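# Supply-chain note: every `uses:` below is pinned to a mutable version tag
# (e.g. `@v4.1.1`, `@v3`). A tag can be moved by the action's maintainers or by
# anyone who compromises their repository, so the code that runs here is not
# fixed by this file. Pin each action to a full-length commit SHA (keep the tag
# in a trailing comment for readability) and let Dependabot/Renovate bump them.
jobs:
  # Builds the frontend once per Node version in the matrix and uploads the
  # assembled dist/ plus any generated BOM files as a per-version artifact.
  build-node:
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to read the repository. A called
    # workflow can only narrow the caller's token, never widen it.
    permissions:
      contents: read
    strategy:
      fail-fast: true
      matrix:
        node-version: ${{ fromJson(inputs.node-versions) }}
    steps:
      - name: Checkout Repository
        uses: actions/[email protected]
      - name: Set up NodeJs
        uses: actions/[email protected]
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
      - name: Run Npm Build
        env:
          # Quoted on purpose: env values are strings, not YAML booleans.
          CI: 'true'
        run: |-
          npm ci
          npm run build --if-present
      - name: Upload Artifacts
        uses: actions/[email protected]
        with:
          name: assembled-frontend-node${{ matrix.node-version }}
          path: |-
            dist/
            bom.*

  # Packages the chosen artifact into a multi-arch image and, when publishing,
  # pushes it to Docker Hub, scans the pushed image and uploads the SARIF.
  build-container:
    runs-on: ubuntu-latest
    needs:
      - build-node
    # No `permissions:` block here on purpose: the SARIF upload at the end
    # needs `security-events: write`, but only when `publish-container` is
    # set, and a reusable workflow that requests a permission the caller did
    # not grant fails at job start-up. Callers that publish must therefore
    # grant this workflow at least `contents: read` and `security-events: write`.
    steps:
      - name: Checkout Repository
        uses: actions/[email protected]
      # `inputs.app-version` is caller-controlled and is used in a shell script,
      # in the build-args and in the Trivy image-ref. It is therefore handled
      # strictly as data: passed in through an environment variable rather than
      # interpolated into the script with `${{ }}` (which would let the caller
      # inject shell commands), and required to be a syntactically valid image
      # tag, which rules out whitespace, newlines and shell metacharacters
      # before the value reaches `build-args` or `image-ref`. This runs first so
      # that an invalid value fails the job before any registry secret is used.
      - name: Set Container Tags
        id: tags
        env:
          APP_VERSION: ${{ inputs.app-version }}
        run: |-
          tag_re='^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$'
          if [[ ! "${APP_VERSION}" =~ ${tag_re} ]]; then
            echo "::error::app-version is not a valid container image tag (must match ${tag_re})"
            exit 1
          fi
          TAGS="docker.io/dependencytrack/frontend:${APP_VERSION}"
          # Only non-snapshot builds also move the :latest tag.
          if [[ "${APP_VERSION}" != "snapshot" ]]; then
            TAGS="${TAGS},docker.io/dependencytrack/frontend:latest"
          fi
          echo "tags=${TAGS}" >> "${GITHUB_OUTPUT}"
      - name: Download Artifacts
        uses: actions/[email protected]
        with:
          # Must match the artifact name produced by build-node for the
          # requested package version; `node-version-package` has to be one of
          # `node-versions` or no artifact exists and this step fails.
          name: assembled-frontend-node${{ inputs.node-version-package }}
      - name: Set up QEMU
        uses: docker/[email protected]
      - name: Set up Docker Buildx
        uses: docker/[email protected]
        id: buildx
        with:
          install: true
      # Registry login only happens when the image is actually pushed.
      - name: Login to Docker.io
        uses: docker/[email protected]
        if: ${{ inputs.publish-container }}
        with:
          registry: docker.io
          username: ${{ secrets.registry-0-usr }}
          password: ${{ secrets.registry-0-psw }}
      - name: Build multi-arch Container Image
        uses: docker/[email protected]
        with:
          tags: ${{ steps.tags.outputs.tags }}
          # `build-args` is newline-separated; the tag check above guarantees
          # `app-version` cannot smuggle in an extra line.
          build-args: |-
            APP_VERSION=${{ inputs.app-version }}
            COMMIT_SHA=${{ github.sha }}
          platforms: linux/amd64,linux/arm64
          push: ${{ inputs.publish-container }}
          context: .
          file: docker/Dockerfile.alpine
      # NOTE(review): the scan targets the registry copy, i.e. it runs AFTER
      # the push, so findings are reported but never block publication, and the
      # scope is OS packages with an available fix only. Gating publication on
      # the scan would require scanning a locally built image before pushing.
      - name: Run Trivy Vulnerability Scanner
        if: ${{ inputs.publish-container }}
        uses: aquasecurity/[email protected]
        with:
          image-ref: docker.io/dependencytrack/frontend:${{ inputs.app-version }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          ignore-unfixed: true
          vuln-type: 'os'
      - name: Upload Trivy Scan Results to GitHub Security Tab
        if: ${{ inputs.publish-container }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'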