chore: initial structure
meysam81 committed Oct 24, 2024
1 parent 5aaf192 commit fa27a37
Showing 7 changed files with 372 additions and 0 deletions.
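--- a/.github/FUNDING.yml
+++ b/.github/FUNDING.yml
@@ -0,0 +1,3 @@
+---
+github:
+- meysam81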
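--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -0,0 +1,7 @@
+---
+version: 2
+updates:
+- package-ecosystem: github-actions
+directory: /
+schedule:
+interval: weekly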
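Review bot: Dependabot is scoped to the `github-actions` ecosystem at `/` only, while the same commit adds `renovate.json` with `config:recommended`; if Renovate is installed on this repository, both bots will open competing PRs for the same `uses:` pins. Keep one of the two, or scope them so they do not overlap. Note also that Dependabot can only propose bumps for pinned tags or SHAs, so the `@master` / `@main` references in `ci.yml` and `action.yml` get no updates from this config as far as I can tell.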
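--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,79 @@
+---
+name: ci
+
+concurrency:
+cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
+group: ci-${{ github.ref_name }}-${{ github.event_name }}
+
+on:
+push:
+branches:
+- main
+tags:
+- v*
+pull_request:
+branches:
+- main
+
+env:
+ANSIBLE_FORCE_COLOR: "1"
+PY_COLORS: "1"
+
+jobs:
+trivy:
+if: github.event_name == 'push' || github.event_name == 'pull_request'
+runs-on: ubuntu-latest
+permissions:
+contents: read
+security-events: write
+strategy:
+fail-fast: false
+matrix:
+scan-type:
+- fs
+- config
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Cache trivy db
+uses: actions/cache@v4
+with:
+path: |
+~/.cache/trivy
+~/work/temp
+key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
+- name: Run Trivy vulnerability scanner in fs mode
+uses: aquasecurity/trivy-action@master
+with:
+format: sarif
+ignore-unfixed: true
+output: trivy-results.sarif
+scan-ref: .
+scan-type: ${{ matrix.scan-type }}
+severity: CRITICAL,HIGH
+trivy-config: trivy.yaml
+- name: Upload Trivy scan results to GitHub Security tab
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: trivy-results.sarif
+
+ansible-lint:
+if: github.event_name == 'push' || github.event_name == 'pull_request'
+runs-on: ubuntu-latest
+steps:
+- name: Checkout code
+uses: actions/checkout@v4
+- name: Run ansible-lint
+uses: ansible/ansible-lint@main
+
+release-please:
+if: github.event_name == 'push' && github.ref == 'refs/heads/main'
+runs-on: ubuntu-latest
+permissions:
+contents: write
+pull-requests: write
+steps:
+- name: Release please
+uses: googleapis/release-please-action@v4
+with:
+release-type: simple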
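Review bot: Both matrix legs (`fs` and `config`) of the `trivy` job upload `trivy-results.sarif` through `github/codeql-action/upload-sarif@v3` without a `category`, so the two uploads for one commit share the default category and the second appears to overwrite the first in the Security tab; add `category: trivy-${{ matrix.scan-type }}` under that step's `with:`. The scanners are referenced by mutable branches, `aquasecurity/trivy-action@master` and `ansible/ansible-lint@main`, so a push to those branches changes what executes here without any change to this file; pin them to a release tag or full commit SHA so the pipeline is reproducible and Dependabot can propose upgrades. The step name `Run Trivy vulnerability scanner in fs mode` is also stale for the `config` leg; `Run Trivy (${{ matrix.scan-type }})` would read correctly for both.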
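--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,71 @@
+repos:
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v5.0.0
+hooks:
+- id: check-added-large-files
+args: ["--maxkb=800"]
+- id: check-ast
+- id: check-executables-have-shebangs
+- id: check-json
+- id: check-shebang-scripts-are-executable
+- id: check-yaml
+args:
+- --allow-multiple-documents
+- id: detect-private-key
+exclude: |
+(?x)^(
+)$
+- id: detect-aws-credentials
+args:
+- --allow-missing-credentials
+- id: end-of-file-fixer
+exclude: |
+(?x)^(
+)$
+- id: name-tests-test
+- id: file-contents-sorter
+- id: requirements-txt-fixer
+- id: sort-simple-yaml
+- id: trailing-whitespace
+- id: fix-byte-order-marker
+- id: check-builtin-literals
+- id: check-case-conflict
+- id: check-builtin-literals
+- id: check-byte-order-marker
+- id: check-case-conflict
+- id: check-docstring-first
+- id: check-merge-conflict
+- id: check-symlinks
+- id: check-toml
+- id: check-vcs-permalinks
+- id: check-xml
+- id: debug-statements
+- id: destroyed-symlinks
+- id: fix-byte-order-marker
+- id: fix-encoding-pragma
+- id: forbid-new-submodules
+- id: forbid-submodules
+- id: mixed-line-ending
+- id: pretty-format-json
+args:
+- --autofix
+- repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
+rev: v9.18.0
+hooks:
+- id: commitlint
+stages: [commit-msg]
+additional_dependencies: ["@commitlint/config-conventional"]
+- repo: https://github.com/astral-sh/ruff-pre-commit
+rev: v0.6.9
+hooks:
+- id: ruff
+args:
+- --fix
+- --select=I
+- id: ruff-format
+- repo: https://github.com/tofuutils/pre-commit-opentofu
+rev: v2.0.0
+hooks:
+- id: tofu_fmt
+- id: tofu_tflint
+- id: tofu_docs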
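Review bot: Several hook ids in the `pre-commit/pre-commit-hooks` block are listed twice — `check-builtin-literals`, `check-case-conflict` and `fix-byte-order-marker` each appear two times, and `check-byte-order-marker` is the deprecated alias of the latter — while `forbid-new-submodules` sits next to `forbid-submodules`; YAML accepts duplicate sequence items silently, so every commit simply runs those hooks twice. Drop the second occurrences and the alias. The `exclude: |` blocks on `detect-private-key` and `end-of-file-fixer` contain the pattern `(?x)^(\n)$`, whose only alternative is empty, so they can match nothing but an empty path and exclude nothing; either remove them or fill in the paths that were meant to be skipped. This file also lacks the `---` document start that the `.github/*.yml` files in the same commit use.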
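--- a/action.yml
+++ b/action.yml
@@ -0,0 +1,191 @@
+name: "Build Docker Image"
+description: "Builds and optionally pushes a Docker image"
+
+inputs:
+build-args:
+default: ""
+description: Build arguments
+required: false
+context:
+default: .
+description: Context of the Dockerfile
+required: false
+dockerhub-password:
+description: Docker Hub password
+required: false
+default: ""
+dockerhub-username:
+description: Docker Hub username
+required: false
+default: ""
+github-token:
+default: ${{ github.token }}
+description: GitHub token
+required: true
+image-extra-tags:
+default: ""
+description: Image tags
+required: false
+image-name:
+description: Image name
+required: true
+image-target:
+default: ""
+description: Target stage of the Dockerfile
+required: false
+kubescape:
+default: "false"
+description: Whether or not to run Kubescape
+required: false
+kubescape-upload-sarif:
+default: "false"
+description: Whether or not to upload Kubescape SARIF results
+required: false
+platforms:
+default: linux/amd64,linux/arm64
+description: Platforms to build for
+required: false
+push:
+default: "true"
+description: Whether or not to push image to registry
+required: false
+ref:
+default: ${{ github.ref }}
+description: Ref to checkout
+required: false
+runner:
+default: ubuntu-latest
+description: Runner to use
+required: false
+scout-comment-pr:
+default: "false"
+description: Whether or not to comment on PR
+required: false
+scout-compare:
+default: "false"
+description: Whether or not to run scout compare
+required: false
+scout-cves:
+default: "false"
+description: Whether or not to run scout CVEs
+required: false
+
+outputs:
+digest:
+description: Image digest
+value: ${{ steps.build-push.outputs.digest }}
+imageid:
+description: Image ID
+value: ${{ steps.build-push.outputs.image-id }}
+metadata:
+description: Build result metadata
+value: ${{ steps.build-push.outputs.metadata }}
+
+runs:
+using: "composite"
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+ref: ${{ inputs.ref }}
+
+- name: Set up QEMU
+uses: docker/setup-qemu-action@v3
+
+- name: Set up Docker Buildx
+uses: docker/setup-buildx-action@v3
+
+- name: Login to GitHub Container Registry
+uses: docker/login-action@v3
+with:
+password: ${{ inputs.github-token }}
+registry: ghcr.io
+username: ${{ github.actor }}
+
+- if: |
+inputs.dockerhub-username != '' &&
+inputs.dockerhub-password != ''
+name: Login to Docker hub
+uses: docker/login-action@v3
+with:
+password: ${{ inputs.dockerhub-password }}
+username: ${{ inputs.dockerhub-username }}
+- name: Docker metadata
+id: meta
+uses: docker/metadata-action@v5
+with:
+images: |
+${{ inputs.image-name }}
+- name: Build and push
+id: build-push
+uses: docker/build-push-action@v6
+with:
+build-args: ${{ inputs.build-args }}
+cache-from: type=gha
+cache-to: type=gha,mode=max
+context: ${{ inputs.context }}
+labels: ${{ steps.meta.outputs.labels }}
+platforms: ${{ inputs.platforms }}
+push: ${{ inputs.push }}
+tags: |
+${{ steps.meta.outputs.tags }}
+${{ inputs.image-extra-tags }}
+target: ${{ inputs.image-target }}
+
+- name: Docker Scout - compare
+if: inputs.scout-compare == 'true'
+uses: docker/scout-action@v1
+with:
+command: compare
+github-token: ${{ github.token }}
+ignore-unchanged: true
+image: ${{ steps.meta.outputs.tags }}
+only-severities: critical,high,medium
+to: ${{ inputs.image-name }}:latest
+write-comment: ${{ inputs.scout-comment-pr }}
+
+- name: Docker Scout - cves
+if: inputs.scout-cves == 'true'
+uses: docker/scout-action@v1
+with:
+command: cves
+ignore-unchanged: true
+image: ${{ steps.meta.outputs.tags }}
+only-fixed: true
+only-severities: medium,high,critical
+sarif-file: sarif.output.json
+summary: true
+
+- name: Create unique job identifier
+id: job-id
+shell: bash
+run: |
+four_character_timestamp=$(date +%s | sha256sum | base64 | head -c 4)
+run_id=$(echo ${{ github.run_id }} | sha256sum | base64 | head -c 4)
+job_id="${four_character_timestamp}${run_id}"
+echo "job-id=$job_id" >> $GITHUB_OUTPUT
+- name: Upload artifact
+if: inputs.scout-cves == 'true'
+uses: actions/upload-artifact@v4
+with:
+if-no-files-found: warn
+name: scout-results-${{ steps.job-id.outputs.job-id }}
+path: sarif.output.json
+
+- if: inputs.kubescape == 'true'
+uses: kubescape/github-action@main
+continue-on-error: true
+with:
+image: ${{ inputs.image-name }}@${{ steps.build-push.outputs.digest }}
+format: sarif
+outputFile: results.sarif
+severityThreshold: Medium
+
+- if: inputs.kubescape-upload-sarif == 'true'
+name: Upload Kubescape scan results to Github Code Scanning
+uses: github/codeql-action/upload-sarif@v3
+with:
+sarif_file: results.sarif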
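Review bot: The `Create unique job identifier` step interpolates a context value straight into the shell script (`run_id=$(echo ${{ github.run_id }} | sha256sum | base64 | head -c 4)`); `run_id` is numeric so this is harmless here, but it is the pattern that turns into script injection the moment the interpolated value is attacker-influenced, and the rest of this file routes values through inputs rather than inline expansion. Prefer an `env:` entry on the step, `RUN_ID: ${{ github.run_id }}`, with `run_id=$(echo "$RUN_ID" | sha256sum | base64 | head -c 4)`, and quote the redirect target as `"$GITHUB_OUTPUT"`. Two smaller points: `kubescape/github-action@main` is a mutable ref while every other action here is pinned to a major tag, and because that step is `continue-on-error: true` while the following `upload-sarif` step has no guard, a failed scan leaves `results.sarif` absent and the upload fails for a reason unrelated to the image; an `if: inputs.kubescape-upload-sarif == 'true' && hashFiles('results.sarif') != ''` condition would make that explicit. The Scout compare step also passes `github.token` where the GHCR login passes `inputs.github-token`; using the input consistently keeps a caller-supplied token in effect for every step.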
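--- a/renovate.json
+++ b/renovate.json
@@ -0,0 +1,6 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"config:recommended"
+]
+}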
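--- a/trivy.yaml
+++ b/trivy.yaml
@@ -0,0 +1,15 @@
+quiet: false
+debug: false
+insecure: false
+timeout: 1m
+cache:
+dir: .pre-commit-trivy-cache
+scan:
+skip-dirs:
+- "**/.terraform*"
+misconfiguration:
+terraform:
+exclude-downloaded-modules: false
+severity:
+- HIGH
+- CRITICAL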
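Review bot: `cache.dir` is set to `.pre-commit-trivy-cache`, a path relative to the working directory, while the `Cache trivy db` step in `.github/workflows/ci.yml` caches `~/.cache/trivy` and `~/work/temp`; since the CI job passes `trivy-config: trivy.yaml`, the vulnerability database appears to be written into the workspace path and the cache step restores nothing useful on later runs. Either add `.pre-commit-trivy-cache` to that step's `path:` list or drop `cache.dir` from this shared config so Trivy's default location, which the workflow already caches, applies. The `severity` list here (`HIGH`, `CRITICAL`) also duplicates `severity: CRITICAL,HIGH` in the workflow step; keeping it in one place avoids the two drifting apart.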
