Update workflow and remove Quay

Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-12 03:23:19 -07:00
parent 7985baa1e3
commit b450470d52
No known key found for this signature in database
GPG Key ID: 555C902A34EC968F
3 changed files with 29 additions and 41 deletions

View File

@ -9,8 +9,8 @@ on:
paths-ignore:
- '**.md'
schedule:
# Build the image regularly (each Saturday)
- cron: '0 22 * * 6'
# Build the image daily
- cron: '0 0 * * *'
env:
REGISTRY: ghcr.io
@ -29,11 +29,6 @@ jobs:
- name: Checkout code
uses: actions/checkout@v4
- name: Extract version for tags
run: |
echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV
echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3
@ -56,8 +51,6 @@ jobs:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
latest
${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }}
- name: Build and push Docker image
id: build-and-push
@ -74,9 +67,11 @@ jobs:
env:
TAGS: ${{ steps.meta.outputs.tags }}
scan:
name: Scan current image & report results
trivy:
name: Scan current image with Trivy
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
@ -93,3 +88,24 @@ jobs:
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'
category: 'trivy'
grype:
name: Scan current image with Grype
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v3
id: grype
with:
image: "ghcr.io/tommytran732/synapse"
fail-build: false
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
category: grype

View File

@ -1,27 +0,0 @@
name: Scan
on:
workflow_dispatch:
schedule:
# Scan the image regularly (once a day)
- cron: '0 23 * * *'
jobs:
scan:
name: Scan current image & report results
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/tommytran732/synapse'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
vuln-type: "os,library"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'

View File

@ -5,16 +5,15 @@
[Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
### Notes
- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`.
- Prebuilt images are available at `ghcr.io/tommytran732/synapse`.
- Don't trust random images: build yourself if you can.
- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair.
### Features & usage
- Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
- Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
- Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface.
- Daily rebuilds keeping the image up-to-date.
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.