mirror of
https://github.com/tommytran732/Synapse-Docker.git
synced 2024-10-01 08:25:44 -04:00
Update workflow and remove Quay
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
parent
7985baa1e3
commit
b450470d52
38
.github/workflows/build.yml
vendored
38
.github/workflows/build.yml
vendored
@ -9,8 +9,8 @@ on:
|
||||
paths-ignore:
|
||||
- '**.md'
|
||||
schedule:
|
||||
# Build the image regularly (each Saturday)
|
||||
- cron: '0 22 * * 6'
|
||||
# Build the image daily
|
||||
- cron: '0 0 * * *'
|
||||
|
||||
env:
|
||||
REGISTRY: ghcr.io
|
||||
@ -29,11 +29,6 @@ jobs:
|
||||
- name: Checkout code
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- name: Extract version for tags
|
||||
run: |
|
||||
echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV
|
||||
echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
|
||||
|
||||
- name: Install cosign
|
||||
if: github.event_name != 'pull_request'
|
||||
uses: sigstore/cosign-installer@v3
|
||||
@ -56,8 +51,6 @@ jobs:
|
||||
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||
tags: |
|
||||
latest
|
||||
${{ env.FULL_VERSION }}
|
||||
${{ env.MAJOR_VERSION }}
|
||||
|
||||
- name: Build and push Docker image
|
||||
id: build-and-push
|
||||
@ -74,9 +67,11 @@ jobs:
|
||||
env:
|
||||
TAGS: ${{ steps.meta.outputs.tags }}
|
||||
|
||||
scan:
|
||||
name: Scan current image & report results
|
||||
trivy:
|
||||
name: Scan current image with Trivy
|
||||
needs: build
|
||||
permissions:
|
||||
security-events: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Trivy vulnerability scanner
|
||||
@ -93,3 +88,24 @@ jobs:
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
||||
category: 'trivy'
|
||||
|
||||
grype:
|
||||
name: Scan current image with Grype
|
||||
needs: build
|
||||
permissions:
|
||||
security-events: write
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Grype vulnerability scanner
|
||||
uses: anchore/scan-action@v3
|
||||
id: grype
|
||||
with:
|
||||
image: "ghcr.io/tommytran732/synapse"
|
||||
fail-build: false
|
||||
|
||||
- name: Upload Grype scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: ${{ steps.grype.outputs.sarif }}
|
||||
category: grype
|
27
.github/workflows/scan.yml
vendored
27
.github/workflows/scan.yml
vendored
@ -1,27 +0,0 @@
|
||||
name: Scan
|
||||
|
||||
on:
|
||||
workflow_dispatch:
|
||||
schedule:
|
||||
# Scan the image regularly (once a day)
|
||||
- cron: '0 23 * * *'
|
||||
|
||||
jobs:
|
||||
scan:
|
||||
name: Scan current image & report results
|
||||
runs-on: "ubuntu-latest"
|
||||
steps:
|
||||
- name: Run Trivy vulnerability scanner
|
||||
uses: aquasecurity/trivy-action@master
|
||||
with:
|
||||
image-ref: 'ghcr.io/tommytran732/synapse'
|
||||
format: 'template'
|
||||
template: '@/contrib/sarif.tpl'
|
||||
output: 'trivy-results.sarif'
|
||||
severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
|
||||
vuln-type: "os,library"
|
||||
|
||||
- name: Upload Trivy scan results to GitHub Security tab
|
||||
uses: github/codeql-action/upload-sarif@v3
|
||||
with:
|
||||
sarif_file: 'trivy-results.sarif'
|
@ -5,16 +5,15 @@
|
||||
[Synapse](https://github.com/matrix-org/synapse) is a [Matrix](https://matrix.org/) implementation written in Python.
|
||||
|
||||
### Notes
|
||||
- Prebuilt images are available at `ghcr.io/tommytran732/synapse` and `quay.io/tommytran732/synapse`.
|
||||
- Prebuilt images are available at `ghcr.io/tommytran732/synapse`.
|
||||
- Don't trust random images: build yourself if you can.
|
||||
- Always keep your software up-to-date: manage versions with [build-time variables](https://github.com/TommyTran732/Synapse-Docker/blob/main/Dockerfile#L1-L4).
|
||||
- Images from `ghcr.io` are built every week and scanned every day for critical vulnerabilities with Trivy. I recommend that you use these images.
|
||||
- Images from `quay.io` are built on every push event and scanned for vulnerabilities with Clair.
|
||||
|
||||
### Features & usage
|
||||
- Drop-in replacement for the [official image](https://github.com/matrix-org/synapse/tree/develop/docker).
|
||||
- Unprivileged image: you should check your volumes permissions (eg `/data`), default UID/GID is 991.
|
||||
- Based on the latest [Alpine](https://alpinelinux.org/) containers which provide more recent packages while having less attack surface.
|
||||
- Daily rebuilds keeping the image up-to-date.
|
||||
- Comes with the [hardened memory allocator](https://github.com/GrapheneOS/hardened_malloc) built from the latest tag, protecting against some heap-based buffer overflows.
|
||||
- [Mjolnir module](https://github.com/matrix-org/mjolnir/blob/main/docs/synapse_module.md) support.
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user