Matrix-Mirrors/wonderfall-docker-synapse
1
0
Fork 0
mirror of https://github.com/Wonderfall/docker-synapse.git synced 2025-06-25 07:00:26 -04:00
Code Issues Projects Releases Packages Wiki Activity

Reach parity with TommyTran732/Synapse-OCI

Browse source 
Signed-off-by: Tommy <contact@tommytran.io>
This commit is contained in:
Tommy 2024-06-15 15:00:57 -07:00
parent 63182121f2
commit 0b601a31a5
No known key found for this signature in database
GPG key ID: 555C902A34EC968F
3 changed files with 37 additions and 42 deletions
Download patch file Download diff file Expand all files Collapse all files

6
.github/dependabot.yml vendored Normal file
View file

@ -0,0 +1,6 @@
version: 2
updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "daily"

44
.github/workflows/build.yml vendored
View file

@ -1,4 +1,4 @@
name: build name: Build
on: on:
workflow_dispatch: workflow_dispatch:
@ -9,8 +9,8 @@ on:
paths-ignore: paths-ignore:
- '**.md' - '**.md'
schedule: schedule:
# Build the image regularly (each Friday) # Build the image daily
- cron: '13 21 * * 5' - cron: '0 0 * * *'
env: env:
REGISTRY: ghcr.io REGISTRY: ghcr.io
@ -29,11 +29,6 @@ jobs:
- name: Checkout code - name: Checkout code
uses: actions/checkout@v4 uses: actions/checkout@v4
- name: Extract version for tags
run: |
echo "FULL_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile)" >> $GITHUB_ENV
echo "MAJOR_VERSION=$(grep -oP '(?<=SYNAPSE_VERSION=).*' Dockerfile | head -c5)" >> $GITHUB_ENV
- name: Install cosign - name: Install cosign
if: github.event_name != 'pull_request' if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@v3 uses: sigstore/cosign-installer@v3
@ -56,8 +51,6 @@ jobs:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: | tags: |
latest latest
${{ env.FULL_VERSION }}
${{ env.MAJOR_VERSION }}
- name: Build and push Docker image - name: Build and push Docker image
id: build-and-push id: build-and-push
@ -74,9 +67,11 @@ jobs:
env: env:
TAGS: ${{ steps.meta.outputs.tags }} TAGS: ${{ steps.meta.outputs.tags }}
scan: trivy:
name: Scan current image & report results name: Scan current image with Trivy
needs: build needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest" runs-on: "ubuntu-latest"
steps: steps:
- name: Run Trivy vulnerability scanner - name: Run Trivy vulnerability scanner
@ -86,10 +81,31 @@ jobs:
format: 'template' format: 'template'
template: '@/contrib/sarif.tpl' template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif' output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH' severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
vuln-type: "os" vuln-type: "os,library"
- name: Upload Trivy scan results to GitHub Security tab - name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3 uses: github/codeql-action/upload-sarif@v3
with: with:
sarif_file: 'trivy-results.sarif' sarif_file: 'trivy-results.sarif'
category: 'trivy'
grype:
name: Scan current image with Grype
needs: build
permissions:
security-events: write
runs-on: "ubuntu-latest"
steps:
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@v3
id: grype
with:
image: "ghcr.io/wonderfall/synapse"
fail-build: false
- name: Upload Grype scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype.outputs.sarif }}
category: grype

27
.github/workflows/scan.yml vendored
View file

@ -1,27 +0,0 @@
name: scan
on:
schedule:
# Scan the image regularly (once a day)
- cron: '45 03 * * *'
jobs:
scan:
name: Scan current image & report results
runs-on: "ubuntu-latest"
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/wonderfall/synapse'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
vuln-type: "os"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'