

Revert cache setup as it is now done at the provider level (#2013)
* Revert cache setup as it is now done at the provider level

Also restricts the scan to vulnerabilities only

* Try to use Docker context for resharing of image

* Use locally loaded image for CI tests
DrizzlyOwl authored Dec 2, 2024
1 parent 3411240 commit 34600b0
Showing 2 changed files with 67 additions and 120 deletions.
179 changes: 66 additions & 113 deletions .github/workflows/ci-checks.yml
Expand Up @@ -7,8 +7,8 @@ on:
- main

jobs:
build-and-cache:
name: Build and cache image
build:
name: Build Docker image
runs-on: ubuntu-latest
steps:
-
Expand All @@ -18,97 +18,86 @@ jobs:
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
name: Build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=test
push: false
tags: complete-app:latest
tags: complete-app:ci
cache-from: type=gha
cache-to: type=gha,mode=min
outputs: type=docker,dest=/tmp/base.tar
-
name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: complete-app-ci
path: /tmp/base.tar

lint-and-format:
name: Linting and formatting
runs-on: ubuntu-latest
needs: build-and-cache
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
name: Download artifact
uses: actions/download-artifact@v4
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run linters and formaters
run: |
docker run --rm complete-app:latest /bin/bash -c "bin/standardrb -f simple && bin/erblint --lint-all \
docker run --rm complete-app:ci /bin/bash -c "bin/standardrb -f simple && bin/erblint --lint-all \
&& yarn run lint:format && yarn run lint:js"
static-analysis:
name: Static analysis
runs-on: ubuntu-latest
needs: build-and-cache
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
name: Download artifact
uses: actions/download-artifact@v4
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run Brakeman
run: |
docker run --rm complete-app:latest /bin/bash -c "bin/brakeman"
docker run --rm complete-app:ci /bin/bash -c "bin/brakeman"
specs:
name: Specs and coverage
runs-on: ubuntu-latest
needs: build-and-cache
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
name: Download artifact
uses: actions/download-artifact@v4
with:
context: .
file: ./Dockerfile
build-args: |
RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run RSpec and Simplecov
run: |
Expand All @@ -131,25 +120,22 @@ jobs:
accessibility:
name: Accessibility
runs-on: ubuntu-latest
needs: build-and-cache
needs: build
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
uses: docker/build-push-action@v6
name: Download artifact
uses: actions/download-artifact@v4
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=test
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
name: complete-app-ci
path: /tmp
-
name: Load image
run: |
docker load --input /tmp/base.tar
docker image ls -a
-
name: Run RSpec Accessibility checks
run: |
Expand All @@ -164,16 +150,16 @@ jobs:
runs-on: ubuntu-latest
needs: specs
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: actions/download-artifact@v4
-
uses: actions/download-artifact@v4
with:
name: coverage-report
path: ./coverage
- name: Update coverage report paths
-
name: Update coverage report paths
run: sed -i "s|/srv/app|/github/workspace|g" ./coverage/coverage.json
- name: SonarCloud Scan
-
name: SonarCloud Scan
uses: SonarSource/sonarcloud-github-action@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand All @@ -182,61 +168,28 @@ jobs:
docker:
name: Docker
runs-on: ubuntu-latest
needs: build-and-cache
continue-on-error: true
needs: build
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build and cache
id: build
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
build-args: RAILS_ENV=development
push: false
load: true
tags: complete-app:latest
cache-from: type=gha
-
name: Generate tarball from image
run: |
docker save -o ./vuln-image.tar ${{ steps.build.outputs.imageid }}
- ## To avoid the trivy-db becoming outdated, we save the cache for one day
name: Get TrivyDB data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
-
name: Restore TrivyDB cache
uses: actions/cache@v4
name: Download artifact
uses: actions/download-artifact@v4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
name: complete-app-ci
path: /tmp
-
name: Scan Docker image for CVEs
uses: aquasecurity/trivy-action@0.28.0
with:
input: ./vuln-image.tar
input: /tmp/base.tar
format: 'sarif'
output: 'trivy-results.sarif'
limit-severities-for-sarif: true
scanners: vuln
ignore-unfixed: true
severity: 'CRITICAL,HIGH'
github-pat: ${{ secrets.GITHUB_TOKEN }}
cache-dir: "./cache"
-
name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
-
name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'
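Review bot: The `Upload artifact` step in the `build` job stores the full image tarball (`/tmp/base.tar`) with upload-artifact's default retention even though every consumer (`lint-and-format`, `static-analysis`, `specs`, `accessibility`, `docker`) downloads it within the same run; add `retention-days: 1` under that step's `with:` so a complete test image does not stay attached to the run for the default period. In the `docker` job the Trivy step now scans the artifact built with `build-args: RAILS_ENV=test`, whereas the removed inline build appears to have used `RAILS_ENV=development`, so the set of packages and gems being scanned may no longer match what was scanned before — worth confirming that the test image is the intended scan target. The `continue-on-error: true` line in the `docker` job also appears to be on the removed side, which means CRITICAL/HIGH findings now fail the job; if that is intentional it deserves a one-line comment above `needs: build`, e.g. `# scan failures are blocking by design`. The `docker` job's `fetch-depth: 0` checkout has no visible consumer once the in-job build is gone; if nothing else in the job reads the repository it can be dropped.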
8 changes: 1 addition & 7 deletions docker-compose.checks.yml
@@ -1,12 +1,6 @@
services:
test:
build:
context: .
dockerfile: Dockerfile
cache_from:
- type=gha
args:
RAILS_ENV: "test"
image: complete-app:ci
command: bin/rspec
ports:
- "3000:3000"
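Review bot: With the `build:` block removed, `image: complete-app:ci` is an unqualified single-component name, so if the image has not already been loaded into the local daemon (as the workflow's `docker load` step does), Compose will resolve it against the default registry and attempt to pull `complete-app:ci` from Docker Hub rather than fail locally. Add `pull_policy: never` under the `test` service next to `image:` so a missing local image is reported as an error instead of silently falling back to a registry lookup. A short comment such as `# image is produced by the CI build job and loaded via docker load; never pulled` would also make the new dependency on the workflow explicit.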
