-
Notifications
You must be signed in to change notification settings - Fork 1
116 lines (103 loc) · 4.47 KB
/
Copy pathci.yml
File metadata and controls
116 lines (103 loc) · 4.47 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
name: CI
# TODO: setup CUE linter for file formatting
# TODO: setup YAML linter?
# TODO: test CUE files
on:
workflow_dispatch: {}
push:
branches: [ main, '+.x', beta, alpha ]
pull_request:
branches: [ main, '+.x', beta, alpha ]
schedule:
- cron: '16 5 * * *' # Every day at 05:16 UTC
# Typically for validating maintenance releases prior publishing them
workflow_call:
secrets:
DOCKERHUB_TOKEN:
required: true
permissions: {}
jobs:
build-and-test:
name: Build & Test
runs-on: ubuntu-24.04
timeout-minutes: 15
permissions:
contents: read
pull-requests: write # Required to write comments to the PR about security scans results
security-events: write # Required to upload found security gaps
steps:
# Firewall rules:
# -> "*.github.com": Standard interactions with GitHub
# -> "objects.githubusercontent.com": Uploading of security reports
# -> "raw.githubusercontent.com": Retrieve license file when building OCI image
# -> "*.docker.io", "*.docker.com" & "docker-images-prod.*.r2.cloudflarestorage.com": Standard interactions with Docker
# -> "*.alpinelinux.org": Standard interactions with Alpine Linux package repositories
# -> "cdn.fwupd.org": Firmware updates (Alpine)
# -> "api.papermc.io": Dynamic retrieval of the PaperMC server
# -> "piston-data.mojang.com": Downloading of the Mojang server
# -> "api.minecraftservices.com": Downloading Yggdrasil public key for Reobfuscation
- name: Harden runner
uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
*.github.com:443
*.githubusercontent.com:443
*.docker.io:443
*.docker.com:443
docker-images-prod.*.r2.cloudflarestorage.com
dl-cdn.alpinelinux.org:443
cdn.fwupd.org:443
api.papermc.io:443
piston-data.mojang.com:443
api.minecraftservices.com:443
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- name: Login to Docker Hub
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
if: github.event.pull_request.head.repo.fork == false
with:
username: ${{ vars.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
- name: Build
uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0
with:
source: .
workdir: src/
targets: test
load: true # Export to Docker - Required for later steps
set: |
*.cache-from=type=gha,timeout=20s
*.cache-to=type=gha,mode=max,timeout=20s
- name: Test
run: src/test/test.sh
- name: Docker Scout
uses: docker/scout-action@f8c776824083494ab0d56b8105ba2ca85c86e4de # v1.18.2
if: github.event.pull_request.head.repo.fork == false
with:
command: compare, cves
image: 'djaytan/papermc-server:test'
to-latest: true
organization: djaytan
sarif-file: results.sarif
- name: Upload to GitHub's code scanning dashboard
uses: github/codeql-action/upload-sarif@9e907b5e64f6b83e7804b09294d44122997950d6 # v4.32.3
if: github.event.pull_request.head.repo.fork == false
with:
sarif_file: results.sarif
# Use a fixed category to ensure consistent configuration across all SARIF uploads.
#
# This prevents the GitHub warning: "Code scanning cannot determine the alerts introduced by this pull request,
# because 1 configuration present on refs/heads/main was not found".
# The warning occurs when different workflows use different categories for SARIF files on the same branch.
#
# Using a single, consistent category (e.g., 'global') ensures all uploads are correctly associated.
#
# Additional details: https://docs.github.com/en/code-security/code-scanning/integrating-with-code-scanning/sarif-support-for-code-scanning#uploading-more-than-one-sarif-file-for-a-commit
category: global