|
| 1 | +name: DevContainer CI |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [ main, develop ] |
| 6 | + paths: |
| 7 | + - '.devcontainer/**' |
| 8 | + - '.github/workflows/devcontainer.yml' |
| 9 | + pull_request: |
| 10 | + branches: [ main ] |
| 11 | + paths: |
| 12 | + - '.devcontainer/**' |
| 13 | + - '.github/workflows/devcontainer.yml' |
| 14 | + schedule: |
| 15 | + # Test weekly to catch upstream image changes |
| 16 | + - cron: '0 6 * * 1' # Every Monday at 6 AM UTC |
| 17 | + workflow_dispatch: |
| 18 | + |
| 19 | +env: |
| 20 | + REGISTRY: ghcr.io |
| 21 | + IMAGE_NAME: aimdb-dev/devcontainer |
| 22 | + |
| 23 | +jobs: |
| 24 | + build-devcontainer: |
| 25 | + runs-on: ubuntu-latest |
| 26 | + permissions: |
| 27 | + contents: read |
| 28 | + packages: write |
| 29 | + |
| 30 | + steps: |
| 31 | + - name: Checkout repository |
| 32 | + uses: actions/checkout@v4 |
| 33 | + |
| 34 | + - name: Set up Docker Buildx |
| 35 | + uses: docker/setup-buildx-action@v3 |
| 36 | + |
| 37 | + - name: Log in to Container Registry |
| 38 | + if: github.event_name != 'pull_request' |
| 39 | + uses: docker/login-action@v3 |
| 40 | + with: |
| 41 | + registry: ${{ env.REGISTRY }} |
| 42 | + username: ${{ github.actor }} |
| 43 | + password: ${{ secrets.GITHUB_TOKEN }} |
| 44 | + |
| 45 | + - name: Extract metadata |
| 46 | + id: meta |
| 47 | + uses: docker/metadata-action@v5 |
| 48 | + with: |
| 49 | + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} |
| 50 | + tags: | |
| 51 | + type=ref,event=branch |
| 52 | + type=ref,event=pr |
| 53 | + type=sha,prefix=sha- |
| 54 | + type=raw,value=latest,enable={{is_default_branch}} |
| 55 | +
|
| 56 | + - name: Build devcontainer image |
| 57 | + uses: docker/build-push-action@v5 |
| 58 | + with: |
| 59 | + context: .devcontainer |
| 60 | + file: .devcontainer/Dockerfile |
| 61 | + platforms: linux/amd64 |
| 62 | + push: ${{ github.event_name != 'pull_request' }} |
| 63 | + tags: ${{ steps.meta.outputs.tags }} |
| 64 | + labels: ${{ steps.meta.outputs.labels }} |
| 65 | + cache-from: type=gha |
| 66 | + cache-to: type=gha,mode=max |
| 67 | + build-args: | |
| 68 | + USERNAME=vscode |
| 69 | + USER_UID=1000 |
| 70 | + USER_GID=1000 |
| 71 | +
|
| 72 | + test-devcontainer: |
| 73 | + runs-on: ubuntu-latest |
| 74 | + needs: build-devcontainer |
| 75 | + if: github.event_name == 'pull_request' || github.event_name == 'push' |
| 76 | + |
| 77 | + steps: |
| 78 | + - name: Checkout repository |
| 79 | + uses: actions/checkout@v4 |
| 80 | + |
| 81 | + - name: Set up Docker Buildx |
| 82 | + uses: docker/setup-buildx-action@v3 |
| 83 | + |
| 84 | + - name: Build test image |
| 85 | + uses: docker/build-push-action@v5 |
| 86 | + with: |
| 87 | + context: .devcontainer |
| 88 | + file: .devcontainer/Dockerfile |
| 89 | + load: true |
| 90 | + tags: aimdb-devcontainer:test |
| 91 | + cache-from: type=gha |
| 92 | + build-args: | |
| 93 | + USERNAME=vscode |
| 94 | + USER_UID=1000 |
| 95 | + USER_GID=1000 |
| 96 | +
|
| 97 | + - name: Test Rust installation |
| 98 | + run: | |
| 99 | + docker run --rm aimdb-devcontainer:test bash -c " |
| 100 | + rustc --version && |
| 101 | + cargo --version && |
| 102 | + rustup --version |
| 103 | + " |
| 104 | +
|
| 105 | + - name: Test embedded targets |
| 106 | + run: | |
| 107 | + docker run --rm aimdb-devcontainer:test bash -c " |
| 108 | + rustup target list --installed | grep -E 'thumbv(6m|7[em])-none-eab[hi]' |
| 109 | + " |
| 110 | +
|
| 111 | + - name: Test development tools |
| 112 | + run: | |
| 113 | + docker run --rm aimdb-devcontainer:test bash -c " |
| 114 | + cargo audit --version && |
| 115 | + cargo watch --version && |
| 116 | + cargo expand --version && |
| 117 | + (probe-rs --version || echo 'probe-rs not installed - this is OK') |
| 118 | + " |
| 119 | +
|
| 120 | + - name: Test system dependencies |
| 121 | + run: | |
| 122 | + docker run --rm aimdb-devcontainer:test bash -c " |
| 123 | + gcc --version && |
| 124 | + arm-none-eabi-gcc --version && |
| 125 | + protoc --version && |
| 126 | + pkg-config --version |
| 127 | + " |
| 128 | +
|
| 129 | + - name: Test user permissions |
| 130 | + run: | |
| 131 | + docker run --rm aimdb-devcontainer:test bash -c " |
| 132 | + whoami && |
| 133 | + id && |
| 134 | + sudo echo 'sudo works' && |
| 135 | + touch /tmp/test-file && |
| 136 | + ls -la /tmp/test-file |
| 137 | + " |
| 138 | +
|
| 139 | + - name: Test AimDB workspace setup |
| 140 | + run: | |
| 141 | + docker run --rm -v ${{ github.workspace }}:/aimdb aimdb-devcontainer:test bash -c " |
| 142 | + cd /aimdb && |
| 143 | + ls -la && |
| 144 | + # Test if we can run basic cargo commands (if Cargo.toml exists) |
| 145 | + if [ -f Cargo.toml ]; then |
| 146 | + cargo check --version || echo 'No Cargo.toml found, skipping cargo check' |
| 147 | + else |
| 148 | + echo 'No Cargo.toml found yet - this is expected for early development' |
| 149 | + fi |
| 150 | + " |
| 151 | +
|
| 152 | + security-scan: |
| 153 | + runs-on: ubuntu-latest |
| 154 | + needs: build-devcontainer |
| 155 | + if: github.event_name != 'pull_request' |
| 156 | + |
| 157 | + steps: |
| 158 | + - name: Checkout repository |
| 159 | + uses: actions/checkout@v4 |
| 160 | + |
| 161 | + - name: Set up Docker Buildx |
| 162 | + uses: docker/setup-buildx-action@v3 |
| 163 | + |
| 164 | + - name: Build image for scanning |
| 165 | + uses: docker/build-push-action@v5 |
| 166 | + with: |
| 167 | + context: .devcontainer |
| 168 | + file: .devcontainer/Dockerfile |
| 169 | + load: true |
| 170 | + tags: aimdb-devcontainer:scan |
| 171 | + cache-from: type=gha |
| 172 | + |
| 173 | + - name: Run Trivy vulnerability scanner |
| 174 | + uses: aquasecurity/trivy-action@master |
| 175 | + with: |
| 176 | + image-ref: aimdb-devcontainer:scan |
| 177 | + format: 'sarif' |
| 178 | + output: 'trivy-results.sarif' |
| 179 | + |
| 180 | + - name: Upload Trivy scan results to GitHub Security tab |
| 181 | + uses: github/codeql-action/upload-sarif@v3 |
| 182 | + if: always() |
| 183 | + with: |
| 184 | + sarif_file: 'trivy-results.sarif' |
0 commit comments