docker-prod-test/.github/workflows/ci-bake.yaml at 2e3ffa0f64d8fe59610c293c1f4d4c5a0e61cbff · codeedu/docker-prod-test · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
name: CI Bake

on:
  push:
    branches: [ "main" ]
    # Publish semver tags as releases.
    tags: [ 'v*.*.*' ]
  pull_request:
    branches: [ "main" ]

env:
  REGISTRY: docker.io
  DOCKER_USERNAME: argentinaluiz
  IMAGE_NAME: argentinaluiz/docker-prod-test
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
jobs:
  ci:

    runs-on: ubuntu-latest
    permissions:
      contents: read # Ler o conteúdo do repositório
      packages: write # Permitir publicar pacotes no GitHub Packages
      pull-requests: write # Permitir criar e atualizar pull requests
      security-events: write # Enviar eventos de segurança para o Github Security
      id-token: write # Permitir emitir tokens OIDC para autenticação com provedores externos

    steps:
      - name: Checkout repository
        uses: actions/checkout@v4

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v3
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ env.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_TOKEN }}

      - name: Build for CI
        id: build-ci
        uses: docker/bake-action@v6
        env:
          github_token: ${{ secrets.GITHUB_TOKEN }}
        with:
          files: ./src/ci/docker-bake.hcl
          push: false
          load: true
          targets: ci
          set: |
            ci.cache-from=type=gha
            ci.cache-to=type=gha,mode=max
            ci.tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci

      - name: Up containers
        run: docker compose -f ./src/ci/nestjs-project/compose.ci.yaml up -d --wait-timeout 10

      - name: Run tests
        run: echo "Running tests..."

      - name: Build for analysis
        id: build-for-analysis
        uses: docker/bake-action@v6
        env:
          github_token: ${{ secrets.GITHUB_TOKEN }}
        with:
          push: false
          load: true
          targets: prod
          files: |
            ./src/ci/docker-bake.hcl
          set: |
            prod.cache-from=type=gha
            prod.cache-to=type=gha,mode=max
            prod.tags=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}

      - name: Analyze for critical and high CVEs
        id: docker-scout-cves
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
          only-severities: critical,high
          only-fixed: true
          summary: true # publicar github actions e pull request
          exit-code: true

      - name: Analyze for all CVEs
        id: docker-scout-all-cves
        uses: docker/scout-action@v1
        with:
          command: cves
          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
          summary: true
          sarif-file: sarif.output.json

      - name: Upload SARIF result
        id: upload-sarif
        if: ${{ github.event_name != 'pull_request' }}
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: sarif.output.json

      - name: Extract Docker metadata
        id: meta
        if: github.event_name != 'pull_request'
        uses: docker/metadata-action@v5.0.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Build final
        id: build-final
        if: github.event_name != 'pull_request'
        uses: docker/bake-action@v6
        env:
          github_token: ${{ secrets.GITHUB_TOKEN }}
        with:
          push: ${{ github.event_name != 'pull_request' }}
          provenance: mode=max
          sbom: true
          targets: prod
          files: |
            ./src/ci/docker-bake.hcl
            cwd://${{ steps.meta.outputs.bake-file }}
          set: |
            prod.cache-from=type=gha
            prod.cache-to=type=gha,mode=max
            prod.tags=${{ steps.meta.outputs.tags }}

      - name: Install cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@v3.5.0
        with:
          cosign-release: 'v2.2.4'

      - name: Sign the published Docker image
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          DIGEST: ${{ fromJSON(steps.build-final.outputs.metadata).default['containerimage.digest'] }}
        run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}