Enhancement: Add image name and push policy to devcontainer test job #9
| name: CI | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| actions: read | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| name: Build and Validate | |
| outputs: | |
| image-name: ${{ steps.build.outputs.image-name }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install missing dependencies | |
| run: sudo apt-get update && sudo apt-get install -y tcl | |
| - name: Check Docker Compose file existence | |
| run: test -f .devcontainer/docker-compose.yml && echo "Docker Compose file exists" | |
| - name: Validate docker-compose.yml | |
| run: docker compose -f .devcontainer/docker-compose.yml config | |
| - name: Lint Dockerfile | |
| uses: hadolint/hadolint-action@v3.1.0 | |
| with: | |
| dockerfile: .devcontainer/Dockerfile | |
| - name: Check for secrets | |
| uses: gitleaks/gitleaks-action@v2 | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build Docker image | |
| id: build | |
| run: | | |
| IMAGE_NAME="dev-template:${{ github.sha }}" | |
| docker build -t "$IMAGE_NAME" .devcontainer/ | |
| echo "image-name=$IMAGE_NAME" >> $GITHUB_OUTPUT | |
| - name: Save Docker image as artifact | |
| run: | | |
| docker save ${{ steps.build.outputs.image-name }} | gzip > dev-template.tar.gz | |
| - name: Upload Docker image artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: docker-image | |
| path: dev-template.tar.gz | |
| test: | |
| runs-on: ubuntu-latest | |
| name: Test Devcontainer | |
| needs: build | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Install missing dependencies | |
| run: sudo apt-get update && sudo apt-get install -y tcl | |
| - name: Check Docker Compose version | |
| run: docker compose version | |
| - name: Test devcontainer functionality | |
| uses: devcontainers/ci@v0.3 | |
| with: | |
| imageName: ghcr.io/idvoretskyi/dev-test | |
| push: never | |
| runCmd: | | |
| # Test basic tools are available | |
| which tclsh || echo "tclsh is missing" | |
| which docker || echo "docker is missing" | |
| which kubectl || echo "kubectl is missing" | |
| which helm || echo "helm is missing" | |
| which gh || echo "gh is missing" | |
| which node || echo "node is missing" | |
| which npm || echo "npm is missing" | |
| # Test essential packages | |
| curl --version | |
| jq --version | |
| security-scan: | |
| runs-on: ubuntu-latest | |
| name: Security and SBOM Analysis | |
| needs: build | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Download Docker image artifact | |
| uses: actions/download-artifact@v4 | |
| with: | |
| name: docker-image | |
| - name: Load Docker image | |
| run: | | |
| docker load < dev-template.tar.gz | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: '${{ needs.build.outputs.image-name }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate SBOM | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: '${{ needs.build.outputs.image-name }}' | |
| format: 'spdx-json' | |
| output-file: 'sbom.spdx.json' | |
| - name: Upload SBOM as artifact | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: sbom | |
| path: sbom.spdx.json |
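Review bot: The new `imageName: ghcr.io/idvoretskyi/dev-test` on the `devcontainers/ci@v0.3` step names a registry path the `test` job never authenticates to or references again, and with `push: never` the action appears to build its own image from `.devcontainer` rather than the one the `build` job saved as the `docker-image` artifact — the test job has no download-artifact/`docker load` step, unlike `security-scan` — so the image that is exercised is not, as far as the visible steps show, the image that Trivy and the SBOM step analyse. If that split is intentional, say so next to the new lines, e.g. `# Rebuilt from .devcontainer for the test only; security-scan scans the artifact from the build job`, and otherwise consider loading the artifact here as `security-scan` does. Separately, the action references in these jobs are mutable tags (`devcontainers/ci@v0.3`, and `aquasecurity/trivy-action@master` in the scan job), so pinning each to a full commit SHA with the tag in a trailing comment would keep a moved tag from silently changing what runs with the workflow token. Note also that every `runCmd` line is `which tool || echo "... is missing"`, which never exits non-zero, so a missing tool cannot fail the step — probably pre-existing, but if the check is meant to gate the job the `|| echo` fallbacks should go and the script should start with `set -e`.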