@@ -22,97 +22,121 @@ jobs:
2222 name : Download AV database
2323 runs-on : ubuntu-24.04
2424 steps :
25- - run : |
26- apt-get update -y && apt-get -y --no-install-recommends install clamav ca-certificates
27- freshclam
25+ - name : Install clamav and update databases
26+ run : |
27+ sudo apt-get update -y
28+ sudo apt-get -y --no-install-recommends install clamav ca-certificates
29+ sudo systemctl stop clamav-freshclam.service
30+ sudo freshclam
2831 - name : Cache clamav databases
2932 uses : actions/cache/save@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
3033 with :
3134 path : /var/lib/clamav
32- key : clamav-${{ runner.os }}-${{ github.run_id }}
33- image :
34- name : Build image
35+ key : clamav-${{ github.run_id }}
36+ # image:
37+ # name: Build image
38+ # needs: av_database
39+ # runs-on: ubuntu-22.04
40+ # permissions:
41+ # contents: read
42+ # id-token: write
43+ # strategy:
44+ # fail-fast: false
45+ # matrix:
46+ # image:
47+ # - intel-fpga-admissionwebhook
48+ # - intel-fpga-initcontainer
49+ # - intel-gpu-initcontainer
50+ # - intel-gpu-plugin
51+ # - intel-fpga-plugin
52+ # - intel-qat-initcontainer
53+ # - intel-qat-plugin
54+ # - intel-deviceplugin-operator
55+ # - intel-sgx-admissionwebhook
56+ # - intel-sgx-plugin
57+ # - intel-sgx-initcontainer
58+ # - intel-dsa-plugin
59+ # - intel-iaa-plugin
60+ # - intel-idxd-config-initcontainer
61+ # - intel-dlb-plugin
62+ # - intel-dlb-initcontainer
63+ # - intel-xpumanager-sidecar
64+
65+ # # # Demo images
66+ # - crypto-perf
67+ # - opae-nlb-demo
68+ # steps:
69+ # - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
70+ # - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
71+ # with:
72+ # go-version-file: go.mod
73+ # check-latest: true
74+ # - name: Prepare cache directory
75+ # run: |
76+ # sudo mkdir -p /var/lib/clamav
77+ # sudo chmod a+rwx /var/lib/clamav
78+ # - name: Retrieve AV database
79+ # uses: actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
80+ # with:
81+ # path: /var/lib/clamav
82+ # key: clamav-${{ github.run_id }}
83+ # - run: make -e vendor
84+ # - name: Build image
85+ # env:
86+ # IMAGE_NAME: ${{ matrix.image }}
87+ # run: |
88+ # ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
89+ # - name: Trivy scan for image
90+ # uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
91+ # with:
92+ # scan-type: image
93+ # image-ref: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
94+ # exit-code: 1
95+ # - name: Malware scan
96+ # env:
97+ # FULL_IMAGE: ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
98+ # IMG_FILE: ${{ matrix.image }}-${{ inputs.image_tag }}.tar
99+ # run: |
100+ # sudo apt-get update -y
101+ # sudo apt-get -y --no-install-recommends install clamav ca-certificates
102+ # sudo systemctl stop clamav-freshclam.service
103+ # sudo freshclam
104+ # docker save $FULL_IMAGE -o $IMG_FILE
105+ # clamscan $IMG_FILE
106+ # - name: Test image base layer
107+ # # Don't run base layer check for selected images
108+ # if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
109+ # run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
110+ # - name: Login
111+ # uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
112+ # with:
113+ # username: ${{ secrets.DOCKERHUB_USER }}
114+ # password: ${{ secrets.DOCKERHUB_PASS }}
115+ # - name: Push
116+ # run: docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
117+ # - name: Get image digest
118+ # if: ${{ inputs.image_tag != 'devel' }}
119+ # id: digest
120+ # run: |
121+ # echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
122+ # - name: Install cosign
123+ # if: ${{ inputs.image_tag != 'devel' }}
124+ # uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #v3.6.0
125+ # - name: Keyless image sign
126+ # if: ${{ inputs.image_tag != 'devel' }}
127+ # run: |
128+ # cosign sign --yes ${{ steps.digest.outputs.image_sha }}
129+ cleanup :
130+ runs-on : ubuntu-latest
131+ # needs: image
35132 needs : av_database
36- runs-on : ubuntu-22.04
37133 permissions :
38- contents : read
39- id-token : write
40- strategy :
41- fail-fast : false
42- matrix :
43- image :
44- - intel-fpga-admissionwebhook
45- # - intel-fpga-initcontainer
46- # - intel-gpu-initcontainer
47- - intel-gpu-plugin
48- # - intel-fpga-plugin
49- # - intel-qat-initcontainer
50- # - intel-qat-plugin
51- # - intel-deviceplugin-operator
52- # - intel-sgx-admissionwebhook
53- # - intel-sgx-plugin
54- # - intel-sgx-initcontainer
55- - intel-dsa-plugin
56- # - intel-iaa-plugin
57- # - intel-idxd-config-initcontainer
58- # - intel-dlb-plugin
59- # - intel-dlb-initcontainer
60- # - intel-xpumanager-sidecar
61-
62- # # Demo images
63- - crypto-perf
64- - opae-nlb-demo
134+ contents : write
65135 steps :
66136 - uses : actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
67- - uses : actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5
68- with :
69- go-version-file : go.mod
70- check-latest : true
71- - run : make -e vendor
72- - name : Build image
73- env :
74- IMAGE_NAME : ${{ matrix.image }}
137+ - name : Remove av database cache
75138 run : |
76- ORG=${{ inputs.registry }} TAG=${{ inputs.image_tag }} make ${IMAGE_NAME} BUILDER=docker
77- - name : Trivy scan for image
78- uses : aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
79- with :
80- scan-type : image
81- image-ref : ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
82- exit-code : 1
83- - name : Retrieve AV database
84- uses : actions/cache/restore@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
85- with :
86- name : av-database
87- key : clamav-${{ runner.os }}-${{ github.run_id }}
88- - name : Malware scan
139+ gh extension install actions/gh-actions-cache
140+ gh actions-cache delete clamav-${{ github.run_id }} --confirm
89141 env :
90- FULL_IMAGE : ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
91- IMG_FILE : ${{ matrix.image }}-${{ inputs.image_tag }}.tar
92- run : |
93- apt-get update -y && apt-get -y --no-install-recommends install clamav ca-certificates
94- docker save $FULL_IMAGE -o $IMG_FILE
95- clamscan $IMG_FILE
96- # - name: Test image base layer
97- # # Don't run base layer check for selected images
98- # if: ${{ !contains(fromJson(env.no_base_check), matrix.image) }}
99- # run: IMG=${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }} make test-image-base-layer BUILDER=docker
100- # - name: Login
101- # uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3
102- # with:
103- # username: ${{ secrets.DOCKERHUB_USER }}
104- # password: ${{ secrets.DOCKERHUB_PASS }}
105- # - name: Push
106- # run: docker push ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }}
107- # - name: Get image digest
108- # if: ${{ inputs.image_tag != 'devel' }}
109- # id: digest
110- # run: |
111- # echo "image_sha=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.registry }}/${{ matrix.image }}:${{ inputs.image_tag }})" >> $GITHUB_OUTPUT
112- # - name: Install cosign
113- # if: ${{ inputs.image_tag != 'devel' }}
114- # uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 #v3.6.0
115- # - name: Keyless image sign
116- # if: ${{ inputs.image_tag != 'devel' }}
117- # run: |
118- # cosign sign --yes ${{ steps.digest.outputs.image_sha }}
142+ GH_TOKEN : ${{ secrets.GITHUB_TOKEN }}
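Review bot: The cleanup job's `Remove av database cache` step pulls `gh extension install actions/gh-actions-cache` from that repository's default branch at run time, so it is the only third-party code in this workflow that is not pinned to a commit SHA, and it runs with the repository `GITHUB_TOKEN`. Recent gh CLI releases on the hosted runner ship cache management natively, so the step can drop the extension entirely: `run: gh cache delete clamav-${{ github.run_id }}` (if the extension must stay, pin it with `--pin`). The job's `permissions` block grants `contents: write`, which the step never uses, while deleting a cache goes through the Actions cache API, which to my knowledge is gated on `actions: write`; `actions: write` plus `contents: read` would be both sufficient and least-privilege. Consider also giving the job `if: always()` once `needs: image` is re-enabled so a failed scan does not leave the database cache behind. The ninety-odd commented-out lines of the former `image` job are recoverable from history and are easier to keep correct as a deleted block than as YAML comments.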