Skip to content

Commit

Permalink
Add scanning option (#472)
Browse files Browse the repository at this point in the history
* Add a scanning option for vulnerabilities



---------

Co-authored-by: spatialgeobyte <[email protected]>
  • Loading branch information
NyakudyaA and spatialgeobyte authored May 24, 2024
1 parent 0772eb3 commit 98e2513
Show file tree
Hide file tree
Showing 3 changed files with 89 additions and 63 deletions.
2 changes: 1 addition & 1 deletion .github/dependabot.yml
Original file line number Diff line number Diff line change
Expand Up @@ -3,4 +3,4 @@ updates:
- package-ecosystem: "github-actions"
directory: "/"
schedule:
interval: "monthly"
interval: "weekly"
141 changes: 84 additions & 57 deletions .github/workflows/build-latest.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,24 @@ on:
pull_request:
branches:
- develop
paths:
- 'Dockerfile'
- 'scripts/**'
- 'base_build/**'
- '.github/workflows/**'
push:
branches:
- develop
paths:
- 'Dockerfile'
- 'scripts/**'
- 'build_data/**'
- '.github/workflows/**'
jobs:
run-scenario-tests:
build-docker-image:
runs-on: ubuntu-latest
timeout-minutes: 25
if: github.actor != 'dependabot[bot]'
strategy:
matrix:
postgresMajorVersion:
Expand All @@ -22,14 +34,6 @@ jobs:
- imageDistro: debian
imageDistroVersion: bookworm
imageDistroVariant: slim
scenario:
- datadir_init
- streaming_replication
- collations
- extensions
- logical_replication
- init_scripts
- multiple_databases
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
Expand All @@ -45,6 +49,7 @@ jobs:
push: false
load: true
tags: kartoza/postgis:manual-build
outputs: type=docker,dest=/tmp/postgis.tar
build-args: |
DISTRO=${{ matrix.imageVersion.imageDistro }}
IMAGE_VERSION=${{ matrix.imageVersion.imageDistroVersion }}
Expand All @@ -55,42 +60,88 @@ jobs:
POSTGIS_MAJOR_VERSION=${{ matrix.postgisMajorVersion }}
POSTGIS_MINOR_VERSION=${{ matrix.postgisMinorRelease }}
cache-from: |
type=gha,scope=test
type=gha,scope=prod
type=gha,scope=base
type=gha,scope=test
type=gha,scope=prod
type=gha,scope=base
cache-to: type=gha,scope=test
target: postgis-test
- name: Upload artifact
uses: actions/upload-artifact@v4
with:
name: kartoza-postgis
path: /tmp/postgis.tar

run-scenario-tests:
runs-on: ubuntu-latest
needs: [build-docker-image]
timeout-minutes: 20
if: github.actor != 'dependabot[bot]'
strategy:
matrix:
scenario:
- datadir_init
- streaming_replication
- collations
- extensions
- logical_replication
- init_scripts
- multiple_databases
steps:
- uses: actions/checkout@v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: kartoza-postgis
path: /tmp
- name: Load image
run: |
docker load --input /tmp/postgis.tar
- name: Run scenario test ${{ matrix.scenario }}
working-directory: scenario_tests/${{ matrix.scenario }}
env:
COMPOSE_INTERACTIVE_NO_CLI: 1
PRINT_TEST_LOGS: 1
run: |
bash ./test.sh
scan_image:
runs-on: ubuntu-latest
timeout-minutes: 20
if: github.actor != 'dependabot[bot]'
needs: [build-docker-image, run-scenario-tests]
steps:
- uses: actions/checkout@v4
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: kartoza-postgis
path: /tmp
- name: Load image
run: |
docker load --input /tmp/postgis.tar
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
format: 'sarif'
ignore-unfixed: true
image-ref: kartoza/postgis:manual-build
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
vuln-type: 'os,library'

push-internal-pr-images:
if: github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url
if: github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url && github.actor != 'dependabot[bot]'
runs-on: ubuntu-latest
needs: [ run-scenario-tests ]
strategy:
matrix:
postgresMajorVersion:
- 16
postgisMajorVersion:
- 3
postgisMinorRelease:
- 4
imageVersion:
- imageDistro: debian
imageDistroVersion: bookworm
imageDistroVariant: slim
needs: [ build-docker-image, run-scenario-tests ]
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Download artifact
uses: actions/download-artifact@v4
with:
name: kartoza-postgis
path: /tmp
- name: Load image
run: |
docker load --input /tmp/postgis.tar
- name: Login to DockerHub
uses: docker/login-action@v3
with:
Expand All @@ -102,31 +153,7 @@ jobs:
with:
images: ${{ secrets.DOCKERHUB_REPO}}/postgis
tags: |
type=semver,pattern={{version}}
type=semver,pattern=\d.\d.\d
type=ref,event=branch
type=ref,event=pr
- name: Build image for testing
id: docker_build_testing_image
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile
push: true
tags: |
${{ steps.docker_meta.outputs.tags }}-${{ matrix.postgresMajorVersion }}-${{ matrix.postgisMajorVersion }}.${{ matrix.postgisMinorRelease }}
build-args: |
DISTRO=${{ matrix.imageVersion.imageDistro }}
IMAGE_VERSION=${{ matrix.imageVersion.imageDistroVersion }}
IMAGE_VARIANT=${{ matrix.imageVersion.imageDistroVariant }}
LANGS=en_US.UTF-8,id_ID.UTF-8
GENERATE_ALL_LOCALE=0
POSTGRES_MAJOR_VERSION=${{ matrix.postgresMajorVersion }}
POSTGIS_MAJOR_VERSION=${{ matrix.postgisMajorVersion }}
POSTGIS_MINOR_VERSION=${{ matrix.postgisMinorRelease }}
cache-from: |
type=gha,scope=test
type=gha,scope=prod
type=gha,scope=base
cache-to: type=gha,scope=test
target: postgis-test

9 changes: 4 additions & 5 deletions .github/workflows/deploy-image.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,8 @@ on:
jobs:
deploy-image:
runs-on: ubuntu-latest
timeout-minutes: 20
if: github.actor != 'dependabot[bot]'
env:
latest-ref: refs/heads/develop
strategy:
Expand All @@ -37,14 +39,11 @@ jobs:
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}

- name: Get Current Date
id: current_date
shell: python
run: |
import datetime
now = datetime.datetime.utcnow()
print(f'::set-output name=formatted::{now:%Y.%m.%d}')
run: echo "formatted=$(date -u +%Y.%m.%d)" >> $GITHUB_OUTPUT

- name: Build base image
id: docker_build_base
Expand Down

0 comments on commit 98e2513

Please sign in to comment.