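---
# PR gate for `main`: lint/build/test the Node project, build the Docker image
# without pushing it, hand the image between jobs as an artifact, then scan it.
name: Pull Request Check

# yamllint disable-line rule:truthy -- `on` is the GitHub Actions trigger key
on:
  pull_request:
    branches: ['main']

# Least privilege for the workflow token: nothing below pushes an image,
# writes checks or comments on the PR, so read access to the repo suffices.
permissions:
  contents: read

# NOTE(review): third-party actions are pinned to major tags (@v4, @v3, @v5);
# pinning to a full commit SHA is the stronger supply-chain control.
jobs:
  build:
    runs-on: ubuntu-latest
    strategy:
      matrix:
        # Quoted so the value is a string under every YAML loader.
        node-version: ['22.x']
    steps:
      - uses: actions/checkout@v4
      - name: Use Node.js ${{ matrix.node-version }}
        uses: actions/setup-node@v4
        with:
          node-version: ${{ matrix.node-version }}
          cache: 'npm'
      - run: npm ci
      - run: npm run lint
      - run: npm run build --if-present
      - run: npm test
      - name: Upload test coverage
        uses: actions/upload-artifact@v4
        with:
          name: coverage
          path: coverage/
          if-no-files-found: warn

  docker-build:
    runs-on: ubuntu-latest
    # Ensures the docker-build job runs after the build job
    needs: build
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          driver: docker-container
      - name: Build Docker image for validation
        uses: docker/build-push-action@v5
        with:
          context: .
          tags: metalheads/metal-api:pr-${{ github.event.pull_request.number }}
          push: false  # Keeps the image local to the runner
          load: true  # Loads the image into the local Docker daemon
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Save Docker image as an artifact
        run: docker save metalheads/metal-api:pr-${{ github.event.pull_request.number }} -o metal-api.tar
      # Runs before the upload (it previously ran after it), so a missing tar
      # fails this job here instead of surfacing only as a warning from
      # upload-artifact and an empty artifact for the scan job.
      - name: Verify image tar exists before upload
        run: ls -l metal-api.tar
      - name: Upload image artifact
        uses: actions/upload-artifact@v4
        with:
          name: metal-api-image
          path: metal-api.tar

  vulnerability-scan:
    runs-on: ubuntu-latest
    needs: docker-build  # Runs after docker-build job
    steps:
      - uses: actions/checkout@v4
      # NOTE(review): the steps below shell out to `trivy` but nothing here
      # installs it, so this relies on the runner image already providing the
      # binary — confirm, or add an install step ahead of the cache steps.
      # Cache Trivy DB
      - name: Cache Trivy DB
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy/db
          # run_id is unique per run, so the exact key never hits; the
          # restore-keys prefix is what actually restores a previous DB.
          key: trivy-db-${{ github.run_id }}
          restore-keys: |
            trivy-db-
      # Cache Trivy Policies
      - name: Cache Trivy Policies
        uses: actions/cache@v4
        with:
          path: ~/.cache/trivy/policy
          key: trivy-policies-${{ github.run_id }}
          restore-keys: |
            trivy-policies-
      # Pre-download Trivy DB and Policies
      - name: Pre-download Trivy DB and Policies
        run: |
          mkdir -p ~/.cache/trivy
          trivy image --download-db-only
          trivy --scanners config --download-policies
        env:
          # NOTE(review): values under `env:` are not shell-expanded, so the
          # leading `~` reaches trivy literally — confirm trivy expands it, or
          # export an absolute path from a `run:` step via $GITHUB_ENV.
          TRIVY_CACHE_DIR: ~/.cache/trivy
      # Download image artifact
      - name: Download image artifact
        uses: actions/download-artifact@v4
        with:
          name: metal-api-image
      # Load Docker image
      - name: Load Docker image
        run: docker load -i metal-api.tar
      # Run Trivy vulnerability scan
      - name: Run Trivy Scan
        # --exit-code 1 makes findings fail the check; without it the scan is
        # informational only and the PR passes regardless of what is found.
        # The CRITICAL,HIGH threshold is a policy choice — adjust as needed.
        run: >-
          trivy image --exit-code 1 --severity CRITICAL,HIGH
          metalheads/metal-api:pr-${{ github.event.pull_request.number }}
        env:
          TRIVY_CACHE_DIR: ~/.cache/trivy
          # Read-only token (see `permissions` above); presumably passed so
          # trivy's DB/policy downloads are not rate-limited — verify.
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}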