Skip to content

Commit

Permalink
Initial commit
Browse files Browse the repository at this point in the history
  • Loading branch information
@dedene
dedene committed Oct 3, 2023
0 parents commit f0543e6
Show file tree
Hide file tree
Showing 11 changed files with 662 additions and 0 deletions.
2 changes: 2 additions & 0 deletions .dockerignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# Ignore everything
*
4 changes: 4 additions & 0 deletions .github/auto-merge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
# Run on autopilot
- match:
dependency_type: all
update_type: all
13 changes: 13 additions & 0 deletions .github/dependabot.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
version: 2
updates:
# Maintain dependencies for GitHub Actions
- package-ecosystem: 'github-actions'
directory: '/'
schedule:
interval: 'daily'

# Maintain dependencies within Dockerfiles
- package-ecosystem: 'docker'
directory: '/'
schedule:
interval: 'daily'
14 changes: 14 additions & 0 deletions .github/workflows/auto-merge.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
name: Auto-Merge Dependabot PRs

on:
pull_request:

jobs:
auto-merge:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: ahmadnassri/action-dependabot-auto-merge@v2
with:
target: minor
github-token: ${{ secrets.GH_TOKEN }}
199 changes: 199 additions & 0 deletions .github/workflows/build.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,199 @@
name: Build and push container images

on:
workflow_dispatch:
push:
branches: [main]
paths:
- Dockerfile
pull_request:
branches: [main]
paths:
- Dockerfile

env:
DOCKER_BUILDKIT: 1
COSIGN_EXPERIMENTAL: 1

jobs:
metadata:
name: Get image and repo details
runs-on: ubuntu-latest

outputs:
name: ${{ steps.name.outputs.name }}
title: ${{ steps.title.outputs.title }}
version: ${{ steps.version.outputs.version }}
branch: ${{ steps.branch.outputs.branch }}
labels: ${{ steps.metadata.outputs.labels }}
tags: ${{ steps.metadata.outputs.tags }}
platforms: linux/amd64,linux/arm64,linux/arm/v7

steps:
- name: Checkout repo
uses: actions/checkout@v4

- name: Generate docker-compliant image name
id: name
run: echo "name=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT

- name: Generate OCI image title
id: title
run:
echo "title=$(echo ${GITHUB_REPOSITORY#*/} | sed 's/docker-//')" | tee -a $GITHUB_OUTPUT

- name: Parse Caddy version
id: version
run:
echo "version=$(grep -Eo 'caddy:[0-9]+\.[0-9]+\.[0-9]+$' Dockerfile | cut -d ':' -f2)" |
tee -a $GITHUB_OUTPUT

- name: Generate build tag from head
id: branch
run: |
export GIT_REF=${GITHUB_HEAD_REF:-$GITHUB_REF_NAME}
echo "branch=$(echo ${GIT_REF,,} | sed 's/[^a-zA-Z0-9]/-/g')" | tee -a $GITHUB_OUTPUT
- name: Generate Docker metadata with Caddy version
uses: docker/metadata-action@v4
id: metadata
with:
images: |
docker.io/${{ steps.name.outputs.name }}
ghcr.io/${{ steps.name.outputs.name }}
tags: |
type=semver,pattern={{version}},value=v${{ steps.version.outputs.version }}
type=semver,pattern={{major}}.{{minor}},value=v${{ steps.version.outputs.version }}
type=semver,pattern={{major}},value=v${{ steps.version.outputs.version }}
labels: |
org.opencontainers.image.title=${{ steps.title.outputs.title }}
build:
name: Build container image
runs-on: ubuntu-latest
needs: [metadata]

permissions:
id-token: write # keyless Cosign signatures
pull-requests: write # PR comments

outputs:
digest: ${{ steps.build.outputs.digest }}
image-ref: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }}

steps:
- name: Checkout repo
uses: actions/checkout@v4

- name: Install Cosign
uses: sigstore/[email protected]

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Build Docker image
uses: docker/build-push-action@v4
id: build
with:
context: .
push: true # to ttl.sh
tags: ttl.sh/${{ needs.metadata.outputs.name }}:${{ github.sha }}
labels: ${{ needs.metadata.outputs.labels }}
platforms: ${{ needs.metadata.outputs.platforms }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Sign container images
run: |
cosign sign --yes --recursive \
"ttl.sh/$IMAGE_NAME@$IMAGE_DIGEST"
env:
IMAGE_NAME: ${{ needs.metadata.outputs.name }}
IMAGE_DIGEST: ${{ steps.build.outputs.digest }}

trivy:
name: Run Trivy scanner
needs: [build]
uses: ./.github/workflows/trivy.yml
with:
image-ref: ${{ needs.build.outputs.image-ref }}

publish:
name: Publish container image
needs: [metadata, build, trivy]
runs-on: ubuntu-latest

permissions:
id-token: write # keyless Cosign signatures
packages: write # GHCR
contents: write # git tags

if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
steps:
- name: Checkout repo
uses: actions/checkout@v4

- name: Install Cosign
uses: sigstore/[email protected]

- name: Set up QEMU
uses: docker/setup-qemu-action@v3

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Login to Docker Hub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}

- name: Login to GitHub Container Repository
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}

- name: Verify container images
run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
${{ needs.build.outputs.image-ref }}
- name: Publish container image
uses: docker/build-push-action@v4
id: publish
with:
context: .
push: true
tags: ${{ needs.metadata.outputs.tags }}
labels: ${{ needs.metadata.outputs.labels }}
platforms: ${{ needs.metadata.outputs.platforms }}
cache-from: type=gha
cache-to: type=gha,mode=max

- name: Sign container images
run: |
cosign sign --yes --recursive "docker.io/$IMAGE_NAME@$IMAGE_DIGEST"
cosign sign --yes --recursive "ghcr.io/$IMAGE_NAME@$IMAGE_DIGEST"
env:
IMAGE_NAME: ${{ needs.metadata.outputs.name }}
IMAGE_DIGEST: ${{ steps.publish.outputs.digest }}

- name: Push version tags
run: |
MAJOR=$(echo $CADDY_VERSION | cut -d . -f 1)
MINOR=$(echo $CADDY_VERSION | cut -d . -f 2)
git tag -f "v$MAJOR"
git tag -f "v$MAJOR.$MINOR"
git tag -f "v$CADDY_VERSION"
git push -f -u origin "v$MAJOR"
git push -f -u origin "v$MAJOR.$MINOR"
git push -f -u origin "v$CADDY_VERSION"
env:
CADDY_VERSION: ${{ needs.metadata.outputs.version }}
29 changes: 29 additions & 0 deletions .github/workflows/readme.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
name: Sync GitHub README with Docker Hub

on:
workflow_dispatch:
push:
branches: [main]
paths:
- README.md

jobs:
github-docker:
name: Sync GitHub README with Docker Hub
runs-on: ubuntu-latest

steps:
- name: Checkout repo
uses: actions/checkout@v4

- name: Generate docker-compliant image name
run:
echo "IMAGE_NAME=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//')" | tee -a $GITHUB_ENV

- name: Update Docker Hub description
uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKER_HUB_USER }}
password: ${{ secrets.DOCKER_HUB_PASSWORD }}
repository: ${{ env.IMAGE_NAME }}
short-description: ${{ github.event.repository.description }}
103 changes: 103 additions & 0 deletions .github/workflows/trivy.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,103 @@
name: Trivy Security Scan

on:
workflow_dispatch:
schedule:
- cron: 0 0 * * * # daily at midnight
workflow_call:
inputs:
image-ref:
type: string
required: false
description: Container Ref to be scanned by Trivy

env:
DOCKER_BUILDKIT: 1
COSIGN_EXPERIMENTAL: 1

jobs:
trivy-repo:
name: Scan repository
runs-on: ubuntu-latest

permissions:
security-events: write # upload security results

steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Scan repo filesystem
uses: aquasecurity/[email protected]
with:
scan-type: fs
format: sarif
output: trivy-results.sarif

- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}

trivy-docker:
name: Scan container image
runs-on: ubuntu-latest

permissions:
security-events: write # upload security results

steps:
- name: Checkout repo
uses: actions/checkout@v4
with:
fetch-depth: 0

- name: Get main branch SHA
run: |
git pull origin main:main
echo "BASE_SHA=$(git merge-base --fork-point main)" | tee -a $GITHUB_ENV
- name: Install Cosign
uses: sigstore/[email protected]

- name: Generate docker-compliant image name
run: |
if [[ -z "$IMAGE_REF" ]]; then
echo "IMAGE_REF=$(echo ${GITHUB_REPOSITORY,,} | sed 's/docker-//'):latest" | tee -a $GITHUB_ENV
else
echo "IMAGE_REF=$IMAGE_REF" | tee -a $GITHUB_ENV
fi
env:
IMAGE_REF: ${{ inputs.image-ref }}

- name: Verify container images
run: |
cosign verify \
--certificate-oidc-issuer https://token.actions.githubusercontent.com \
--certificate-identity-regexp https://github.com/$GITHUB_REPOSITORY/.github/workflows/ \
$IMAGE_REF
- name: Scan container image
uses: aquasecurity/[email protected]
with:
image-ref: ${{ env.IMAGE_REF }}
format: sarif
output: trivy-results.sarif

- name: Upload scan results to GitHub Security
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: trivy-results.sarif
ref: refs/heads/main
sha: ${{ env.BASE_SHA }}
Loading

0 comments on commit f0543e6

Please sign in to comment.