repatch scout cli #81
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Publish Docker image for Render & Railway deployments | |
concurrency: | |
group: build-${{ github.ref }} | |
cancel-in-progress: true | |
on: | |
push: | |
branches: ['render'] | |
paths-ignore: | |
- '**.md' | |
- 'cloud-deployments/*' | |
- 'images/**/*' | |
- '.vscode/**/*' | |
- '**/.env.example' | |
- '.github/ISSUE_TEMPLATE/**/*' | |
- 'render.yaml' | |
- 'embed/**/*' # Embed should be published to frontend (yarn build:publish) if any changes are introduced | |
- 'server/utils/agents/aibitat/example/**/*' # Do not push new image for local dev testing of new aibitat images. | |
jobs: | |
push_to_registries: | |
name: Push Docker image to DockerHub for use on Render or Railway deployments | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: read | |
steps: | |
- name: Check out the repo | |
uses: actions/checkout@v4 | |
- name: Check if DockerHub build needed | |
shell: bash | |
run: | | |
# Check if the secret for USERNAME is set (don't even check for the password) | |
if [[ -z "${{ secrets.DOCKER_USERNAME }}" ]]; then | |
echo "DockerHub build not needed" | |
echo "enabled=false" >> $GITHUB_OUTPUT | |
else | |
echo "DockerHub build needed" | |
echo "enabled=true" >> $GITHUB_OUTPUT | |
fi | |
id: dockerhub | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Log in to Docker Hub | |
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | |
# Only login to the Docker Hub if the repo is mintplex/anythingllm, to allow for forks to build on GHCR | |
if: steps.dockerhub.outputs.enabled == 'true' | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@9ec57ed1fcdbf14dcef7dfbe97b2010124a938b7 | |
with: | |
images: | | |
${{ steps.dockerhub.outputs.enabled == 'true' && 'mintplexlabs/anythingllm' || '' }} | |
tags: | | |
type=raw,value=render | |
type=raw,value=railway | |
- name: Build and push multi-platform Docker image | |
uses: docker/build-push-action@v6 | |
with: | |
context: . | |
file: ./docker/render.Dockerfile | |
push: true | |
sbom: true | |
provenance: mode=max | |
platforms: linux/amd64 | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
"STORAGE_DIR=/storage" | |
# For Docker scout there are some intermediary reported CVEs which exists outside | |
# of execution content or are unreachable by an attacker but exist in image. | |
# We create VEX files for these so they don't show in scout summary. | |
- name: Collect known and verified CVE exceptions | |
id: cve-list | |
run: | | |
# Collect CVEs from filenames in vex folder | |
CVE_NAMES="" | |
for file in ./docker/vex/*.vex.json; do | |
[ -e "$file" ] || continue | |
filename=$(basename "$file") | |
stripped_filename=${filename%.vex.json} | |
CVE_NAMES+=" $stripped_filename" | |
done | |
echo "CVE_EXCEPTIONS=$CVE_NAMES" >> $GITHUB_OUTPUT | |
shell: bash | |
# About VEX attestations https://docs.docker.com/scout/explore/exceptions/ | |
# Justifications https://github.com/openvex/spec/blob/main/OPENVEX-SPEC.md#status-justifications | |
- name: Add VEX attestations | |
env: | |
CVE_EXCEPTIONS: ${{ steps.cve-list.outputs.CVE_EXCEPTIONS }} | |
run: | | |
echo $CVE_EXCEPTIONS | |
curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s -- | |
for cve in $CVE_EXCEPTIONS; do | |
for tag in "${{ join(fromJSON(steps.meta.outputs.json).tags, ' ') }}"; do | |
echo "Attaching VEX exception $cve to $tag" | |
docker scout attestation add \ | |
--file "./docker/vex/$cve.vex.json" \ | |
--predicate-type https://openvex.dev/ns/v0.2.0 \ | |
$tag | |
done | |
done | |
shell: bash |