
Commit afb98f0

committed
Initial commit
0 parents  commit afb98f0

24 files changed

+1963
-0
lines changed

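--- a/.dockerignore
+++ b/.dockerignore
@@ -0,0 +1,8 @@
+LICENSE
+*.md
+.hadolint.yml
+node_modules
+*.log
+.git
+.gitignore
+.env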
@@ -0,0 +1,72 @@
1+
name: Setup docker
2+
3+
description: Configure the docker workflow.
4+
5+
inputs:
6+
DOCKERHUB_USERNAME:
7+
required: true
8+
DOCKERHUB_TOKEN:
9+
required: true
10+
QUAY_USERNAME:
11+
required: true
12+
QUAY_TOKEN:
13+
required: true
14+
CR_PAT:
15+
required: true
16+
tag:
17+
required: true
18+
19+
outputs:
20+
tags:
21+
description: "tags"
22+
value: ${{ steps.meta.outputs.tags }}
23+
labels:
24+
description: "labels"
25+
value: ${{ steps.meta.outputs.labels }}
26+
27+
runs:
28+
using: composite
29+
steps:
30+
- name: Docker meta:${{ inputs.tag }}
31+
id: meta
32+
uses: docker/metadata-action@v5
33+
with:
34+
images: ${{ inputs.DOCKERHUB_USERNAME }}/fc2-live-dl,ghcr.io/${{ github.repository_owner }}/fc2-live-dl,quay.io/${{ github.repository_owner }}/fc2-live-dl
35+
flavor: |
36+
latest=${{ inputs.tag == 'alpine' }}
37+
tags: |
38+
type=ref,event=tag,enable=${{ inputs.tag == 'alpine' }}
39+
type=ref,suffix=-${{ inputs.tag }},event=tag
40+
${{ inputs.tag }}
41+
42+
- name: Set up QEMU
43+
uses: docker/setup-qemu-action@v3
44+
45+
- name: Set up Docker Buildx
46+
uses: docker/setup-buildx-action@v3
47+
48+
# Create a Access Token and save it as as Actions secret
49+
# https://hub.docker.com/settings/security
50+
# DOCKERHUB_USERNAME
51+
# DOCKERHUB_TOKEN
52+
- name: Login to DockerHub
53+
uses: docker/login-action@v3
54+
with:
55+
username: ${{ inputs.DOCKERHUB_USERNAME }}
56+
password: ${{ inputs.DOCKERHUB_TOKEN }}
57+
58+
# Create a Access Token with `read:packages` and `write:packages` scopes
59+
# CR_PAT
60+
- name: Login to GitHub Container Registry
61+
uses: docker/login-action@v3
62+
with:
63+
registry: ghcr.io
64+
username: ${{ github.repository_owner }}
65+
password: ${{ inputs.CR_PAT }}
66+
67+
- name: Login to Quay Container Registry
68+
uses: docker/login-action@v3
69+
with:
70+
registry: quay.io
71+
username: ${{ inputs.QUAY_USERNAME }}
72+
password: ${{ inputs.QUAY_TOKEN }}
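Review bot: The ghcr.io login step (hunk lines 60–65) authenticates with a long-lived personal access token passed in as `CR_PAT`, although the run's own ephemeral token is available inside a composite action as `${{ github.token }}` and, if the calling workflow grants `permissions: packages: write`, is sufficient for pushing to ghcr.io; a token scoped to the single run is preferable to a PAT stored as a repository secret, so `password: ${{ github.token }}` would remove one standing credential. None of the inputs at hunk lines 5–17 carries a `description:` field, which the action metadata syntax lists as required per input; for example `description: "Docker Hub access token used by docker/login-action"` under `DOCKERHUB_TOKEN` would also tell callers what scope the token needs. Every third-party action here (and in the two workflows below) is referenced by a mutable major tag such as `docker/login-action@v3`; pinning to a full commit SHA with the tag kept in a trailing comment is the usual supply-chain hardening for actions that receive registry credentials. The file header for this section is not shown on the page, so the action's path is only inferred from `docker_publish.yml`'s `uses: ./.github/workflows/docker-reused-setup-steps`.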

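--- a/.github/workflows/docker_publish.yml
+++ b/.github/workflows/docker_publish.yml
@@ -0,0 +1,139 @@
+name: docker_publish
+
+on:
+push:
+branches:
+- 'master'
+tags:
+- 'v*'
+schedule:
+- cron: '0 4 1 * *' # 1st day of month at 4am UTC
+
+workflow_dispatch:
+
+jobs:
+docker-alpine:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+submodules: true
+
+- name: Checkout submodule
+run: |
+cd fc2-live-dl && \
+git fetch --all --tags && \
+if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+git checkout tags/${{ github.ref_name }} -b ${{ github.ref_name }}
+else
+git checkout main
+fi
+
+- name: Setup docker
+id: setup
+uses: ./.github/workflows/docker-reused-setup-steps
+with:
+DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
+CR_PAT: ${{ secrets.CR_PAT }}
+tag: alpine
+
+- name: Build and push
+uses: docker/build-push-action@v5
+with:
+context: .
+file: ./alpine.Dockerfile
+push: true
+target: final
+tags: ${{ steps.setup.outputs.tags }}
+labels: ${{ steps.setup.outputs.labels }}
+build-args: VERSION=${{ github.head_ref || github.ref_name }}
+platforms: linux/amd64,linux/arm64
+
+docker-ubi:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+submodules: true
+
+- name: Checkout submodule
+run: |
+cd fc2-live-dl && \
+git fetch --all --tags && \
+if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+git checkout tags/${{ github.ref_name }} -b ${{ github.ref_name }}
+else
+git checkout main
+fi
+
+- name: Setup docker
+id: setup
+uses: ./.github/workflows/docker-reused-setup-steps
+with:
+DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
+CR_PAT: ${{ secrets.CR_PAT }}
+tag: ubi
+
+- name: Build and push
+uses: docker/build-push-action@v5
+with:
+context: .
+file: ./ubi.Dockerfile
+push: true
+target: final
+tags: ${{ steps.setup.outputs.tags }}
+labels: ${{ steps.setup.outputs.labels }}
+build-args: VERSION=${{ github.head_ref || github.ref_name }}
+platforms: linux/amd64,linux/arm64
+
+docker-distroless:
+runs-on: ubuntu-latest
+
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+submodules: true
+
+- name: Checkout submodule
+run: |
+cd fc2-live-dl && \
+git fetch --all --tags && \
+if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+git checkout tags/${{ github.ref_name }} -b ${{ github.ref_name }}
+else
+git checkout main
+fi
+
+- name: Setup docker
+id: setup
+uses: ./.github/workflows/docker-reused-setup-steps
+with:
+DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
+DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
+QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+QUAY_TOKEN: ${{ secrets.QUAY_TOKEN }}
+CR_PAT: ${{ secrets.CR_PAT }}
+tag: distroless
+
+- name: Build and push
+uses: docker/build-push-action@v5
+with:
+context: .
+file: ./distroless.Dockerfile
+push: true
+target: final
+tags: ${{ steps.setup.outputs.tags }}
+labels: ${{ steps.setup.outputs.labels }}
+build-args: VERSION=${{ github.head_ref || github.ref_name }}
+platforms: linux/amd64,linux/arm64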
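Review bot: The `Checkout submodule` step (hunk lines 24–32, repeated verbatim at 66–74 and 108–116) interpolates `${{ github.ref }}` and `${{ github.ref_name }}` straight into the shell script; GitHub's workflow-hardening guidance is to hand such context values to the step through `env:` and reference them as quoted shell variables so the ref name is treated as data rather than as script, e.g. `env:` / `REF_NAME: ${{ github.ref_name }}` on the step and `git checkout "tags/$REF_NAME" -b "$REF_NAME"` in the body. The workflow declares no `permissions:` block, so each job runs with the repository's default `GITHUB_TOKEN` grant even though the registry logins use dedicated secrets and only `contents: read` is needed for the checkouts; a top-level `permissions: { contents: read }` applies least privilege without changing behaviour. The three jobs differ only in `tag` and `file` (hunk lines 43/49, 85/91, 127/133), so a single job with `strategy.matrix` over `[alpine, ubi, distroless]` would cut the file to a third and keep the copies from drifting apart, and `workflow_dispatch:` at line 12 sits outside the `push`/`schedule` indentation in this rendering, which is worth confirming against the committed file.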

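--- a/.github/workflows/scan.yml
+++ b/.github/workflows/scan.yml
@@ -0,0 +1,62 @@
+name: scan
+
+on:
+workflow_run:
+workflows: [docker_publish]
+types: [completed]
+
+# Allows you to run this workflow manually from the Actions tab
+workflow_dispatch:
+
+jobs:
+scan:
+name: Scan docker image
+runs-on: ubuntu-latest
+if: ${{ github.event.workflow_run.conclusion == 'success' || github.event_name == 'workflow_dispatch' }}
+steps:
+- name: Checkout
+uses: actions/checkout@v4
+with:
+sparse-checkout: |
+.github/workflows/scan/html.tpl
+sparse-checkout-cone-mode: false
+
+- name: Run Trivy vulnerability scanner for alpine image
+uses: aquasecurity/[email protected]
+with:
+image-ref: "ghcr.io/jim60105/fc2-live-dl:alpine"
+vuln-type: "os,library"
+scanners: vuln
+severity: "CRITICAL,HIGH"
+format: "template"
+template: "@.github/workflows/scan/html.tpl"
+output: "trivy-results-alpine.html"
+
+- name: Run Trivy vulnerability scanner for ubi image
+uses: aquasecurity/[email protected]
+with:
+image-ref: "ghcr.io/jim60105/fc2-live-dl:ubi"
+vuln-type: "os,library"
+scanners: vuln
+severity: "CRITICAL,HIGH"
+format: "template"
+template: "@.github/workflows/scan/html.tpl"
+output: "trivy-results-ubi.html"
+
+- name: Run Trivy vulnerability scanner for distroless image
+uses: aquasecurity/[email protected]
+with:
+image-ref: "ghcr.io/jim60105/fc2-live-dl:distroless"
+vuln-type: "os,library"
+scanners: vuln
+severity: "CRITICAL,HIGH"
+format: "template"
+template: "@.github/workflows/scan/html.tpl"
+output: "trivy-results-distroless.html"
+
+- name: Upload Artifact
+uses: actions/upload-artifact@v3
+with:
+name: trivy-results
+path: trivy-results-*
+retention-days: 90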
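Review bot: None of the three Trivy steps (hunk lines 24–55) sets `exit-code`, so CRITICAL/HIGH findings are only written into the HTML reports and never fail the job; if the scan is meant to gate anything rather than just record results, add `exit-code: "1"` (with `ignore-unfixed: true` if findings without an available fix should not block) to each step, or additionally emit `format: sarif` and upload it to code scanning so findings are tracked across runs instead of expiring with the 90-day artifact. The `uses:` reference on lines 25, 36 and 47 is rendered as `aquasecurity/[email protected]`, which looks like an email-obfuscation artifact of the page rather than a valid action ref; the version actually pinned should be confirmed in the repository, and a full commit SHA is preferable for a scanner that pulls and inspects published images. `actions/upload-artifact@v3` on line 58 is a major version behind the `actions/checkout@v4` on line 18 and, to my knowledge, still targets the Node 16 runtime that GitHub has been retiring, so moving to `@v4` keeps the workflow consistent and supported. The `workflow_dispatch:` at line 9 appears at the same level as `workflow_run:` only if it is indented under `on:` in the committed file, which this rendering does not show.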
