# Lints the UI Dockerfile and builds + scans the UI container image.
# Two independent jobs: ui-dockerfile-lint (Hadolint) and
# ui-container-build-and-scan (buildx build, then the repo-local Trivy action).
# Both jobs gate their expensive steps on what actually changed via
# tj-actions/changed-files, so the pull_request trigger carries no paths filter.
name: 'UI: Container Checks'

on:
  push:
    branches:
      - 'master'
      - 'v5.*'
    # The paths filter only applies to push; PR runs are gated per step below.
    # NOTE(review): ./.github/actions/trivy-scan (used by the scan step) is not
    # listed here, so a change to that action alone does not trigger a push run
    # — confirm that is intended.
    paths:
      - 'ui/**'
      - '.github/workflows/ui-container-checks.yml'
  pull_request:
    branches:
      - 'master'
      - 'v5.*'

# One in-flight run per workflow+ref; a newer run on the same ref cancels the
# older one (this also applies to pushes on master).
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

env:
  # Docker build context; the .git directory at the repo root is outside it.
  UI_WORKING_DIR: ./ui
  # Local image name shared by the build step and the scan step.
  IMAGE_NAME: prowler-ui

# Default GITHUB_TOKEN has no scopes at all; each job opts in explicitly below.
permissions: {}

jobs:
  ui-dockerfile-lint:
    # Skip on forks so fork CI does not run the full pipeline.
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 10
    # Read-only token: this job only needs to fetch the repository.
    permissions:
      contents: read

    steps:
      # Every third-party action below is pinned to a full commit SHA; the
      # trailing "# vX.Y.Z" comment is informational only — the SHA is what runs.
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          # Block mode: outbound traffic to anything not in allowed-endpoints
          # is denied. This job only needs GitHub itself.
          egress-policy: block
          allowed-endpoints: >
            github.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # zizmor's "artipacked" finding is suppressed deliberately: the
          # persisted token stays in the checkout's git config for every later
          # step of this job. Here the token is contents:read only.
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Exposes outputs.any_changed, used to gate the lint step.
      - name: Check if Dockerfile changed
        id: dockerfile-changed
        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/Dockerfile

      - name: Lint Dockerfile with Hadolint
        if: steps.dockerfile-changed.outputs.any_changed == 'true'
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: ui/Dockerfile
          # DL3018 (Hadolint's "pin versions in apk add") is suppressed, so
          # unpinned apk packages in ui/Dockerfile will not fail this check.
          ignore: DL3018

  ui-container-build-and-scan:
    if: github.repository == 'prowler-cloud/prowler'
    runs-on: ubuntu-latest
    timeout-minutes: 30
    # security-events: write and pull-requests: write are presumably consumed
    # by the trivy-scan action (SARIF upload / PR comment) — confirm against
    # .github/actions/trivy-scan. On pull_request runs from forks GitHub
    # downgrades GITHUB_TOKEN to read-only regardless of what is listed here.
    permissions:
      contents: read
      security-events: write
      pull-requests: write

    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@ab7a9404c0f3da075243ca237b5fac12c98deaa5 # v2.19.3
        with:
          # Block mode with an explicit allow-list: Docker Hub + its CDNs for
          # base images, npm and Alpine for the build, Google Fonts for the
          # Next.js build, Trivy hosts and GitHub release assets for the scan.
          # Any new build-time dependency must be added here or the build fails
          # on egress rather than silently reaching an unreviewed host.
          egress-policy: block
          allowed-endpoints: >
            github.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
            production.cloudfront.docker.com:443
            registry.npmjs.org:443
            dl-cdn.alpinelinux.org:443
            fonts.googleapis.com:443
            fonts.gstatic.com:443
            api.github.com:443
            mirror.gcr.io:443
            check.trivy.dev:443
            get.trivy.dev:443
            release-assets.githubusercontent.com:443
            objects.githubusercontent.com:443

      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Same artipacked suppression as the lint job. Note the token persisted
          # here carries this job's wider scopes (see permissions above) and is
          # readable by every later step of the job.
          # zizmor: ignore[artipacked]
          persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch

      # Docs-only changes under ui/ do not trigger a build or scan.
      - name: Check for UI changes
        id: check-changes
        uses: tj-actions/changed-files@9426d40962ed5378910ee2e21d5f8c6fcbf2dd96 # v47.0.6
        with:
          files: ui/**
          files_ignore: |
            ui/CHANGELOG.md
            ui/README.md
            ui/AGENTS.md

      - name: Set up Docker Buildx
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      # Builds the prod target locally only (push: false); load: true puts the
      # image into the runner's Docker daemon under IMAGE_NAME:sha so the scan
      # step below can reference it by the same name and tag.
      - name: Build UI container
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
        with:
          context: ${{ env.UI_WORKING_DIR }}
          target: prod
          push: false
          load: true
          tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
          cache-from: type=gha
          # PRs write a minimal cache; pushes to protected branches write a full one.
          cache-to: type=gha,mode=${{ github.event_name == 'pull_request' && 'min' || 'max' }}
          # NEXT_PUBLIC_* values end up in the client bundle, so this must never
          # be a secret. The value below looks like a placeholder test key used
          # only to satisfy the build — confirm it is not a live key.
          build-args: |
            NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_51LwpXXXX

      # Repo-local composite action; its inputs are defined there, not here.
      # As configured, only CRITICAL findings are scanned for and gate the job;
      # HIGH-severity CVEs in the image are not surfaced by this step — confirm
      # that threshold is intended.
      - name: Scan UI container with Trivy
        if: steps.check-changes.outputs.any_changed == 'true'
        uses: ./.github/actions/trivy-scan
        with:
          image-name: ${{ env.IMAGE_NAME }}
          image-tag: ${{ github.sha }}
          fail-on-critical: 'true'
          severity: 'CRITICAL'