mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-07-17 17:41:50 +00:00
81 lines
2.1 KiB
YAML
81 lines
2.1 KiB
YAML
name: 'MCP: Pull Request'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
paths:
|
|
- '.github/workflows/mcp-pull-request.yml'
|
|
- 'mcp_server/**'
|
|
- '!mcp_server/README.md'
|
|
- '!mcp_server/CHANGELOG.md'
|
|
pull_request:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
paths:
|
|
- '.github/workflows/mcp-pull-request.yml'
|
|
- 'mcp_server/**'
|
|
- '!mcp_server/README.md'
|
|
- '!mcp_server/CHANGELOG.md'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
MCP_WORKING_DIR: ./mcp_server
|
|
IMAGE_NAME: prowler-mcp
|
|
|
|
jobs:
|
|
dockerfile-lint:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Lint Dockerfile with Hadolint
|
|
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
|
with:
|
|
dockerfile: mcp_server/Dockerfile
|
|
|
|
container-build-and-scan:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
|
|
- name: Build MCP container
|
|
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
|
|
with:
|
|
context: ${{ env.MCP_WORKING_DIR }}
|
|
push: false
|
|
load: true
|
|
tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}
|
|
cache-from: type=gha
|
|
cache-to: type=gha,mode=max
|
|
|
|
- name: Scan MCP container with Trivy
|
|
uses: ./.github/actions/trivy-scan
|
|
with:
|
|
image-name: ${{ env.IMAGE_NAME }}
|
|
image-tag: ${{ github.sha }}
|
|
fail-on-critical: 'false'
|
|
severity: 'CRITICAL'
|