mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-03-22 03:08:23 +00:00
41a7b19c7d
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
109 lines
3.3 KiB
YAML
109 lines
3.3 KiB
YAML
name: 'API: Container Checks'
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
pull_request:
|
|
branches:
|
|
- 'master'
|
|
- 'v5.*'
|
|
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.ref }}
|
|
cancel-in-progress: true
|
|
|
|
env:
|
|
API_WORKING_DIR: ./api
|
|
IMAGE_NAME: prowler-api
|
|
|
|
jobs:
|
|
api-dockerfile-lint:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ubuntu-latest
|
|
timeout-minutes: 15
|
|
permissions:
|
|
contents: read
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
# zizmor: ignore[artipacked]
|
|
persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
|
|
|
|
- name: Check if Dockerfile changed
|
|
id: dockerfile-changed
|
|
uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
|
|
with:
|
|
files: api/Dockerfile
|
|
|
|
- name: Lint Dockerfile with Hadolint
|
|
if: steps.dockerfile-changed.outputs.any_changed == 'true'
|
|
uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
|
|
with:
|
|
dockerfile: api/Dockerfile
|
|
ignore: DL3013
|
|
|
|
api-container-build-and-scan:
|
|
if: github.repository == 'prowler-cloud/prowler'
|
|
runs-on: ${{ matrix.runner }}
|
|
strategy:
|
|
matrix:
|
|
include:
|
|
- platform: linux/amd64
|
|
runner: ubuntu-latest
|
|
arch: amd64
|
|
- platform: linux/arm64
|
|
runner: ubuntu-24.04-arm
|
|
arch: arm64
|
|
timeout-minutes: 30
|
|
permissions:
|
|
contents: read
|
|
security-events: write
|
|
pull-requests: write
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
# zizmor: ignore[artipacked]
|
|
persist-credentials: true # Required by tj-actions/changed-files to fetch PR branch
|
|
|
|
- name: Check for API changes
|
|
id: check-changes
|
|
uses: tj-actions/changed-files@7dee1b0c1557f278e5c7dc244927139d78c0e22a # v47.0.4
|
|
with:
|
|
files: api/**
|
|
files_ignore: |
|
|
api/docs/**
|
|
api/README.md
|
|
api/CHANGELOG.md
|
|
api/AGENTS.md
|
|
|
|
- name: Set up Docker Buildx
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0
|
|
|
|
- name: Build container for ${{ matrix.arch }}
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
|
|
with:
|
|
context: ${{ env.API_WORKING_DIR }}
|
|
push: false
|
|
load: true
|
|
platforms: ${{ matrix.platform }}
|
|
tags: ${{ env.IMAGE_NAME }}:${{ github.sha }}-${{ matrix.arch }}
|
|
cache-from: type=gha,scope=${{ matrix.arch }}
|
|
cache-to: type=gha,mode=max,scope=${{ matrix.arch }}
|
|
|
|
- name: Scan container with Trivy for ${{ matrix.arch }}
|
|
if: steps.check-changes.outputs.any_changed == 'true'
|
|
uses: ./.github/actions/trivy-scan
|
|
with:
|
|
image-name: ${{ env.IMAGE_NAME }}
|
|
image-tag: ${{ github.sha }}-${{ matrix.arch }}
|
|
fail-on-critical: 'false'
|
|
severity: 'CRITICAL'
|