refactor: rewrite build CI for better tagging and parallel code-scanning

CentreForDigitalHumanities · Nov 28, 2024 · 59a52af · 59a52af
1 parent 6946ca9
commit 59a52af
Showing 1 changed file with 78 additions and 3 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -2,9 +2,11 @@ name: Build and Push Docker Images
 
 on:
   push:
+    branches:
+      - 'main'
+      - 'develop'
     tags:
       - '*'
-  workflow_dispatch:
 
 env:
   IMAGE_NAME: development-idp
@@ -24,14 +26,26 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/centrefordigitalhumanities/development-idp/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=pep440,pattern={{version}}
+            type=pep440,pattern={{major}}.{{minor}}
+
       - name: Build and push main image
         uses: docker/build-push-action@v4
         with:
           context: .
           file: ${{ env.DOCKERFILE_PATH }}
           push: true
-          tags: |
-            ghcr.io/centrefordigitalhumanities/development-idp/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
 
       - name: Grype Scan
         id: scan
@@ -44,3 +58,64 @@ jobs:
         uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}
+
+  grype-scan:
+    needs: build-and-push
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read # for actions/checkout to fetch code
+      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
+      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
+    steps:
+
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            ghcr.io/centrefordigitalhumanities/development-idp/${{ env.IMAGE_NAME }}:${{ github.ref_name }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=pep440,pattern={{version}}
+
+      - name: Run the Anchore Grype scan action
+        uses: anchore/scan-action@v5
+        id: scan
+        with:
+          image: ghcr.io/centrefordigitalhumanities/development-idp/${{ env.IMAGE_NAME }}:${{ steps.meta.outputs.version }}
+          fail-build: false
+          severity-cutoff: critical
+
+      - name: Upload vulnerability report
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          category: 'Grype'
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+
+  CodeQL:
+    name: "CodeQL: Analyze Python code"
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      packages: read
+      actions: read
+      contents: read
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@v3
+        with:
+          languages: python
+          build-mode: none
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@v3
+        with:
+          category: "CodeQL"