chore(deps): update alpinelinux/unbound:latest docker digest to 42b9bd4 #633
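---
# Build, test and publish the mailserver container images.
#
# Pushes to main/next and v* tags publish multi-arch images to ghcr.io and
# docker.io with build-provenance attestations. Pull requests build amd64-only
# images, hand them between jobs as run artifacts, and run the efficiency,
# integration and vulnerability checks against exactly those artifacts.
name: Build and test application

on:
  push:
    branches:
      - main
      - next
    tags: ["v*"]
  pull_request:
    # Keep this list in sync with everything the jobs below read from the
    # repository, otherwise a PR that only touches those files is never built.
    paths:
      - ".env.dist"
      - ".github/bin/**"
      - ".github/linters/**"
      - ".github/test-matrix/**"
      - ".github/workflows/build.yml"
      - "bin/**"
      - "deploy/**"
      - "docker-compose*.yml"
      - "kustomization.yaml"
      - "Makefile"
      - "target/**"
      - "test/**"

# Default token scope for every job; jobs that publish or upload SARIF widen
# this explicitly. Same-repo PR branches (e.g. renovate) would otherwise get
# the repository's default token permissions in the test jobs.
permissions:
  contents: read

concurrency:
  group: "${{ github.workflow }}-${{ github.ref }}"
  # Superseded PR/branch runs are cancelled, but a tag push is a release: a
  # cancelled build matrix would leave some images published under the new
  # version tag and others not, with no later run to repair it.
  cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }}

env:
  # Third-party images the integration jobs need alongside the ones built here.
  # NOTE(review): these are mutable tags, not digests, and the image cache in
  # the test jobs is keyed on this file, so a moved upstream tag is not picked
  # up until the workflow changes. Pin as `name:tag@sha256:…` (renovate can
  # keep the digests current) if reproducible test runs matter.
  ADDITIONAL_DOCKER_IMAGES: "mysql:lts axllent/mailpit:v1.27 redis:8.2-alpine ghcr.io/jeboehm/fetchmailmgr:0.4.0"

jobs: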
| build: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: true | |
| matrix: | |
| include: | |
| - context: target/mda | |
| image: mailserver-mda | |
| - context: target/mta | |
| image: mailserver-mta | |
| - context: target/filter | |
| image: mailserver-filter | |
| - context: target/web | |
| image: mailserver-web | |
| - context: target/ssl | |
| image: mailserver-ssl | |
| - context: target/unbound | |
| image: mailserver-unbound | |
| - context: test/bats | |
| image: mailserver-test | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| attestations: write | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Set up QEMU | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - name: Log in to Container Registry (ghcr.io) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Log in to Container Registry (docker.io) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| username: ${{ vars.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| images: | | |
| ghcr.io/jeboehm/${{ matrix.image }} | |
| jeboehm/${{ matrix.image }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=sha | |
| - name: Create banner | |
| run: .github/bin/create_banner.sh ${{ github.sha }} ${{ github.ref_name }} | |
| - name: Build and push Docker image | |
| id: build-and-push | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 | |
| with: | |
| context: ${{ matrix.context }} | |
| platforms: ${{ github.event_name == 'pull_request' && 'linux/amd64' || 'linux/amd64,linux/arm64' }} | |
| push: ${{ github.event_name != 'pull_request' && matrix.image != 'mailserver-test' }} | |
| tags: ${{ github.event_name == 'pull_request' && format('jeboehm/{0}', matrix.image) || steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha,scope=${{ matrix.image }} | |
| cache-to: type=gha,scope=${{ matrix.image }},mode=max | |
| outputs: ${{ github.event_name == 'pull_request' && format('type=docker,dest={0}/{1}.tar', runner.temp, matrix.image) || '' }} | |
| - name: Generate artifact attestation (ghcr.io) | |
| if: ${{ github.event_name != 'pull_request' && matrix.image != 'mailserver-test' }} | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 | |
| with: | |
| subject-name: ghcr.io/jeboehm/${{ matrix.image }} | |
| subject-digest: ${{ steps.build-and-push.outputs.digest }} | |
| push-to-registry: true | |
| - name: Generate artifact attestation (docker.io) | |
| if: ${{ github.event_name != 'pull_request' && matrix.image != 'mailserver-test' }} | |
| uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3 | |
| with: | |
| subject-name: index.docker.io/jeboehm/${{ matrix.image }} | |
| subject-digest: ${{ steps.build-and-push.outputs.digest }} | |
| push-to-registry: true | |
| - name: Upload Docker image to artifacts | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6 | |
| with: | |
| name: docker-image-${{ matrix.image }} | |
| path: ${{ runner.temp }}/${{ matrix.image }}.tar | |
| retention-days: 1 | |
| test_container_image_efficiency: | |
| needs: build | |
| if: ${{ github.event_name == 'pull_request' }} | |
| runs-on: ubuntu-latest | |
| env: | |
| CI: "true" | |
| DIVE_VER: 0.13.1 # renovate: depName=wagoodman/dive | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Download Docker image artifacts | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 | |
| with: | |
| path: images | |
| pattern: docker-image-* | |
| merge-multiple: true | |
| - name: Cache Dive | |
| id: cache-dive | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 | |
| with: | |
| path: /tmp/dive_${{ env.DIVE_VER }}_linux_amd64.deb | |
| key: ${{ runner.os }}-dive-${{ env.DIVE_VER }} | |
| - name: Install Dive | |
| run: | | |
| if [ ! -f "/tmp/dive_${DIVE_VER}_linux_amd64.deb" ]; then | |
| curl -sfL -o "/tmp/dive_${DIVE_VER}_linux_amd64.deb" \ | |
| "https://github.com/wagoodman/dive/releases/download/v${DIVE_VER}/dive_${DIVE_VER}_linux_amd64.deb" | |
| fi | |
| sudo dpkg -i "/tmp/dive_${DIVE_VER}_linux_amd64.deb" | |
| - name: Check container image efficiency | |
| run: | | |
| for image in $(ls images/); do | |
| echo "::group::Checking image ${image}" | |
| dive --ci-config .github/linters/.dive-ci.yml docker-archive://images/${image} | |
| echo "::endgroup::" | |
| done | |
| test_docker_matrix: | |
| needs: build | |
| if: ${{ github.event_name == 'pull_request' }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| TEST_CASE: | |
| - default | |
| - relayhost | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Download Docker image artifacts | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 | |
| with: | |
| path: images | |
| pattern: docker-image-* | |
| merge-multiple: true | |
| - name: Docker load downloaded image artifacts | |
| run: | | |
| for image in $(ls images/); do | |
| docker load --input images/${image} | |
| done | |
| - name: Cache Docker images | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 | |
| id: docker-images-cache | |
| with: | |
| path: /tmp/docker-images | |
| key: ${{ runner.os }}-images-additional-${{ hashFiles('.github/workflows/build.yml') }} | |
| - name: Load or pull Docker images | |
| run: | | |
| mkdir -p /tmp/docker-images | |
| read -a IMAGES <<< "${{ env.ADDITIONAL_DOCKER_IMAGES }}" | |
| for IMAGE in "${IMAGES[@]}"; do | |
| # Convert image name to filename-safe format | |
| FILENAME=$(echo "$IMAGE" | tr '/:' '-').tar | |
| CACHE_PATH="/tmp/docker-images/$FILENAME" | |
| if [ -f "$CACHE_PATH" ]; then | |
| echo "::group::Loading $IMAGE from cache" | |
| docker load --input "$CACHE_PATH" | |
| echo "::endgroup::" | |
| else | |
| echo "::group::Pulling $IMAGE from registry" | |
| docker pull "$IMAGE" | |
| docker save "$IMAGE" -o "$CACHE_PATH" | |
| echo "::endgroup::" | |
| fi | |
| done | |
| - name: Prepare environment | |
| run: | | |
| make .env | |
| cat .env .github/test-matrix/${{ matrix.TEST_CASE }}.env > .env.tmp | |
| awk -F= '{seen[$1]=$0} END {for (key in seen) print seen[key]}' .env.tmp > .env | |
| rm .env.tmp | |
| - name: Output environment | |
| run: cat .env | |
| - name: Start components | |
| run: make up | |
| - name: Load database fixtures | |
| run: make fixtures | |
| - name: Run tests | |
| run: bin/test.sh run --rm test | |
| - name: Collect logs | |
| if: failure() | |
| run: | | |
| make logs | |
| docker ps -a | |
| test_kubernetes_matrix: | |
| needs: build | |
| if: ${{ github.event_name == 'pull_request' }} | |
| runs-on: ubuntu-latest | |
| env: | |
| CLUSTER_NAME: kind | |
| POPEYE_VER: v0.22.1 # renovate: depName=derailed/popeye | |
| strategy: | |
| matrix: | |
| TEST_CASE: | |
| - default | |
| - relayhost | |
| - proxy | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Setup Kind | |
| uses: helm/kind-action@ef37e7f390d99f746eb8b610417061a60e82a6cc # v1 | |
| with: | |
| cluster_name: ${{ env.CLUSTER_NAME }} | |
| - name: Cache Popeye | |
| id: cache-popeye | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 | |
| with: | |
| path: /tmp/popeye_linux_amd64.deb | |
| key: ${{ runner.os }}-popeye-${{ env.POPEYE_VER }} | |
| - name: Install Popeye | |
| run: | | |
| if [ ! -f "/tmp/popeye_linux_amd64.deb" ]; then | |
| curl -sfL -o "/tmp/popeye_linux_amd64.deb" \ | |
| "https://github.com/derailed/popeye/releases/download/${{ env.POPEYE_VER }}/popeye_linux_amd64.deb" | |
| fi | |
| sudo dpkg -i /tmp/popeye_linux_amd64.deb | |
| - name: Use kubectl context | |
| run: | | |
| kind get clusters | |
| kubectl config use-context kind-${{ env.CLUSTER_NAME }} | |
| - name: Cache Docker images | |
| uses: actions/cache@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5 | |
| id: docker-images-cache | |
| with: | |
| path: /tmp/docker-images | |
| key: ${{ runner.os }}-images-additional-${{ hashFiles('.github/workflows/build.yml') }} | |
| - name: Load or pull Docker images into kind cluster | |
| run: | | |
| mkdir -p /tmp/docker-images | |
| read -a IMAGES <<< "${{ env.ADDITIONAL_DOCKER_IMAGES }}" | |
| for IMAGE in "${IMAGES[@]}"; do | |
| FILENAME=$(echo "$IMAGE" | tr '/:' '-').tar | |
| CACHE_PATH="/tmp/docker-images/$FILENAME" | |
| if [ -f "$CACHE_PATH" ]; then | |
| echo "::group::Loading $IMAGE from cache into kind cluster" | |
| kind load image-archive "$CACHE_PATH" | |
| echo "::endgroup::" | |
| else | |
| echo "::group::Pulling $IMAGE and loading into kind cluster" | |
| docker pull "$IMAGE" | |
| docker save "$IMAGE" -o "$CACHE_PATH" | |
| kind load image-archive "$CACHE_PATH" | |
| echo "::endgroup::" | |
| fi | |
| done | |
| - name: Download docker image artifacts | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 | |
| with: | |
| path: images | |
| pattern: docker-image-* | |
| merge-multiple: true | |
| - name: Load downloaded docker images | |
| run: | | |
| for image in $(ls images/); do | |
| echo "::group::Loading $image from downloaded artifacts into kind cluster" | |
| kind load image-archive images/${image} | |
| echo "::endgroup::" | |
| done | |
| - name: Prepare environment | |
| run: | | |
| make .env | |
| cat .env .github/test-matrix/${{ matrix.TEST_CASE }}.env > .env.tmp | |
| awk -F= '{seen[$1]=$0} END {for (key in seen) print seen[key]}' .env.tmp > .env | |
| rm .env.tmp | |
| - name: Prepare tls certs | |
| run: make kubernetes-tls | |
| - name: Deploy Kubernetes resources | |
| run: make kubernetes-deploy-helper kubernetes-up | |
| - name: Wait for all pods to be ready | |
| run: make kubernetes-wait | |
| - name: Run tests | |
| run: make kubernetes-test | |
| - name: Run Popeye | |
| run: make popeye-score | |
| - name: Get pod status on failure | |
| if: failure() | |
| run: | | |
| make kubernetes-logs | |
| kubectl get pods -o wide | |
| test_trivy_vulnerabilities: | |
| needs: build | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| include: | |
| - image: mailserver-mda | |
| - image: mailserver-mta | |
| - image: mailserver-filter | |
| - image: mailserver-web | |
| - image: mailserver-ssl | |
| - image: mailserver-unbound | |
| steps: | |
| - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6 | |
| - name: Download Docker image artifacts | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7 | |
| with: | |
| path: images | |
| pattern: docker-image-${{ matrix.image }} | |
| merge-multiple: true | |
| - name: Run Trivy vulnerability scanner | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| input: "images/${{ matrix.image }}.tar" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| severity: "CRITICAL,HIGH" | |
| - name: Log in to Container Registry (ghcr.io) | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Run Trivy vulnerability scanner | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 | |
| with: | |
| image-ref: "ghcr.io/jeboehm/${{ matrix.image }}:latest" | |
| format: "sarif" | |
| output: "trivy-results.sarif" | |
| severity: "CRITICAL,HIGH" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: always() | |
| uses: github/codeql-action/upload-sarif@e46ed2cbd01164d986452f91f178727624ae40d7 # v4 | |
| with: | |
| sarif_file: "trivy-results.sarif" | |
| category: "${{ matrix.image }}" |