pr to upstream

.github/workflows/docker-hub-description.yml

@@ -4,18 +4,26 @@ on:
   push:
     tags:
       - '*'
+  workflow_call:
+    secrets:
+      DOCKERHUB_TOKEN:
+        required: true
+
+env:
+  DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+  DOCKERHUB_REPOSITORY: ${{ vars.DOCKERHUB_REPOSITORY }}
 
 jobs:
   update:
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
 
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Update docker hub description
-        uses: peter-evans/dockerhub-description@v4
+        uses: peter-evans/dockerhub-description@v5
         with:
-          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          username: ${{ env.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
-          repository: visibilityspots/cloudflared
+          repository: ${{ github.repository_owner }}/${{ env.DOCKERHUB_REPOSITORY }}
           short-description: ${{ github.event.repository.description }}

.github/workflows/main.yml

@@ -0,0 +1,93 @@
+name: CI
+
+on:
+  push:
+    tags:
+      - '*'
+  workflow_call:
+    inputs:
+      platforms:
+        required: false
+        type: string
+    secrets:
+      DOCKERHUB_TOKEN:
+        required: true
+      GOSS_CMD:
+        required: false
+env:
+  DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+  DOCKERHUB_REPOSITORY: ${{ vars.DOCKERHUB_REPOSITORY }}
+  DOCKERHUB_PLATFORMS: ${{ inputs.platforms || 'linux/amd64,linux/arm/v6,linux/arm/v7,linux/arm64' }}
+
+jobs:
+  test:
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          ref: main
+
+      - name: Build ${{ env.DOCKERHUB_REPOSITORY }}:dev image
+        run: docker build -t ${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:dev .
+
+      - uses: e1himself/[email protected]
+        with:
+          version: 'v0.4.9'
+
+      - name: Execute dgoss run on ${{ env.DOCKERHUB_REPOSITORY }}:dev image
+        env:
+          GOSS_FILES_STRATEGY: cp
+        run: dgoss run ${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:dev ${{ secrets.GOSS_CMD }}
+
+  deploy:
+    needs: test
+
+    runs-on: ubuntu-24.04
+
+    steps:
+      - uses: actions/checkout@v6
+
+      - uses: docker/[email protected]
+        with:
+          username: ${{ env.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/setup-qemu-action@v3
+
+      - uses: docker/setup-buildx-action@v3
+
+      - name: Build and push ${{ env.DOCKERHUB_REPOSITORY }} image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          platforms: ${{ env.DOCKERHUB_PLATFORMS }}
+          push: true
+          tags: |
+            ${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:latest
+            ${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:${{ github.ref_name }}
+          cache-from: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:buildcache
+          cache-to: type=registry,ref=${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:buildcache,mode=max
+
+      - name: Generate CHANGELOG
+        id: changelog
+        uses: requarks/changelog-action@v1
+        with:
+          token: ${{ github.token }}
+          tag: ${{ github.ref_name }}
+
+      - name: Create github ${{ github.ref_name }} release
+        uses: ncipollo/release-action@v1
+        with:
+          makeLatest: true
+          allowUpdates: true
+          body: ${{ steps.changelog.output.changes }}
+          token: ${{ github.token }}
+
+      - name: Commit updated CHANGELOG.md for ${{ github.ref_name }}
+        uses: stefanzweifel/git-auto-commit-action@v7
+        with:
+          branch: main
+          commit_message: 'docs: update CHANGELOG.md for ${{ github.ref_name }} [skip ci]'
+          file_pattern: CHANGELOG.md

.github/workflows/trivy.yml

@@ -6,43 +6,51 @@ on:
       - '*'
   schedule:
     - cron: '44 19 * * 4'
+  workflow_call:
 
 permissions:
   contents: read
 
+env:
+  DOCKERHUB_USERNAME: ${{ vars.DOCKERHUB_USERNAME }}
+  DOCKERHUB_REPOSITORY: ${{ vars.DOCKERHUB_REPOSITORY }}
+  TRIVY_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-db'
+  TRIVY_JAVA_DB_REPOSITORY: 'public.ecr.aws/aquasecurity/trivy-java-db'
+
 jobs:
   scan:
     permissions:
       contents: read
       security-events: write
-    runs-on: "ubuntu-latest"
+
+    runs-on: ubuntu-24.04
+
     steps:
-      - name: Checkout code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v6
 
       - name: Build an image from Dockerfile
         run: |
-          docker build -t visibilityspots/cloudflared:dev .
+          docker build -t ${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:dev .
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
+        uses: aquasecurity/trivy-action@0.34.0
         with:
-          image-ref: 'visibilityspots/cloudflared:dev'
+          image-ref: '${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:dev'
           format: 'table'
           exit-code: 0
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
 
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@0.24.0
+      - name: Store Trivy vulnerability scanner output
+        uses: aquasecurity/trivy-action@0.34.0
         with:
-          image-ref: 'visibilityspots/cloudflared:dev'
+          image-ref: '${{ env.DOCKERHUB_USERNAME }}/${{ env.DOCKERHUB_REPOSITORY }}:dev'
           format: 'sarif'
           output: 'trivy-results.sarif'
           ignore-unfixed: true
           severity: 'CRITICAL,HIGH'
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@v4
         with:
           sarif_file: 'trivy-results.sarif'