name: malcolm-iso-build-docker-wrap-push-ghcr on: push: branches: - main - development paths: - 'malcolm-iso/**' - 'shared/bin/*' - '!shared/bin/configure-capture.py' - '!shared/bin/zeek*' - '!shared/bin/suricata*' - '.trigger_iso_workflow_build' - '.github/workflows/malcolm-iso-build-docker-wrap-push-ghcr.yml' workflow_dispatch: repository_dispatch: jobs: build: runs-on: ubuntu-22.04 permissions: actions: write packages: write contents: read security-events: write defaults: run: shell: bash steps: - name: Cancel previous run in progress uses: styfle/cancel-workflow-action@0.12.0 with: ignore_sha: true all_but_latest: true access_token: ${{ secrets.GITHUB_TOKEN }} - name: Set up QEMU uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: driver-opts: | image=moby/buildkit:master - name: Build environment setup run: | sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc || true sudo env DEBIAN_FRONTEND=noninteractive apt-get -q update sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -q \ apt-transport-https \ bc \ build-essential \ ca-certificates \ curl \ debhelper-compat \ debian-archive-keyring \ debootstrap \ genisoimage \ gettext \ git \ gnupg2 \ imagemagick \ jq \ po4a \ rsync \ software-properties-common \ squashfs-tools \ virt-what \ xorriso \ xz-utils git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build cd /tmp/live-build dpkg-buildpackage -b -uc -us cd /tmp sudo dpkg -i /tmp/live-build*.deb sudo rm -rf /tmp/live-build /tmp/live-build*.deb - name: Checkout uses: actions/checkout@v4 - name: Extract branch name shell: bash run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT id: extract_branch - name: Extract commit SHA shell: bash run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT id: extract_commit_sha - name: Extract Malcolm version shell: bash run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT id: extract_malcolm_version - name: Build image run: | IMAGES=( $(grep image: docker-compose-dev.yml | awk '{print $2}' | sort -u) ) for IMAGE in "${IMAGES[@]}"; do REPO_IMAGE="$(echo "$IMAGE" | sed "s@^.*\(malcolm\)@ghcr.io/${{ github.repository_owner }}/\1@" | sed "s/:.*/:${{ steps.extract_branch.outputs.branch }}/")" docker pull "$REPO_IMAGE" && \ docker tag "$REPO_IMAGE" "$IMAGE" && \ docker rmi "$REPO_IMAGE" done DEST_IMAGES_TXZ=$(pwd)/malcolm_"$(date +%Y.%m.%d_%H:%M:%S)"_${{ steps.extract_commit_sha.outputs.sha }}_images.tar.xz echo "Saving Malcolm Docker images to \"$DEST_IMAGES_TXZ\"" docker save "${IMAGES[@]}" | xz -1 > "$DEST_IMAGES_TXZ" for IMAGE in "${IMAGES[@]}"; do docker rmi "$IMAGE" done pushd ./malcolm-iso mkdir -p ./shared echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot sudo /usr/bin/env bash ./build.sh -r -d "$DEST_IMAGES_TXZ" rm -rf ./shared/ "$DEST_IMAGES_TXZ" sudo chmod 644 ./malcolm-*.* popd - name: Run Trivy vulnerability scanner id: trivy-scan uses: aquasecurity/trivy-action@master with: scan-type: 'fs' scan-ref: './malcolm-iso' format: 'sarif' output: 'trivy-results.sarif' severity: 'HIGH,CRITICAL' vuln-type: 'os,library' hide-progress: true ignore-unfixed: true exit-code: '0' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v2 if: always() with: sarif_file: 'trivy-results.sarif' - name: ghcr.io login uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ secrets.GITHUB_TOKEN }} - name: Build and push ISO image uses: docker/build-push-action@v5 with: context: ./malcolm-iso push: true tags: ghcr.io/${{ github.repository_owner }}/malcolm/malcolm:${{ steps.extract_branch.outputs.branch }}