

Set up GitHub Actions
WyriHaximus committed Nov 11, 2019
1 parent ed23820 commit 0e3534b
Showing 6 changed files with 137 additions and 14 deletions.
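--- a/.docker/security/docker-compose.yml
+++ b/.docker/security/docker-compose.yml
@@ -0,0 +1,21 @@
+version: '3.2'
+services:
+postgres:
+container_name: clair_postgres
+# This image provides a nightly build with updated vulnerability databases
+# once setting up clair from scratch can take up to 30 minutes
+image: arminc/clair-db:latest
+restart: unless-stopped
+environment:
+POSTGRES_PASSWORD: password
+
+clair:
+container_name: clair_clair
+image: arminc/clair-local-scan:v2.0.4
+restart: unless-stopped
+depends_on:
+- postgres
+ports:
+- "6060-6061:6060-6061"
+links:
+- postgres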
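Review bot: The Clair API is published on every host interface by `- "6060-6061:6060-6061"`, and the database behind it is protected only by the literal `POSTGRES_PASSWORD: password`; that is tolerable on a throw-away CI runner, but the Makefile's local `scan-vulnerability` target uses this same file on developer machines, where anyone on the LAN can then drive the scanner. Bind the ports to loopback with `- "127.0.0.1:6060-6061:6060-6061"`: clair-scanner reaches Clair on localhost, and Clair calls back to the scanner via the `--ip 172.17.0.1` passed in the Makefile, so neither side appears to need the wider binding (worth confirming on a run). The postgres service publishes no ports, so the weak password is reachable only from the compose network, but pulling it from an environment variable with a default (`POSTGRES_PASSWORD: "${CLAIR_DB_PASSWORD:-password}"`) costs nothing. `arminc/clair-db:latest` floats on purpose to pick up the nightly vulnerability data, and the comment should say "kept on latest deliberately" so nobody pins it later; `clair-local-scan` is already pinned.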
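--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,96 @@
+name: Continuous Integration
+env:
+DOCKER_IMAGE: wyrihaximusnet/php
+on:
+push:
+branches:
+- master
+pull_request:
+schedule:
+- cron: '33 7 * * *'
+jobs:
+lint:
+runs-on: ubuntu-latest
+strategy:
+matrix:
+type: [zts, nts]
+steps:
+- uses: actions/checkout@v1
+- name: Lint ${{ matrix.type }}
+uses: docker://hadolint/hadolint:latest-debian
+with:
+entrypoint: hadolint
+args: Dockerfile-${{ matrix.type }}
+build:
+needs: lint
+runs-on: ubuntu-latest
+strategy:
+matrix:
+type: [zts, nts]
+steps:
+- uses: actions/checkout@v1
+- run: mkdir ./docker-image/
+- run: make build-${{ matrix.type }}
+- run: cat ./docker-image/build-${{ matrix.type }}.tags | xargs -I % docker inspect --format='%={{.Id}}:{{index .ContainerConfig.Env 7}}' %
+- run: docker save "${DOCKER_IMAGE}" -o ./docker-image/docker_image-${{ matrix.type }}.tar
+- uses: actions/upload-artifact@master
+with:
+name: docker-image-${{ matrix.type }}
+path: ./docker-image
+scan-vulnerability:
+needs: build
+runs-on: ubuntu-latest
+strategy:
+matrix:
+type: [zts, nts]
+steps:
+- uses: actions/checkout@v1
+- name: Install clair-scanner
+run: |
+sudo curl -L https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64 -o /usr/local/bin/clair-scanner
+sudo chmod +x /usr/local/bin/clair-scanner
+- uses: actions/download-artifact@master
+with:
+name: docker-image-${{ matrix.type }}
+path: ./docker-image
+- run: docker load --input ./docker-image/docker_image-${{ matrix.type }}.tar
+- run: mkdir -p "./clair/${DOCKER_IMAGE}"
+- run: make ci-scan-vulnerability
+test:
+needs: build
+runs-on: ubuntu-latest
+strategy:
+matrix:
+type: [zts, nts]
+steps:
+- uses: actions/checkout@v1
+- uses: actions/download-artifact@master
+with:
+name: docker-image-${{ matrix.type }}
+path: ./docker-image
+- run: docker load --input ./docker-image/docker_image-${{ matrix.type }}.tar
+- run: make test-${{ matrix.type }}
+- run: rm -Rf ./docker-image/
+push:
+needs:
+- scan-vulnerability
+- test
+runs-on: ubuntu-latest
+strategy:
+matrix:
+type: [zts, nts]
+steps:
+- uses: actions/checkout@v1
+if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/move-to-github-actions'
+- uses: actions/download-artifact@master
+if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/move-to-github-actions'
+with:
+name: docker-image-${{ matrix.type }}
+path: ./docker-image
+- run: docker load --input ./docker-image/docker_image-${{ matrix.type }}.tar
+if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/move-to-github-actions'
+- run: make ci-push-${{ matrix.type }}
+if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/move-to-github-actions'
+env:
+DOCKER_USER: ${{ secrets.HUB_USERNAME }}
+DOCKER_PASSWORD: ${{ secrets.HUB_PASSCODE }}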
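Review bot: The scan-vulnerability job runs an unverified binary with root rights: `sudo curl -L .../clair-scanner/releases/download/v8/clair-scanner_linux_amd64 -o /usr/local/bin/clair-scanner` followed by `sudo chmod +x` trusts whatever the release URL serves on that day, so a replaced asset or a redirect would execute on every build. Record the asset's digest in the workflow and check it before the chmod, e.g. `echo "<sha256 from the v8 release>  /usr/local/bin/clair-scanner" | sha256sum -c -` (the value must be taken from the published release, not typed from memory), and pin the floating refs `actions/upload-artifact@master`, `actions/download-artifact@master` and `hadolint/hadolint:latest-debian` to a tag or commit SHA for the same reason. Separately, the push job can never run as written: `on.push.branches` lists only `master` and scheduled runs execute on the default branch, yet every step in `push` is gated on `github.ref == 'refs/heads/move-to-github-actions'`, so either the branch filter or that condition is stale. Keeping the gate is still right for secrets hygiene, since it is what keeps `HUB_USERNAME`/`HUB_PASSCODE` out of `pull_request` runs, but it should name the branch that actually triggers the workflow.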
3 changes: 3 additions & 0 deletions Dockerfile-nts
Expand Up @@ -12,6 +12,7 @@ RUN git fetch \
cp "$EXTENSION_DIR/uv.so" /uv.so
RUN sha256sum /uv.so

## Build ext-meminfo
FROM php:7.3-cli-alpine AS build-meminfo
RUN apk update && \
apk add --no-cache $PHPIZE_DEPS git libuv-dev && \
Expand Down Expand Up @@ -82,8 +83,10 @@ FROM nts-root AS nts-dev-root
# Install docker help scripts
COPY src/php/utils/docker/ /usr/local/bin/

RUN true
# Copy in meminfo extension
COPY --from=build-meminfo /meminfo.so /meminfo.so
RUN true

RUN EXTENSION_DIR=`php-config --extension-dir 2>/dev/null` \
&& mv /*.so "$EXTENSION_DIR/" \
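Review bot: The two bare `RUN true` instructions added around `COPY --from=build-meminfo /meminfo.so /meminfo.so` have no explanation; they look like the common no-op-layer workaround for the Docker build-cache failure seen with back-to-back `COPY --from` steps, but to the next reader they are dead instructions and will be removed in a cleanup. Add a comment above the first one such as `# Workaround: no-op layer between COPY --from steps avoids a Docker layer-cache build failure; do not remove`, ideally with a link to the upstream issue if that is indeed the cause. The `RUN EXTENSION_DIR=...` command at the end of this hunk continues outside it.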
3 changes: 3 additions & 0 deletions Dockerfile-zts
Expand Up @@ -26,6 +26,7 @@ RUN git fetch \
cp "$EXTENSION_DIR/uv.so" /uv.so
RUN sha256sum /uv.so

## Build ext-meminfo
FROM php:7.3-zts-alpine AS build-meminfo
RUN apk update && \
apk add --no-cache $PHPIZE_DEPS git libuv-dev && \
Expand Down Expand Up @@ -103,8 +104,10 @@ FROM zts-root AS zts-dev-root
# Install docker help scripts
COPY src/php/utils/docker/ /usr/local/bin/

RUN true
# Copy in meminfo extension
COPY --from=build-meminfo /meminfo.so /meminfo.so
RUN true

RUN EXTENSION_DIR=`php-config --extension-dir 2>/dev/null` \
&& mv /*.so "$EXTENSION_DIR/" \
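Review bot: As in the nts Dockerfile, the `RUN true` lines bracketing `COPY --from=build-meminfo /meminfo.so /meminfo.so` are unexplained no-ops; if they are the workaround for the Docker cache failure with consecutive `COPY --from` steps, say so, otherwise they will be deleted as noise. A one-line comment above the first, `# Workaround for a Docker layer-cache failure around COPY --from; do not remove`, is enough. The trailing `RUN EXTENSION_DIR=...` command is cut off by the hunk.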
20 changes: 10 additions & 10 deletions Makefile
Expand Up @@ -22,16 +22,16 @@ build-zts: clean-tags

.NOTPARALLEL: clean-tags
clean-tags:
rm ${current_dir}/tmp/build-${BUILDINGIMAGE}.tags || true
rm ${current_dir}/docker-image/build-${BUILDINGIMAGE}.tags || true

# Docker images push
push-nts: BUILDINGIMAGE=nts
push-nts:
cat ./tmp/build-${BUILDINGIMAGE}.tags | xargs -I % docker push %
cat ./docker-image/build-${BUILDINGIMAGE}.tags | xargs -I % docker push %

push-zts: BUILDINGIMAGE=zts
push-zts:
cat ./tmp/build-${BUILDINGIMAGE}.tags | xargs -I % docker push %
cat ./docker-image/build-${BUILDINGIMAGE}.tags | xargs -I % docker push %

# CI dependencies
ci-docker-login:
Expand All @@ -42,21 +42,21 @@ lint:

test: test-cli test-fpm test-http

test-nts: ./tmp/build-nts.tags
xargs -I % ./test-nts.sh % < ./tmp/build-nts.tags
test-nts: ./docker-image/build-nts.tags
xargs -I % ./test-nts.sh % < ./docker-image/build-nts.tags

test-zts: ./tmp/build-zts.tags
xargs -I % ./test-zts.sh % < ./tmp/build-zts.tags
test-zts: ./docker-image/build-zts.tags
xargs -I % ./test-zts.sh % < ./docker-image/build-zts.tags

scan-vulnerability:
docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log % || echo "% is vulnerable"'
cat ./docker-image/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./docker-imageclair/%.json" -l ./clair/clair.log % || echo "% is vulnerable"'
docker-compose -f test/security/docker-compose.yml -p clair-ci down

ci-scan-vulnerability:
docker-compose -f test/security/docker-compose.yml -p clair-ci up -d
RETRIES=0 && while ! wget -T 10 -q -O /dev/null http://localhost:6060/v1/namespaces ; do sleep 1 ; echo -n "." ; if [ $${RETRIES} -eq 10 ] ; then echo " Timeout, aborting." ; exit 1 ; fi ; RETRIES=$$(($${RETRIES}+1)) ; done
cat ./tmp/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./tmp/clair/%.json" -l ./tmp/clair/clair.log %'; \
cat ./docker-image/build-*.tags | xargs -I % sh -c 'clair-scanner --ip 172.17.0.1 -r "./clair/%.json" -l ./clair/clair.log %'; \
XARGS_EXIT=$$?; \
if [ $${XARGS_EXIT} -eq 123 ]; then find ./tmp/clair/wyrihaximusnet -type f | sed 's/^/-Fjson=@/' | xargs -d'\n' curl -X POST ${WALLE_REPORT_URL} -F channel=team_oz -F buildUrl=https://circleci.com/gh/wyrihaximusnet/docker-php/${CIRCLE_BUILD_NUM}#artifacts/containers/0; else exit $${XARGS_EXIT}; fi
if [ $${XARGS_EXIT} -eq 123 ]; then find ./clair/wyrihaximusnet -type f | sed 's/^/-Fjson=@/' | xargs -d'\n' curl -X POST ${WALLE_REPORT_URL} -F channel=team_oz -F buildUrl=https://circleci.com/gh/wyrihaximusnet/docker-php/${CIRCLE_BUILD_NUM}#artifacts/containers/0; else exit $${XARGS_EXIT}; fi
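Review bot: The new `scan-vulnerability` line writes reports to `-r "./docker-imageclair/%.json"`, which is missing a slash; `ci-scan-vulnerability` and the workflow's `mkdir -p "./clair/${DOCKER_IMAGE}"` both use `./clair/`, so the local target should read `-r "./clair/%.json"` as well. Both targets still bring Clair up with `-f test/security/docker-compose.yml`, while this commit adds the compose file at `.docker/security/docker-compose.yml`; unless a copy also exists under `test/security/` (not visible here), `make ci-scan-vulnerability` fails before any image is scanned. In `ci-scan-vulnerability` the vulnerable branch (`XARGS_EXIT` = 123) only POSTs the reports, so the recipe's exit status is curl's and a finding does not by itself fail the job that gates `push`; today it fails only because `${WALLE_REPORT_URL}` and `${CIRCLE_BUILD_NUM}` are unset under GitHub Actions and curl rejects the empty URL. Make the gate explicit with `...; exit 1; else exit $${XARGS_EXIT}; fi` and replace the CircleCI report URL with the equivalent Actions run URL or drop the reporting step.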
8 changes: 4 additions & 4 deletions build-php.sh
Expand Up @@ -21,16 +21,16 @@ declare -r WYRIHAXIMUSNET_TAG_DEV="${WYRIHAXIMUSNET_TAG}-dev"
declare -r WYRIHAXIMUSNET_TAG_ROOT="${WYRIHAXIMUSNET_TAG}-root"
declare -r WYRIHAXIMUSNET_TAG_DEV_ROOT="${WYRIHAXIMUSNET_TAG}-dev-root"

declare -r TAG_FILE="./tmp/build-${DST_IMAGE}.tags"
declare -r TAG_FILE="./docker-image/build-${DST_IMAGE}.tags"

sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --no-cache --pull -t "${WYRIHAXIMUSNET_TAG}" --target="${DST_IMAGE}" -f - . \
&& echo "$WYRIHAXIMUSNET_TAG" >> "$TAG_FILE"

sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --no-cache --pull -t "${WYRIHAXIMUSNET_TAG_DEV}" --target="${DST_IMAGE}-dev" -f - . \
sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --pull -t "${WYRIHAXIMUSNET_TAG_DEV}" --target="${DST_IMAGE}-dev" -f - . \
&& echo "$WYRIHAXIMUSNET_TAG_DEV" >> "$TAG_FILE"

sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --no-cache --pull -t "${WYRIHAXIMUSNET_TAG_ROOT}" --target="${DST_IMAGE}-root" -f - . \
sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --pull -t "${WYRIHAXIMUSNET_TAG_ROOT}" --target="${DST_IMAGE}-root" -f - . \
&& echo "$WYRIHAXIMUSNET_TAG_ROOT" >> "$TAG_FILE"

sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --no-cache --pull -t "${WYRIHAXIMUSNET_TAG_DEV_ROOT}" --target="${DST_IMAGE}-dev-root" -f - . \
sed -E "s/${IMAGE_ORIGINAL_TAG}/${IMAGE_TAG}/g" "Dockerfile-${DST_IMAGE}" | docker build --pull -t "${WYRIHAXIMUSNET_TAG_DEV_ROOT}" --target="${DST_IMAGE}-dev-root" -f - . \
&& echo "$WYRIHAXIMUSNET_TAG_DEV_ROOT" >> "$TAG_FILE"
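Review bot: Dropping `--no-cache` from the dev, root and dev-root builds makes their freshness depend on the first `--no-cache` build having just repopulated the cache on the same daemon; if that first build fails, nothing visible in this hunk stops the script (no `set -e` is shown, so this is inferred), the later targets can be satisfied from stale layers of an earlier run, and their tags are still appended to `$TAG_FILE` and flow on to scan, test and push. Abort when the base target fails, e.g. `|| exit 1` after the first `&& echo "$WYRIHAXIMUSNET_TAG" >> "$TAG_FILE"`, or `set -euo pipefail` at the top of the script if it is not already there. `--pull` is kept on all four builds, so the upstream base image is still refreshed each run, which is the part that matters for picking up security fixes.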
