Alexis Métaireau
b84463a6ce
Also install docker
2024-11-25 18:48:16 +01:00
Alexis Métaireau
19eba9ec94
Use colima on the mac runners 2024-11-25 18:44:04 +01:00
Alexis Métaireau
cee13ad9a0
Use bash 2024-11-25 18:37:34 +01:00
Alexis Métaireau
9eb87aa652
Use cut rather than shell expension 2024-11-25 18:34:00 +01:00


@ -10,20 +10,41 @@ jobs:
strategy:
matrix:
include:
# - runs-on: ubuntu-latest
# arch: i686
- runs-on: ubuntu-latest
arch: i686
- runs-on: macos-latest
arch: arm64
runs-on: ${{ matrix.runs-on }}
defaults:
run:
shell: bash
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup Docker and Colima (macOS only)
if: runner.os == 'macOS'
run: |
brew install docker colima
colima start
# Wait for Docker daemon to be ready
timeout=30
while ! docker info >/dev/null 2>&1; do
if [ $timeout -le 0 ]; then
echo "Timed out waiting for Docker daemon"
exit 1
fi
timeout=$((timeout-1))
sleep 1
done
- name: Download container image for the latest release and load it
run: |
VERSION=$(curl https://api.github.com/repos/freedomofpress/dangerzone/releases/latest | grep "tag_name" | cut -d '"' -f 4)
CONTAINER_FILENAME=container-${VERSION:1}-${{ matrix.arch }}.tar.gz
wget https://github.com/freedomofpress/dangerzone/releases/download/${VERSION}/${CONTAINER_FILENAME} -O ${CONTAINER_FILENAME}
docker load -i ${CONTAINER_FILENAME}
# NOTE: Scan first without failing, else we won't be able to read the scan
# report.
- name: Scan container image (no fail)
@ -34,13 +55,16 @@ jobs:
fail-build: false
only-fixed: false
severity-cutoff: critical
- name: Upload container scan report
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.scan_container.outputs.sarif }}
category: container-${{ matrix.arch }}
- name: Inspect container scan report
run: cat ${{ steps.scan_container.outputs.sarif }}
- name: Scan container image
uses: anchore/scan-action@v5
with:
@ -49,6 +73,10 @@ jobs:
only-fixed: false
severity-cutoff: critical
- name: Cleanup Colima (macOS only)
if: runner.os == 'macOS'
run: colima stop
security-scan-app:
runs-on: ubuntu-latest
steps:
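Review bot: The "Download container image" step in the first hunk feeds whatever tarball the release URL returns straight into `docker load` with no integrity check, and the version lookup is an unauthenticated `curl` of the releases API parsed with grep/cut, so a rate-limited or error response (no `tag_name`) only surfaces later as an opaque pipeline or wget failure. Use `curl -fsSL` so HTTP errors fail where they happen, and add an explicit guard after the lookup: `[ -n "$VERSION" ] || { echo "Could not determine latest release tag" >&2; exit 1; }`. If the release publishes a checksum or signature for the container archive, verify it before `docker load` so the scan report demonstrably covers the artifact that was shipped; quoting `"$CONTAINER_FILENAME"` in the wget and docker load lines is also cheap hygiene. The same hunk's Colima wait loop looks fine, but the `Cleanup Colima` step in the last hunk will be skipped when an earlier step fails unless it carries `if: always() && runner.os == 'macOS'`.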