mirror of
https://github.com/freedomofpress/dangerzone.git
synced 2025-04-28 18:02:38 +02:00
56663023f5
Some checks failed
Build dev environments / Build dev-env (debian-bookworm) (push) Has been cancelled
Build dev environments / Build dev-env (debian-bullseye) (push) Has been cancelled
Build dev environments / Build dev-env (debian-trixie) (push) Has been cancelled
Build dev environments / Build dev-env (fedora-40) (push) Has been cancelled
Build dev environments / Build dev-env (fedora-41) (push) Has been cancelled
Build dev environments / Build dev-env (ubuntu-20.04) (push) Has been cancelled
Build dev environments / Build dev-env (ubuntu-22.04) (push) Has been cancelled
Build dev environments / Build dev-env (ubuntu-24.04) (push) Has been cancelled
Build dev environments / Build dev-env (ubuntu-24.10) (push) Has been cancelled
Build dev environments / build-container-image (push) Has been cancelled
Tests / run-lint (push) Has been cancelled
Tests / build-container-image (push) Has been cancelled
Tests / Download and cache Tesseract data (push) Has been cancelled
Tests / check-reproducibility (push) Has been cancelled
Scan latest app and container / security-scan-container (ubuntu-24.04) (push) Has been cancelled
Scan latest app and container / security-scan-container (ubuntu-24.04-arm) (push) Has been cancelled
Scan latest app and container / security-scan-app (ubuntu-24.04) (push) Has been cancelled
Scan latest app and container / security-scan-app (ubuntu-24.04-arm) (push) Has been cancelled
Tests / build-deb (ubuntu 22.04) (push) Has been cancelled
Tests / windows (push) Has been cancelled
Tests / macOS (arch64) (push) Has been cancelled
Tests / build-deb (ubuntu 24.04) (push) Has been cancelled
Tests / macOS (x86_64) (push) Has been cancelled
Tests / build-deb (debian bookworm) (push) Has been cancelled
Tests / build-deb (debian bullseye) (push) Has been cancelled
Tests / build-deb (debian trixie) (push) Has been cancelled
Tests / build-deb (ubuntu 20.04) (push) Has been cancelled
Tests / build-deb (ubuntu 24.10) (push) Has been cancelled
Tests / install-deb (debian bookworm) (push) Has been cancelled
Tests / install-deb (debian bullseye) (push) Has been cancelled
Tests / install-deb (debian trixie) (push) Has been cancelled
Tests / install-deb (ubuntu 20.04) (push) Has been cancelled
Tests / install-deb (ubuntu 22.04) (push) Has been cancelled
Tests / install-deb (ubuntu 24.04) (push) Has been cancelled
Tests / install-deb (ubuntu 24.10) (push) Has been cancelled
Tests / build-install-rpm (fedora 40) (push) Has been cancelled
Tests / build-install-rpm (fedora 41) (push) Has been cancelled
Tests / run tests (debian bookworm) (push) Has been cancelled
Tests / run tests (debian bullseye) (push) Has been cancelled
Tests / run tests (debian trixie) (push) Has been cancelled
Tests / run tests (fedora 40) (push) Has been cancelled
Tests / run tests (fedora 41) (push) Has been cancelled
Tests / run tests (ubuntu 20.04) (push) Has been cancelled
Tests / run tests (ubuntu 22.04) (push) Has been cancelled
Tests / run tests (ubuntu 24.04) (push) Has been cancelled
Tests / run tests (ubuntu 24.10) (push) Has been cancelled
Scan ARM images using Anchore's scan action, by utilizing the Ubuntu ARM runners provided by GitHub. While our ARM images are used only in macOS silicon platforms, we can use the Ubuntu ARM runners just for scanning. Closes #1008
98 lines
3 KiB
YAML
98 lines
3 KiB
YAML
name: Scan latest app and container
|
|
on:
|
|
push:
|
|
branches:
|
|
- main
|
|
pull_request:
|
|
schedule:
|
|
- cron: '0 0 * * *' # Run every day at 00:00 UTC.
|
|
workflow_dispatch:
|
|
|
|
jobs:
|
|
security-scan-container:
|
|
strategy:
|
|
matrix:
|
|
runs-on:
|
|
- ubuntu-24.04
|
|
- ubuntu-24.04-arm
|
|
runs-on: ${{ matrix.runs-on }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
with:
|
|
fetch-depth: 0
|
|
- name: Install container build dependencies
|
|
run: |
|
|
sudo apt install pipx
|
|
pipx install poetry
|
|
pipx inject poetry poetry-plugin-export
|
|
poetry install --only package
|
|
- name: Bump date of Debian snapshot archive
|
|
run: |
|
|
date=$(date "+%Y%m%d")
|
|
sed -i "s/DEBIAN_ARCHIVE_DATE=[0-9]\+/DEBIAN_ARCHIVE_DATE=${date}/" Dockerfile.env
|
|
make Dockerfile
|
|
- name: Build container image
|
|
run: python3 ./install/common/build-image.py --runtime docker --no-save
|
|
- name: Get image tag
|
|
id: tag
|
|
run: echo "tag=$(cat share/image-id.txt)" >> $GITHUB_OUTPUT
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan container image (no fail)
|
|
uses: anchore/scan-action@v6
|
|
id: scan_container
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload container scan report
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ steps.scan_container.outputs.sarif }}
|
|
category: container
|
|
- name: Inspect container scan report
|
|
run: cat ${{ steps.scan_container.outputs.sarif }}
|
|
- name: Scan container image
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
image: "dangerzone.rocks/dangerzone:${{ steps.tag.outputs.tag }}"
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
|
|
security-scan-app:
|
|
strategy:
|
|
matrix:
|
|
runs-on:
|
|
- ubuntu-24.04
|
|
- ubuntu-24.04-arm
|
|
runs-on: ${{ matrix.runs-on }}
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@v4
|
|
# NOTE: Scan first without failing, else we won't be able to read the scan
|
|
# report.
|
|
- name: Scan application (no fail)
|
|
uses: anchore/scan-action@v6
|
|
id: scan_app
|
|
with:
|
|
path: "."
|
|
fail-build: false
|
|
only-fixed: false
|
|
severity-cutoff: critical
|
|
- name: Upload application scan report
|
|
uses: github/codeql-action/upload-sarif@v3
|
|
with:
|
|
sarif_file: ${{ steps.scan_app.outputs.sarif }}
|
|
category: app
|
|
- name: Inspect application scan report
|
|
run: cat ${{ steps.scan_app.outputs.sarif }}
|
|
- name: Scan application
|
|
uses: anchore/scan-action@v6
|
|
with:
|
|
path: "."
|
|
fail-build: true
|
|
only-fixed: false
|
|
severity-cutoff: critical
|