Update wyrihaximusnet/php Docker tag to v8.4 #567
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Continuous Integration | |
env: | |
DOCKER_IMAGE: wyrihaximusnet/redirect | |
DOCKER_IMAGE_REGISTRIES_SECRET_MAPPING: '{"ghcr.io":"GHCR_TOKEN","docker.io":"HUB_PASSCODE"}' | |
on: | |
push: | |
schedule: | |
- cron: '0 0 * * 0' | |
jobs: | |
registry-matrix: | |
name: Extract registries from registry secret mapping | |
runs-on: ubuntu-latest | |
outputs: | |
registry: ${{ steps.registry-matrix.outputs.registry }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: registry-matrix | |
name: Extract registries from registry secret mapping | |
run: | | |
echo "::set-output name=registry::$(printenv DOCKER_IMAGE_REGISTRIES_SECRET_MAPPING | jq -c 'keys')" | |
generate-image-strategy: | |
name: Generate Image Strategy | |
runs-on: ubuntu-latest | |
outputs: | |
images: ${{ steps.generate-image-strategy.outputs.images }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: generate-image-strategy | |
name: Generate Jobs | |
run: | | |
ls images | jq -csR '. + "random" | split("\n")' > images.list | |
cat images.list | |
echo "::set-output name=images::$(cat images.list)" | |
generate-rule-strategy: | |
name: Generate Rules Strategy | |
runs-on: ubuntu-latest | |
outputs: | |
rules: ${{ steps.generate-rule-strategy.outputs.rules }} | |
steps: | |
- uses: actions/checkout@v4 | |
- id: generate-rule-strategy | |
name: Generate Jobs | |
run: | | |
ls tests/rules | jq -csR '. | rtrimstr("\n") | split("\n")' > rules.list | |
cat rules.list | |
echo "::set-output name=rules::$(cat rules.list)" | |
lint-dockerfile: | |
name: Lint ${{ matrix.image }}'s Dockerfile | |
needs: | |
- generate-image-strategy | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJson(needs.generate-image-strategy.outputs.images) }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
if: matrix.image != 'random' | |
- name: Lint Dockerfile | |
if: matrix.image != 'random' | |
uses: docker://hadolint/hadolint:latest-debian | |
with: | |
entrypoint: hadolint | |
args: ./images/${{ matrix.image }}/Dockerfile | |
build-docker-image: | |
name: Build ${{ matrix.image }} Docker | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJson(needs.generate-image-strategy.outputs.images) }} | |
needs: | |
- generate-image-strategy | |
- lint-dockerfile | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- run: cp -R $(echo -e "./images/$(ls ./images/ | shuf -n 1)") ./images/random | |
if: matrix.image == 'random' | |
- run: docker image build --build-arg BUILD_DATE=`date -u +"%Y-%m-%dT%H:%M:%SZ"` --build-arg VCS_REF=`git rev-parse --short HEAD` -t "${DOCKER_IMAGE}:${{ matrix.image }}" --no-cache --build-arg VERSION=$TAG_VERSION ./images/${{ matrix.image }}/ | |
- run: mkdir ./docker-image | |
- run: docker save "${DOCKER_IMAGE}:${{ matrix.image }}" -o ./docker-image/docker_image.tar | |
- uses: actions/upload-artifact@master | |
with: | |
name: docker-image-${{ matrix.image }} | |
path: ./docker-image | |
scan-vulnerability: | |
name: Scan ${{ matrix.image }} for vulnerabilities | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJson(needs.generate-image-strategy.outputs.images) }} | |
needs: | |
- generate-image-strategy | |
- build-docker-image | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@master | |
with: | |
name: docker-image-${{ matrix.image }} | |
path: ./docker-image | |
- run: docker load --input ./docker-image/docker_image.tar | |
- run: rm -Rf ./docker-image/ | |
- run: echo -e "${DOCKER_IMAGE}:${{ matrix.image }}" | xargs -I % sh -c 'docker run -v /tmp/trivy:/var/lib/trivy -v /var/run/docker.sock:/var/run/docker.sock -t aquasec/trivy:latest --cache-dir /var/lib/trivy image --exit-code 1 --no-progress --format table %' | |
tests: | |
name: Test ${{ matrix.image }} against ${{ matrix.rule }} | |
needs: | |
- generate-image-strategy | |
- generate-rule-strategy | |
- scan-vulnerability | |
strategy: | |
fail-fast: false | |
matrix: | |
image: ${{ fromJson(needs.generate-image-strategy.outputs.images) }} | |
rule: ${{ fromJson(needs.generate-rule-strategy.outputs.rules) }} | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: actions/download-artifact@master | |
with: | |
name: docker-image-${{ matrix.image }} | |
path: ./docker-image | |
- run: docker load --input ./docker-image/docker_image.tar | |
- name: Start image ${{ matrix.image }} | |
run: docker run -d --rm -v ${GITHUB_WORKSPACE}/${REDIRECT_CONFIG_FILE}:/etc/redirect/config.yaml ${DOCKER_IMAGE}:${{ matrix.image }} | |
env: | |
IMAGE: ${{ steps.build.outputs.tag }} | |
REDIRECT_CONFIG_FILE: tests/rules/${{ matrix.rule }}/config.yaml | |
- name: Get running image ID | |
id: ps | |
run: printf "::set-output name=id::%s" $(docker ps --format "{{.ID}}") | |
env: | |
IMAGE: ${{ steps.build.outputs.tag }} | |
- name: Get running image IP | |
id: inspect | |
run: printf "::set-output name=ip::%s" $(docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' ${IMAGE_ID}) | |
env: | |
IMAGE_ID: ${{ steps.ps.outputs.id }} | |
- name: Sleep 13 seconds before attempting to connect | |
run: sleep 13 | |
- name: Test that redirect port is reachable | |
run: curl http://${IMAGE_IP}:7132/ | |
env: | |
IMAGE_IP: ${{ steps.inspect.outputs.ip }} | |
- name: Test that metrics port is reachable | |
run: curl http://${IMAGE_IP}:7133/ | |
env: | |
IMAGE_IP: ${{ steps.inspect.outputs.ip }} | |
- name: Run unit tests ${{ matrix.rule }} against ${{ matrix.image }} | |
run: docker run -i loadimpact/k6 run -u 1000 -d 30s -e IMAGE_IP=${IMAGE_IP} -< ${SCRIPT_FILEIMAGE} | |
env: | |
IMAGE: ${{ matrix.image }} | |
IMAGE_IP: ${{ steps.inspect.outputs.ip }} | |
IMAGE_ID: ${{ steps.ps.outputs.id }} | |
SCRIPT_FILEIMAGE: ./tests/rules/${{ matrix.rule }}/unit.js | |
- name: Run metrics tests ${{ matrix.rule }} against ${{ matrix.image }} | |
run: docker run -i loadimpact/k6 run -u 10 -d 10s -e IMAGE_IP=${IMAGE_IP} -< ${SCRIPT_FILEIMAGE} | |
env: | |
IMAGE: ${{ matrix.image }} | |
IMAGE_IP: ${{ steps.inspect.outputs.ip }} | |
IMAGE_ID: ${{ steps.ps.outputs.id }} | |
SCRIPT_FILEIMAGE: ./tests/rules/${{ matrix.rule }}/metrics.js | |
- name: Docker logs for image ${{ matrix.image }} | |
run: docker logs ${IMAGE_ID} | |
env: | |
IMAGE_ID: ${{ steps.ps.outputs.id }} | |
push-image: | |
if: (github.event_name == 'push' || github.event_name == 'schedule') && github.ref == 'refs/heads/master' | |
name: Push ${{ matrix.image }} to ${{ matrix.registry }} | |
strategy: | |
fail-fast: false | |
matrix: | |
registry: ${{ fromJson(needs.registry-matrix.outputs.registry) }} | |
image: ${{ fromJson(needs.generate-image-strategy.outputs.images) }} | |
needs: | |
- generate-image-strategy | |
- tests | |
- registry-matrix | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/download-artifact@master | |
with: | |
name: docker-image-${{ matrix.image }} | |
path: ./docker-image | |
- run: docker load --input ./docker-image/docker_image.tar | |
- run: rm -Rf ./docker-image/ | |
- name: Login to ${{ matrix.registry }} | |
run: | | |
echo "${{ env.DOCKER_PASSWORD }}" | \ | |
docker login ${{ matrix.registry }} \ | |
--username "${{ env.DOCKER_USER }}" \ | |
--password-stdin | |
env: | |
DOCKER_USER: ${{ secrets.HUB_USERNAME }} | |
DOCKER_PASSWORD: ${{ secrets[fromJson(env.DOCKER_IMAGE_REGISTRIES_SECRET_MAPPING)[matrix.registry]] }} | |
- name: Docker info | |
run: docker info | |
- run: docker tag ${DOCKER_IMAGE}:${{ matrix.image }} ${{ matrix.registry }}/${DOCKER_IMAGE}:${{ matrix.image }} | |
- name: Echo full tag | |
run: echo -e "${{ matrix.registry }}/${DOCKER_IMAGE}:${{ matrix.image }}" | |
- name: Push image to Docker Hub | |
run: docker push "${{ matrix.registry }}/${DOCKER_IMAGE}:${{ matrix.image }}" |