@@ -36,26 +36,117 @@ jobs:
3636 CodeQL :
3737 needs : validation
3838 runs-on : ubuntu-latest
39+ name : Analyze TypeScript
40+ permissions :
41+ security-events : write
42+ packages : read
43+ actions : read
44+ contents : read
45+
46+ strategy :
47+ fail-fast : false
48+ matrix :
49+ include :
50+ - language : javascript-typescript
51+ build-mode : none
52+
3953 steps :
40- - name : Checkout
54+ - name : Checkout repository
4155 uses : actions/checkout@v4
4256
43- - name : CodeQL
44- uses : ./.github/workflows/codeql.yaml
57+ - name : Initialize CodeQL
58+ uses : github/codeql-action/init@v3
59+ with :
60+ languages : ${{ matrix.language }}
61+ build-mode : ${{ matrix.build-mode }}
62+ queries : security-extended
63+
64+ - if : matrix.build-mode == 'manual'
65+ shell : bash
66+ run : |
67+ echo 'If you are using a "manual" build mode for one or more of the' \
68+ 'languages you are analyzing, replace this with the commands to build' \
69+ 'your code, for example:'
70+ echo ' make bootstrap'
71+ echo ' make release'
72+ exit 1
73+
74+ - name : Perform CodeQL Analysis
75+ uses : github/codeql-action/analyze@v3
76+ with :
77+ category : " /language:${{ matrix.language }}"
78+
79+ - name : Set Marker for Workflow Completion
80+ run : echo "codeql_complete=true" >> $GITHUB_ENV
4581
4682 Anchore :
4783 needs : validation
4884 runs-on : ubuntu-latest
4985 steps :
50- - name : Checkout
51- uses : actions/checkout@v4
86+ - name : Set up Grype installation path
87+ run : echo "$HOME/bin" >> $GITHUB_PATH
88+
89+ - name : Download Grype
90+ run : |
91+ curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b $HOME/bin
92+
93+ - uses : actions/checkout@v4
94+
95+ - name : Build the Container image
96+ run : docker build . --file Dockerfile --tag localbuild/testimage:latest
5297
53- - name : Anchore
54- uses : ./.github/workflows/anchore.yaml
98+ - name : Run Grype test
99+ run : grype -o sarif localbuild/testimage:latest > results.sarif
100+
101+ - name : Upload Anchore scan SARIF report
102+ uses : github/codeql-action/upload-sarif@v3
103+ with :
104+ sarif_file : ./results.sarif
55105
56106 test-building :
57107 needs : [CodeQL, Anchore]
58108 runs-on : ubuntu-latest
59109 steps :
60- - name : Test build
61- uses : ./.github/workflows/build-test.yaml
110+ - name : Checkout repository
111+ uses : actions/checkout@v4
112+
113+ - name : Set up Node.js version from .nvmrc
114+ run : |
115+ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash
116+ export NVM_DIR="$HOME/.nvm"
117+ [ -s "$NVM_DIR/nvm.sh" ] && . "$NVM_DIR/nvm.sh"
118+ nvm install
119+ nvm use
120+ node -v
121+ npm -v
122+
123+ - name : Set up QEMU
124+ uses : docker/setup-qemu-action@v3
125+
126+ - name : Set up Docker Buildx
127+ uses : docker/setup-buildx-action@v3
128+
129+ - name : Login to Github Container Registry
130+ uses : docker/login-action@v3
131+ with :
132+ registry : ghcr.io
133+ username : ${{ github.repository_owner }}
134+ password : ${{ secrets.GITHUB_TOKEN }}
135+
136+ - name : Generate Docker tags
137+ uses : docker/metadata-action@v5
138+ id : metadata
139+ with :
140+ images : ghcr.io/${{ github.repository }}
141+ tags : |
142+ type=raw,enable=true,priority=200,prefix=,suffix=,value=${{ github.sha }}
143+
144+ - name : Build and Push Docker Images
145+ uses : docker/build-push-action@v6
146+ with :
147+ platforms : linux/amd64,linux/arm64
148+ push : false
149+ tags : ${{ steps.metadata.outputs.tags }}
150+ labels : ${{ steps.metadata.outputs.labels }}
151+ cache-from : type=gha
152+ cache-to : type=gha,mode=max
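Review bot: The Anchore job installs Grype by piping `https://raw.githubusercontent.com/anchore/grype/main/install.sh` straight into `sh` with no version pin and no checksum, so whatever sits at the head of that branch executes in the runner with the job's token on every run; pin a release (`sh -s -- -b $HOME/bin -v <release-tag>`) or use the maintained `anchore/scan-action`, and pin every `uses:` reference in the hunk to a commit SHA rather than a floating major tag. The same job has no `permissions:` block, yet `github/codeql-action/upload-sarif@v3` needs `security-events: write` (the CodeQL job grants it explicitly), so unless a workflow-level `permissions:` outside this hunk provides it the upload will fail under a read-only default token; add `permissions: { security-events: write, contents: read }` to the Anchore job. `grype -o sarif localbuild/testimage:latest > results.sarif` exits 0 regardless of findings because no `--fail-on` is given, so `test-building` proceeds even when the image carries critical CVEs; if the scan is meant to gate the build, add `--fail-on <severity>`. Separately, `echo "codeql_complete=true" >> $GITHUB_ENV` is scoped to the CodeQL job and is not visible to `test-building`; if it is intended as a cross-job signal it needs to be a job `outputs:` entry instead.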