docker-salt-master/.github/workflows/build-and-test.yml
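# Build the multi-arch docker-salt-master image, smoke-test it per platform,
# and scan the amd64 variant with Trivy.
#
# Trigger is `pull_request` (not `pull_request_target`), so the PR's code is
# built and run with the PR-scoped token rather than the base repository's.
#
# NOTE(review): every `uses:` below references a mutable tag or branch.
# Pinning third-party actions to a full commit SHA prevents an upstream
# re-tag from changing what runs here.
name: Build and test Docker image

on:
  pull_request:
    branches:
      - master

env:
  IMAGE_NAME: localhost:5000/cdalvaro/docker-salt-master:${{ github.sha }}
  REGISTRY_PATH: ${{ github.workspace }}/registry
  CACHE_PATH: /tmp/.buildx-cache

jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    # Least privilege: this job only needs to read the repository.
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v2

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v1

      # Throwaway local registry; its storage directory is handed to the
      # later jobs as an artifact so they test exactly the image built here.
      - name: Start Docker registry
        run: |
          docker run -d -p 5000:5000 -v "${REGISTRY_PATH}:/var/lib/registry" --name registry registry:2

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v1
        with:
          # Host networking lets the BuildKit container reach localhost:5000.
          driver-opts: network=host

      - name: Cache Docker layers
        uses: actions/cache@v2
        with:
          path: ${{ env.CACHE_PATH }}
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      - name: Build docker-salt-master image
        uses: docker/build-push-action@v2
        with:
          context: .
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          cache-from: |
            type=local,src=${{ env.CACHE_PATH }}
            ghcr.io/cdalvaro/docker-salt-master:latest
          cache-to: type=local,dest=${{ env.CACHE_PATH }}
          push: true
          tags: ${{ env.IMAGE_NAME }}

      - name: Stop Docker registry
        run: docker stop registry

      - name: Upload Docker registry data for testing
        uses: actions/upload-artifact@v2
        with:
          name: docker-registry-data
          path: ${{ env.REGISTRY_PATH }}/

  test:
    name: Test
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
    strategy:
      matrix:
        platform: [linux/amd64, linux/arm64]
    env:
      DOCKER_CLI_EXPERIMENTAL: enabled
      SALTAPI_URL: https://localhost:8000/
      SALTAPI_USER: salt_api
      # Throwaway credential for the ephemeral test container only. It is
      # committed in clear text, so it must never be reused for a real
      # deployment.
      SALTAPI_PASS: 4wesome-Pass0rd
      SALTAPI_EAUTH: pam
    steps:
      - name: Download Docker registry data from build job
        uses: actions/download-artifact@v2
        with:
          name: docker-registry-data
          path: ${{ env.REGISTRY_PATH }}

      - name: Enable Docker experimental
        run: |
          # Enable docker daemon experimental support.
          echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
          sudo systemctl restart docker
          # Install QEMU multi-architecture support for docker buildx.
          # NOTE(review): this runs an untagged third-party image with
          # --privileged; pin it by digest, or reuse docker/setup-qemu-action
          # as the build job does.
          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

      - name: Start Docker registry
        run: |
          docker run -d -p 5000:5000 -v "${REGISTRY_PATH}:/var/lib/registry" --name registry registry:2

      - name: Docker inspect
        run: docker buildx imagetools inspect "${IMAGE_NAME}"

      - name: Import Docker images
        env:
          PLATFORM: ${{ matrix.platform }}
        run: docker pull --platform "${PLATFORM}" "${IMAGE_NAME}"

      - name: Launch docker container
        run: |
          # Create configuration files
          mkdir -p config/
          cat > config/salt-api.conf <<EOF
          external_auth:
            ${SALTAPI_EAUTH}:
              ${SALTAPI_USER}:
                - .*
                - '@runner'
                - '@wheel'
                - '@jobs'
          EOF
          # Run test instance.
          # Values are read from the step environment instead of being
          # expanded by `${{ }}` into the script text, so they can never be
          # parsed as shell syntax.
          docker run --rm --detach --name saltstack_master \
            --publish 4505:4505 --publish 4506:4506 --publish 8000:8000 \
            --env 'SALT_API_SERVICE_ENABLED=true' \
            --env "SALT_API_USER_PASS=${SALTAPI_PASS}" \
            --volume "$(pwd)/config/:/home/salt/data/config/" \
            "${IMAGE_NAME}"

      - name: Show container info
        run: docker container ls

      - name: Wait for salt-master bootup
        run: sleep 20

      - name: Show salt versions
        run: docker exec saltstack_master salt --versions

      - name: Test image calling healthcheck
        run: docker exec saltstack_master /usr/local/sbin/healthcheck

      - name: Test salt-api authentication
        id: salt_api_auth
        run: |
          # -k skips TLS verification: acceptable only because the target is
          # the local test container, which presumably serves a self-signed
          # certificate.
          SALTAPI_TOKEN=$(curl -sSk https://localhost:8000/login \
            -H 'Accept: application/x-yaml' \
            -d "username=${SALTAPI_USER}" \
            -d "password=${SALTAPI_PASS}" \
            -d "eauth=${SALTAPI_EAUTH}" | grep 'token:' | cut -d' ' -f 4)
          [ -n "${SALTAPI_TOKEN}" ] || exit 1
          # Keep the session token out of the job log.
          echo "::add-mask::${SALTAPI_TOKEN}"
          # The `::set-output` workflow command is deprecated; write the
          # output to the file the runner provides instead.
          echo "token=${SALTAPI_TOKEN}" >> "${GITHUB_OUTPUT}"

      - name: Test salt-api command
        env:
          # The token is server-supplied text: pass it as data, not as part
          # of the script.
          SALTAPI_TOKEN: ${{ steps.salt_api_auth.outputs.token }}
        run: |
          curl -sSk https://localhost:8000 \
            -H 'Accept: application/x-yaml' \
            -H "X-Auth-Token: ${SALTAPI_TOKEN}" \
            -d client=runner \
            -d tgt='*' \
            -d fun=test.stream

      - name: Setup Python
        uses: actions/setup-python@v2
        with:
          # Quoted so the version is always read as a string, not a float.
          python-version: '3.8'

      # NOTE(review): unpinned install; consider pinning the salt-pepper
      # version so a new upstream release cannot change this job.
      - name: Install salt-pepper
        run: pip install salt-pepper

      - name: Test salt-pepper
        run: pepper --client runner test.stream

      - name: Cleanup
        run: |
          docker stop saltstack_master registry
          docker image rm "${IMAGE_NAME}"

  security-analysis:
    name: Security analysis
    runs-on: ubuntu-latest
    needs: build
    permissions:
      contents: read
      # Required by the SARIF upload step.
      security-events: write
    steps:
      - name: Download Docker registry data from build job
        uses: actions/download-artifact@v2
        with:
          name: docker-registry-data
          path: ${{ env.REGISTRY_PATH }}

      - name: Enable Docker experimental
        run: |
          # Enable docker daemon experimental support.
          echo '{"experimental": true}' | sudo tee /etc/docker/daemon.json
          sudo systemctl restart docker
          # Install QEMU multi-architecture support for docker buildx.
          # NOTE(review): untagged third-party image run with --privileged;
          # pin it by digest.
          docker run --rm --privileged multiarch/qemu-user-static --reset -p yes

      - name: Start Docker registry
        run: |
          docker run -d -p 5000:5000 -v "${REGISTRY_PATH}:/var/lib/registry" --name registry registry:2

      - name: Import Docker images
        run: |
          RETRY_MAX=5
          pulled=false
          for i in $(seq 1 "${RETRY_MAX}"); do
            if [ "$i" != "1" ]; then
              echo "Retrying docker pull"
            fi
            rc=0
            docker pull --platform linux/amd64 "${IMAGE_NAME}" || rc=$?
            if [ "${rc}" -eq 0 ]; then
              pulled=true
              break
            fi
            echo "Command failed with code ${rc}"
          done
          # Fail the step when every attempt failed. Previously the loop
          # ended on a successful `echo`, so the step passed even though no
          # image had been pulled for scanning.
          [ "${pulled}" = "true" ] || exit 1

      # NOTE(review): `@master` is a moving branch of a third-party action
      # that runs inside this job; pin it to a reviewed commit SHA.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE_NAME }}
          format: 'template'
          template: '@/contrib/sarif.tpl'
          output: 'trivy-results.sarif'
          # Lower severities are not reported.
          severity: 'HIGH,CRITICAL'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v1
        with:
          sarif_file: 'trivy-results.sarif'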