Skip to content

feat: Add SBOM generation and vulnerability scanning in workflows #63

feat: Add SBOM generation and vulnerability scanning in workflows

feat: Add SBOM generation and vulnerability scanning in workflows #63

name: Test build stream-sprout 🚧
on:
pull_request:
branches:
- main
paths:
- .github/workflows/*.yml
- stream-sprout
- debian/**
- flake.nix
- package.nix
- Containerfile
- snap/snapcraft.yaml
push:
branches:
- main
paths:
- .github/workflows/*.yml
- stream-sprout
- debian/**
- flake.nix
- package.nix
- Containerfile
- snap/snapcraft.yaml
workflow_dispatch:
# TODO: arm64 runner
# https://github.blog/changelog/2024-06-03-actions-arm-based-linux-and-windows-runners-are-now-in-public-beta/
jobs:
test-deb-build:
runs-on: ubuntu-24.04
steps:
- name: "Checkout 🥡"
uses: actions/checkout@v4
- name: "Build & Test .deb 🍥"
env:
DEBFULLNAME: "Martin Wimpress"
DEBEMAIL: "code@wimpress.io"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: |
sudo apt-get -y update
sudo apt-get -y install debhelper devscripts
REL_VER=$(grep "^readonly VERSION" stream-sprout | cut -d'"' -f2)
rm debian/changelog
dch --package stream-sprout --newversion="${REL_VER}-1" --distribution=unstable "New upstream release." --create
dpkg-buildpackage --build=binary --no-check-builddeps --compression=gzip
sudo apt-get -y install ../stream-sprout_${REL_VER}-1_all.deb
test-nix-build:
runs-on: ubuntu-24.04
permissions:
id-token: "write"
contents: "read"
steps:
- name: "Checkout 🥡"
uses: "actions/checkout@v4"
- name: "Install Nix ❄️"
uses: "DeterminateSystems/nix-installer-action@v13"
- name: "Enable Magic Nix Cache 🪄"
uses: "DeterminateSystems/magic-nix-cache-action@v7"
- name: "Build & Test .nix ❄️"
run: |
nix build .#stream-sprout
tree ./result
test-container-build:
runs-on: ubuntu-24.04
steps:
- name: "Checkout 🥡"
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Container Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Get stream-sprout version 🔢
id: get_version
run: |
STREAM_SPROUT_VER=$(grep "^readonly VERSION" stream-sprout | cut -d'"' -f2)
echo "STREAM_SPROUT_VER=$STREAM_SPROUT_VER" >> $GITHUB_ENV
- name: "Build Container 🐋"
uses: docker/build-push-action@v6
with:
context: .
file: ./Containerfile
push: false
tags: |
ghcr.io/${{ github.repository }}:latest-alpine
ghcr.io/${{ github.repository }}:${{ env.STREAM_SPROUT_VER }}-alpine
ghcr.io/${{ github.repository }}:${{ github.sha }}-alpine
platforms: linux/amd64, linux/arm64
- name: Logout from Container Registry
run: docker logout ghcr.io
test-snap-build:
runs-on: ubuntu-24.04
steps:
- name: Checkout 🥡
uses: actions/checkout@v4
- name: Build snap 🐊
uses: snapcore/action-build@v1
id: snapcraft
- name: Show log 🪵
if: ${{ failure() }}
run: |
cat /home/runner/.local/state/snapcraft/log/snapcraft*.log
- name: Review snap 🕵️
uses: diddlesnaps/snapcraft-review-action@v1
with:
snap: ${{ steps.snapcraft.outputs.snap }}
isClassic: false
- name: Upload artifacts ⤴️
uses: actions/upload-artifact@v2
with:
name: stream-sprout-snap
path: ${{ steps.snapcraft.outputs.snap}}