github actions satt opp

Rapporteket · Jan 27, 2025 · cf22705 · cf22705
1 parent 4192819
commit cf22705
Show file tree

Hide file tree

Showing 3 changed files with 170 additions and 0 deletions.
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -0,0 +1,59 @@
+name: Publish Docker image
+on:
+  release:
+    types: [published]
+  push:
+    branches: [ "main", "nhn" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '0 21 * * 6' # run every Saturday at 21
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  push_to_registries:
+    name: Push Docker image to docker hub
+    runs-on: ubuntu-latest
+    env:
+      IMAGE_NAME: ${{ github.repository }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: R setup
+        uses: r-lib/actions/setup-r@v2
+      - name: Build package (tarball)
+        run: R CMD build .
+      - name: Lint Dockerfile
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: "Dockerfile"
+      - name: Prepare tags
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=schedule,pattern=weekly
+            type=semver,pattern={{major}}.{{minor}}.{{patch}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to DockerHub
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+      - name: Build image and push to Docker Hub
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          push: ${{ github.event_name != 'pull_request' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+          build-args: GH_PAT=${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/harbor.yaml b/.github/workflows/harbor.yaml
@@ -0,0 +1,58 @@
+name: Publish Docker image to Harbor
+on:
+  release:
+    types: [published]
+  push:
+    branches:
+        - main
+  pull_request:
+    branches:
+        - main
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  build:
+    name: Push Docker image to Harbor
+    runs-on: ubuntu-latest
+    env:
+        IMAGE_NAME: ${{ github.repository }}
+    steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+      - name: Lint Dockerfile
+        uses: hadolint/[email protected]
+        with:
+          dockerfile: "Dockerfile"
+      - name: R setup
+        uses: r-lib/actions/setup-r@v2
+      - name: Build package (tarball)
+        run: R CMD build .
+      - name: Prepare tags
+        id: docker_meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          flavor: |
+            latest=false
+          tags: |
+            type=ref,event=branch
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+      - name: Login to Harbor
+        if: github.event_name == 'release'
+        run: |
+          echo ${{ secrets.HARBOR_PASSWORD }} | docker login --username ${{ secrets.HARBOR_USERNAME }} --password-stdin ${{ secrets.HARBOR_REGISTRY }}
+      - name: Build image and push to Harbor
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          file: ./Dockerfile
+          tags: ${{ secrets.HARBOR_REGISTRY }}/${{ steps.docker_meta.outputs.tags }}
+          push: ${{ github.event_name == 'release' }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
diff --git a/.github/workflows/snyk.yml b/.github/workflows/snyk.yml
@@ -0,0 +1,53 @@
+name: Snyk Container
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+  schedule:
+    - cron: '30 22 * * 5'
+
+jobs:
+  snyk:
+    runs-on: ubuntu-latest
+    name: norgast-snyk
+    steps:
+    - uses: actions/checkout@v4
+    - name: R setup
+      uses: r-lib/actions/setup-r@v2
+    - name: Build package (tarball)
+      run: R CMD build .
+    - name: Build docker image
+      run: docker build -t norgast-snyk .
+    - name: Run Snyk to check Docker image for vulnerabilities
+      # Snyk can be used to break the build when it detects vulnerabilities.
+      # In this case we want to upload the issues to GitHub Code Scanning
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high
+    - name: Upload result to GitHub Code Scanning
+      uses: github/codeql-action/upload-sarif@v3
+      with:
+        sarif_file: snyk.sarif
+    - name: Monitor image in Snyk UI
+      continue-on-error: true
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        command: monitor
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high --org=b034af62-43be-40c7-95e8-fdc56d6f3092
+    - name: Accept only vulnerability levels below high 
+      continue-on-error: false
+      uses: snyk/actions/docker@master
+      env:
+        SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+      with:
+        image: norgast-snyk
+        args: --file=Dockerfile --severity-threshold=high