diff --git a/.docker/prod-oldstable.Dockerfile b/.docker/prod-oldstable.Dockerfile index d43da964e..470e6f5e1 100644 --- a/.docker/prod-oldstable.Dockerfile +++ b/.docker/prod-oldstable.Dockerfile @@ -34,17 +34,21 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge libpopt0 \ libcurl4-gnutls-dev \ libcurl4 \ - libcgreen1-dev \ + # libcgreen1-dev \ libhiredis-dev \ libkrb5-dev \ && rm -rf /var/lib/apt/lists/* +RUN curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.3.tar.gz -k +RUN tar -xzf cgreen.tar.gz && cd cgreen-1.6.3 +RUN make install +RUN ldconfig COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source RUN DESTDIR=/install cmake --build /build -- install +# TODO: add rust? FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION} -ARG TARGETPLATFORM RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \ bison \ libglib2.0-0 \ @@ -75,11 +79,6 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge zlib1g\ && rm -rf /var/lib/apt/lists/* COPY .docker/openvas.conf /etc/openvas/ -# must be pre built within the rust dir and moved to the bin dir -# usually this image is created within in a ci ensuring that the -# binary is available. -COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl -RUN chmod +x /usr/local/bin/scannerctl COPY --from=build /install/ / COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/ diff --git a/.docker/prod-testing.Dockerfile b/.docker/prod-testing.Dockerfile index c3175e2ed..1f3a51273 100644 --- a/.docker/prod-testing.Dockerfile +++ b/.docker/prod-testing.Dockerfile 
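Review bot: The added `curl ... -k` download of cgreen 1.6.3 skips TLS certificate verification and the archive is never checked against a known digest, so the build stage compiles and installs whatever the network returns. The `cd cgreen-1.6.3` in the `tar` step also does not carry over to the next `RUN`, so `make install` and `ldconfig` run in the stage's previous working directory rather than in the unpacked tree. Fold the four steps into one `RUN`, drop `-k` (adding `ca-certificates` to the apt-get list above if that is why it was needed; the start of that list is outside the hunk), and verify a pinned SHA-256 before unpacking. The same `-k` download without a checksum is kept in `.github/install-openvas-dependencies.sh`.

```dockerfile
# … unchanged: apt-get install list …
RUN curl -fsSL -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.3.tar.gz \
    && echo "<SHA256_OF_CGREEN_1.6.3_TARBALL>  cgreen.tar.gz" | sha256sum -c - \
    && tar -xzf cgreen.tar.gz \
    && make -C cgreen-1.6.3 install \
    && ldconfig \
    && rm -rf cgreen.tar.gz cgreen-1.6.3
```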
@@ -4,6 +4,7 @@ ARG REPOSITORY=greenbone/openvas-scanner ARG GVM_LIBS_VERSION=testing-edge FROM greenbone/openvas-smb:testing-edge AS openvas-smb +FROM rust AS rust FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION} AS build COPY . /source @@ -42,8 +43,17 @@ COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source RUN DESTDIR=/install cmake --build /build -- install +COPY --from=rust /usr/local/cargo/ /usr/local/cargo/ +COPY --from=rust /usr/local/rustup/ /usr/local/rustup/ +ENV RUSTUP_HOME=/usr/local/rustup \ + CARGO_HOME=/usr/local/cargo \ + PATH=/usr/local/cargo/bin:$PATH +RUN apt update && apt install -y ca-certificates +RUN cargo build --release +RUN cp target/release/openvasd /install/usr/local/bin +RUN cp target/release/scannerctl /install/usr/local/bin + FROM registry.community.greenbone.net/community/gvm-libs:${GVM_LIBS_VERSION} -ARG TARGETPLATFORM RUN apt-get update RUN apt-get install --no-install-recommends --no-install-suggests -y \ bison \ @@ -76,11 +86,6 @@ RUN apt-get install --no-install-recommends --no-install-suggests -y \ zlib1g RUN rm -rf /var/lib/apt/lists/* COPY .docker/openvas.conf /etc/openvas/ -# must be pre built within the rust dir and moved to the bin dir -# usually this image is created within in a ci ensuring that the -# binary is available. -COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl -RUN chmod +x /usr/local/bin/scannerctl COPY --from=build /install/ / COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/ diff --git a/.docker/prod.Dockerfile b/.docker/prod.Dockerfile index 029a162a2..81b0d373a 100644 --- a/.docker/prod.Dockerfile +++ b/.docker/prod.Dockerfile 
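Review bot: `FROM rust AS rust` has no tag or digest, so every build pulls whatever `rust:latest` currently is and copies its `/usr/local/cargo` and `/usr/local/rustup` into the stage that produces the shipped `openvasd` and `scannerctl`. Pin the toolchain image to a specific version, ideally with a digest, for example `FROM rust:<RUST_VERSION>-<DEBIAN_RELEASE>@sha256:<DIGEST> AS rust`, so the production binaries are reproducible and a changed upstream tag cannot silently alter them. The same untagged `FROM rust AS rust` is added in `.docker/prod.Dockerfile`.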
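Review bot: `RUN cargo build --release` is added without a `WORKDIR /source/rust`, which the matching hunk in `.docker/prod.Dockerfile` does add; unless the build stage's working directory is already the Rust workspace (not visible in this hunk), the build and the two `cp target/release/...` steps will not find the crate. The build also omits `--locked`, so a stale or missing `Cargo.lock` is silently re-resolved instead of failing the build; `RUN cargo build --release --locked` keeps the image tied to the reviewed lockfile, and the same applies to the `cargo build` line in `.docker/prod.Dockerfile`. `RUN apt update && apt install -y ca-certificates` would be better as `apt-get update && apt-get install -y --no-install-recommends ca-certificates`, consistent with the other install steps.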
@@ -2,6 +2,7 @@ ARG VERSION=edge # this allows to work on forked repository ARG REPOSITORY=greenbone/openvas-scanner +FROM rust AS rust FROM greenbone/openvas-smb AS openvas-smb FROM registry.community.greenbone.net/community/gvm-libs:${VERSION} AS build @@ -10,9 +11,20 @@ RUN sh /source/.github/install-openvas-dependencies.sh COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ RUN cmake -DCMAKE_BUILD_TYPE=Release -DINSTALL_OLD_SYNC_SCRIPT=OFF -B/build /source RUN DESTDIR=/install cmake --build /build -- install +WORKDIR /source/rust +COPY --from=rust /usr/local/cargo/ /usr/local/cargo/ +COPY --from=rust /usr/local/rustup/ /usr/local/rustup/ +ENV RUSTUP_HOME=/usr/local/rustup \ + CARGO_HOME=/usr/local/cargo \ + PATH=/usr/local/cargo/bin:$PATH +RUN apt update && apt install -y ca-certificates +RUN cargo build --release +RUN cp target/release/openvasd /install/usr/local/bin +RUN cp target/release/scannerctl /install/usr/local/bin +# Do we want to copy feed verifier as well? +# RUN cp release/feed-verifier /install/bin FROM registry.community.greenbone.net/community/gvm-libs:${VERSION} -ARG TARGETPLATFORM RUN apt-get update && apt-get install --no-install-recommends --no-install-suggests -y \ bison \ libglib2.0-0 \ @@ -42,13 +54,11 @@ RUN apt-get update && apt-get install --no-install-recommends --no-install-sugge libssh-4 \ && rm -rf /var/lib/apt/lists/* COPY .docker/openvas.conf /etc/openvas/ + + # must be pre built within the rust dir and moved to the bin dir # usually this image is created within in a ci ensuring that the # binary is available. -COPY assets/$TARGETPLATFORM/scannerctl /usr/local/bin/scannerctl -COPY assets/$TARGETPLATFORM/openvasd /usr/local/bin/openvasd -RUN chmod +x /usr/local/bin/scannerctl -RUN chmod +x /usr/local/bin/openvasd COPY --from=build /install/ / COPY --from=openvas-smb /usr/local/lib/ /usr/local/lib/ COPY --from=openvas-smb /usr/local/bin/ /usr/local/bin/ 
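Review bot: The comment kept above `COPY --from=build /install/ /` in the last hunk still says the binary "must be pre built within the rust dir and moved to the bin dir", but this hunk removes the `COPY assets/$TARGETPLATFORM/...` lines it described, and the binaries now come from `cargo build` in the build stage. Replace it with something like `# openvasd and scannerctl are built in the build stage and arrive via /install`, and drop the two added blank lines.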
diff --git a/.github/actions/compile-aarch64/action.yml b/.github/actions/compile-aarch64/action.yml new file mode 100644 index 000000000..46400c365 --- /dev/null +++ b/.github/actions/compile-aarch64/action.yml @@ -0,0 +1,32 @@ +name: "Compile Rust aarch64" +runs: + using: "composite" + steps: + - uses: ./.github/actions/setup-rust + - run: cargo install cross || true + shell: bash + - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu + working-directory: rust + shell: bash + - name: "patch for debian stable" + working-directory: rust + run: | + find . -type f -name "scannerctl" + patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/scannerctl + patchelf --replace-needed libz.so libz.so.1 target/aarch64-unknown-linux-gnu/release/scannerctl + - run: mkdir assets/ + shell: bash + - run: mkdir -p assets/linux/arm64 + shell: bash + - run: mv rust/target/aarch64-unknown-linux-gnu/release/openvasd assets/linux/arm64/openvasd + shell: bash + - run: mv rust/target/aarch64-unknown-linux-gnu/release/scannerctl assets/linux/arm64/scannerctl + shell: bash + - run: mv rust/target/aarch64-unknown-linux-gnu/release/feed-verifier assets/linux/arm64/feed-verifier + shell: bash + - name: archive + uses: actions/upload-artifact@v4 + with: + name: rs-binaries + path: assets/* + retention-days: 1 diff --git a/.github/actions/compile-x86_64/action.yml b/.github/actions/compile-x86_64/action.yml new file mode 100644 index 000000000..edb2da700 --- /dev/null +++ b/.github/actions/compile-x86_64/action.yml 
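Review bot: The `patch for debian stable` step has `run:` but no `shell:`, which composite actions require for every `run` step; the x86_64 action sets `shell: bash` on the same step, so add it here. `cargo install cross || true` (also in `compile-x86_64`) installs an unpinned build tool and ignores a failed install; since these actions appear to produce the release binaries, prefer `cargo install cross --locked --version <CROSS_VERSION>` and let a real failure stop the job. Only `scannerctl` is passed to `patchelf`; if `openvasd` or `feed-verifier` link against libpcap or libz they would need the same treatment, which is worth confirming.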
@@ -0,0 +1,33 @@ +name: "Compile Rust x86_64" +runs: + using: "composite" + steps: + - uses: ./.github/actions/setup-rust + - run: cargo install cross || true + shell: bash + - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu + working-directory: rust + shell: bash + - name: "patch for debian stable" + working-directory: rust + shell: bash + run: | + find . -type f -name "scannerctl" + patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/x86_64-unknown-linux-gnu/release/scannerctl + patchelf --replace-needed libz.so libz.so.1 target/x86_64-unknown-linux-gnu/release/scannerctl + - run: mkdir assets/ + shell: bash + - run: mkdir -p assets/linux/amd64 + shell: bash + - run: mv rust/target/x86_64-unknown-linux-gnu/release/openvasd assets/linux/amd64/openvasd + shell: bash + - run: mv rust/target/x86_64-unknown-linux-gnu/release/scannerctl assets/linux/amd64/scannerctl + shell: bash + - run: mv rust/target/x86_64-unknown-linux-gnu/release/feed-verifier assets/linux/amd64/feed-verifier + shell: bash + - name: archive + uses: actions/upload-artifact@v4 + with: + name: rs-binaries + path: assets/* + retention-days: 1 diff --git a/.github/actions/setup-rust/action.yml b/.github/actions/setup-rust/action.yml index be188d042..21e5cf184 100644 --- a/.github/actions/setup-rust/action.yml +++ b/.github/actions/setup-rust/action.yml @@ -3,6 +3,15 @@ description: "Install necessary dependencies and set up Rust stable" runs: using: "composite" steps: + - uses: actions/cache@v4 + with: + path: | + ~/.cargo/bin/ + ~/.cargo/registry/index/ + ~/.cargo/registry/cache/ + ~/.cargo/git/db/ + rust/target/ + key: ${{ runner.os }}-cargo-${{ hashFiles('rust/Cargo.lock') }} - run: sudo apt update || true shell: bash - run: sudo apt-get install -y libpcap-dev diff --git a/.github/install-openvas-dependencies.sh b/.github/install-openvas-dependencies.sh index 1f80d8bf9..23670d2b1 100755 --- a/.github/install-openvas-dependencies.sh 
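Review bot: The cache added to `setup-rust` restores `~/.cargo/bin/` and `rust/target/` under a key derived only from the runner OS and `rust/Cargo.lock`, so executables and build outputs from an earlier run are reused by every job that calls this action, including the compile actions that upload `rs-binaries`. Consider adding the toolchain version and target to the key, and skipping the restore (or at least `rust/target/`) for release builds so shipped binaries come from a clean build. `hashFiles('rust/Cargo.lock')` also evaluates to an empty string if the action runs before checkout, so a comment such as `# requires actions/checkout to have run first` would help callers.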
+++ b/.github/install-openvas-dependencies.sh @@ -35,7 +35,7 @@ apt-get update && apt-get install --no-install-recommends --no-install-suggests libhiredis-dev \ && rm -rf /var/lib/apt/lists/* -curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.2.tar.gz -k -tar -xzf cgreen.tar.gz && cd cgreen-1.6.2 +curl -L -o cgreen.tar.gz https://github.com/cgreen-devs/cgreen/archive/refs/tags/1.6.3.tar.gz -k +tar -xzf cgreen.tar.gz && cd cgreen-1.6.3 make install ldconfig diff --git a/.github/prepare-feed.sh b/.github/prepare-feed.sh index c64963687..9c1802eab 100644 --- a/.github/prepare-feed.sh +++ b/.github/prepare-feed.sh @@ -4,7 +4,7 @@ # workflow. [ -z $FEED_DIR ] && FEED_DIR="/var/lib/openvas/plugins" DOCKER_CMD=docker -FEED_IMAGE="greenbone/vulnerability-tests" +FEED_IMAGE="registry.community.greenbone.net/community/vulnerability-tests" set -e printf "Copying feed $FEED_IMAGE " FEED_VERSION=$($DOCKER_CMD run --rm $FEED_IMAGE sh -c 'ls /var/lib/openvas/' | sort -r | head -n 1) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index c06118f2c..65ff32e1a 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml 
@@ -19,42 +19,10 @@ jobs: runs-on: "ubuntu-latest" steps: - uses: actions/checkout@v4 - - uses: actions/cache@v4 - with: - path: | - ~/.cargo/bin/ - ~/.cargo/registry/index/ - ~/.cargo/registry/cache/ - ~/.cargo/git/db/ - rust/target/ - key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }} - - run: rustup update stable && rustup default stable - # ignore failing install, it may already be installed - - run: cargo install cross || true - - run: CROSS_CONFIG=Cross.toml cross -v build --release --target aarch64-unknown-linux-gnu + - uses: ./.github/actions/setup-rust + # we just check if it is compilable, the actual compilation is now done in: + # - in the Dockefiles + # - in functional.yml (x86_64) only + # - in release.yml (aarch64, x86_64) + - run: cargo check working-directory: rust - - run: CROSS_CONFIG=Cross.toml cross build --release --target x86_64-unknown-linux-gnu - working-directory: rust - - name: "patch for debian stable" - working-directory: rust - run: | - find . -type f -name "scannerctl" - patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/aarch64-unknown-linux-gnu/release/scannerctl - patchelf --replace-needed libpcap.so.1 libpcap.so.0.8 target/x86_64-unknown-linux-gnu/release/scannerctl - patchelf --replace-needed libz.so libz.so.1 target/aarch64-unknown-linux-gnu/release/scannerctl - patchelf --replace-needed libz.so libz.so.1 target/x86_64-unknown-linux-gnu/release/scannerctl - - run: mkdir assets/ - - run: mkdir -p assets/linux/amd64 - - run: mkdir -p assets/linux/arm64 - - run: mv rust/target/aarch64-unknown-linux-gnu/release/openvasd assets/linux/arm64/openvasd - - run: mv rust/target/x86_64-unknown-linux-gnu/release/openvasd assets/linux/amd64/openvasd - - run: mv rust/target/aarch64-unknown-linux-gnu/release/scannerctl assets/linux/arm64/scannerctl - - run: mv rust/target/x86_64-unknown-linux-gnu/release/scannerctl assets/linux/amd64/scannerctl - - run: mv rust/target/aarch64-unknown-linux-gnu/release/feed-verifier 
assets/linux/arm64/feed-verifier - - run: mv rust/target/x86_64-unknown-linux-gnu/release/feed-verifier assets/linux/amd64/feed-verifier - - name: archive - uses: actions/upload-artifact@v4 - with: - name: rs-binaries - path: assets/* - retention-days: 1 diff --git a/.github/workflows/control.yml b/.github/workflows/control.yml index 66c02d748..300ca871e 100644 --- a/.github/workflows/control.yml +++ b/.github/workflows/control.yml @@ -75,15 +75,14 @@ jobs: name: unit-tests uses: ./.github/workflows/tests.yml build: - needs: [unittests] uses: ./.github/workflows/build.yml linting: uses: ./.github/workflows/linting.yml functional: - needs: [build] + needs: [unittests, build] uses: ./.github/workflows/functional.yaml container: - needs: [build, init, functional] + needs: [build, init] uses: ./.github/workflows/push-container.yml secrets: dockerhub_user: ${{ secrets.DOCKERHUB_USERNAME }} diff --git a/.github/workflows/functional.yaml b/.github/workflows/functional.yaml index 46e67782f..c87e01717 100644 --- a/.github/workflows/functional.yaml +++ b/.github/workflows/functional.yaml @@ -22,9 +22,14 @@ jobs: - run: docker run --rm test ldd /usr/local/sbin/openvas - run: docker run --rm test ldd /usr/local/sbin/openvas | grep libopenvas_wmiclient - run: docker rmi test || true - # TESTS that are possible before pushing an image + build-rs: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./.github/actions/compile-x86_64 tests: runs-on: ubuntu-latest + needs: [build-rs] services: redis: image: redis diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml index 78d2cdd40..add88ebb5 100644 --- a/.github/workflows/linting.yml +++ b/.github/workflows/linting.yml @@ -28,7 +28,7 @@ jobs: steps: - uses: actions/checkout@v4 - uses: ./.github/actions/setup-rust - - run: cargo install typos-cli + - run: cargo install typos-cli || true - run: typos Rust-Audit: runs-on: ubuntu-latest 
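Review bot: In `control.yml`, `container` now needs only `[build, init]`, and `build` no longer needs `unittests`, so images can be built and pushed without the unit or functional tests having passed; `build.yml` itself is reduced to `cargo check` in this commit. If publishing should stay gated on tests, keep `needs: [build, init, functional]` on `container` (functional already waits for `unittests` and `build`).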
@@ -37,7 +37,7 @@ jobs: working-directory: rust steps: - uses: actions/checkout@v4 - - run: cargo install cargo-audit + - run: cargo install cargo-audit || true - run: cargo audit License-Headers: runs-on: ubuntu-latest diff --git a/.github/workflows/push-container-oldstable.yml b/.github/workflows/push-container-oldstable.yml index dddb33621..c859f38d0 100644 --- a/.github/workflows/push-container-oldstable.yml +++ b/.github/workflows/push-container-oldstable.yml 
@@ -17,45 +17,30 @@ on: jobs: debian_oldstable: - name: debian:oldstable - runs-on: ubuntu-latest + name: ghcr:debian:oldstable + runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 + - name: Checkout repository + uses: actions/checkout@v4 + - name: Container build and push 3rd gen + id: build-and-push + uses: greenbone/actions/container-build-push-generic@v3 with: - name: rs-binaries - path: assets - - name: "Set labels and tags" - id: old_stable_meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }} - labels: | + build-docker-file: .docker/prod.Dockerfile + build-args: | + REPOSITORY=${{ github.repository }} + cosign-key: ${{ secrets.cosign_key_opensight }} + cosign-key-password: ${{ secrets.cosign_password_opensight }} + # The tlog function does not currently support an ed25519 key. + cosign-tlog-upload: "false" + image-labels: | org.opencontainers.image.vendor=Greenbone org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | - # for the images provided for debian:oldstable we just provide - # oldstable on an new version or oldstable-edge when it is on main. - # oldstable-branch-sha on a branch + image-tags: | type=raw,value=oldstable,enable=${{ inputs.is_latest_tag }} type=raw,value=oldstable-edge,enable=${{ github.ref_name == 'main' }} type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }} type=ref,event=pr - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.dockerhub_user }} - password: ${{ secrets.dockerhub_token }} - - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }} - file: .docker/prod-oldstable.Dockerfile - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.old_stable_meta.outputs.tags }} - labels: ${{ steps.old_stable_meta.outputs.labels }} + registry: ${{ vars.IMAGE_REGISTRY }} + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/push-container-testing.yml b/.github/workflows/push-container-testing.yml index 80532c320..d17a463e7 100644 --- a/.github/workflows/push-container-testing.yml +++ b/.github/workflows/push-container-testing.yml 
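Review bot: `build-docker-file: .docker/prod.Dockerfile` makes the oldstable job build the stable Dockerfile; the removed step used `file: .docker/prod-oldstable.Dockerfile`, so the `oldstable*` tags would be published from the wrong base. Use `build-docker-file: .docker/prod-oldstable.Dockerfile` here, and `.docker/prod-testing.Dockerfile` in `push-container-testing.yml`, which has the same line. The removed steps also restricted pushing to non-PR events on tags or `main` and built `linux/amd64,linux/arm64`; neither constraint is visible in the new step, so confirm that `container-build-push-generic` applies an equivalent push guard. Note too that `prod-oldstable.Dockerfile` no longer ships `scannerctl` after this commit (its `COPY` is removed and the Rust build is still a TODO).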
@@ -16,46 +16,32 @@ on: required: true jobs: + # TODO: do we need to push or is building enough? debian_testing: - name: debian:testing - runs-on: ubuntu-latest + name: ghcr:debian:testing + runs-on: "ubuntu-latest" steps: - - uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 + - name: Checkout repository + uses: actions/checkout@v4 + - name: Container build and push 3rd gen + id: build-and-push + uses: greenbone/actions/container-build-push-generic@v3 with: - name: rs-binaries - path: assets - - name: "Set labels and tags" - id: test_meta - uses: docker/metadata-action@v5 - with: - images: ${{ github.repository }} - labels: | + build-docker-file: .docker/prod.Dockerfile + build-args: | + REPOSITORY=${{ github.repository }} + cosign-key: ${{ secrets.cosign_key_opensight }} + cosign-key-password: ${{ secrets.cosign_password_opensight }} + # The tlog function does not currently support an ed25519 key. + cosign-tlog-upload: "false" + image-labels: | org.opencontainers.image.vendor=Greenbone org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | - # for the images provided for debian:testing we just provide - # testing on an new version or testing-edge when it is on main. - # testing-branch-sha on a branch + image-tags: | type=raw,value=testing,enable=${{ inputs.is_latest_tag }} type=raw,value=testing-edge,enable=${{ github.ref_name == 'main' }} type=raw,value=testing-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }} type=ref,event=pr - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.dockerhub_user }} - password: ${{ secrets.dockerhub_token }} - - name: Build and push Container image - uses: docker/build-push-action@v6 - with: - context: . 
- push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }} - file: .docker/prod-testing.Dockerfile - platforms: linux/amd64,linux/arm64 - tags: ${{ steps.test_meta.outputs.tags }} - labels: ${{ steps.test_meta.outputs.labels }} + registry: ${{ vars.IMAGE_REGISTRY }} + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} diff --git a/.github/workflows/push-container.yml b/.github/workflows/push-container.yml index dbad106eb..45db1d7fc 100644 --- a/.github/workflows/push-container.yml +++ b/.github/workflows/push-container.yml @@ -41,26 +41,29 @@ permissions: pull-requests: write jobs: - debian_stable: - name: debian:stable - runs-on: ubuntu-latest + + debian_stable_arm64: + name: ghcr:debian:stable:arm64 + runs-on: self-hosted-generic-arm64 steps: - - name: Checkout + - name: Checkout repository uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 - with: - name: rs-binaries - path: assets - - name: "Set labels and tags" - id: meta - uses: docker/metadata-action@v5 + - name: Container build and push 3rd gen + id: build-and-push + uses: greenbone/actions/container-build-push-generic@v3 with: - images: ${{ github.repository }} - labels: | + image-platforms: linux/arm64 + build-docker-file: .docker/prod.Dockerfile + build-args: | + REPOSITORY=${{ github.repository }} + cosign-key: ${{ secrets.cosign_key_opensight }} + cosign-key-password: ${{ secrets.cosign_password_opensight }} + # The tlog function does not currently support an ed25519 key. + cosign-tlog-upload: "false" + image-labels: | org.opencontainers.image.vendor=Greenbone org.opencontainers.image.base.name=greenbone/gvm-libs - flavor: latest=false # no auto latest container tag for git tags - tags: | + image-tags: | # when IS_LATEST_TAG is set create a stable and a latest tag type=raw,value=latest,enable=${{ inputs.is_latest_tag }} type=raw,value=stable,enable=${{ inputs.is_latest_tag }} 
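Review bot: In `push-container.yml`, `runs-on: self-hosted-generic-arm64` moves an image build that executes repository code (`COPY . /source`, `cargo build` in `.docker/prod.Dockerfile`) onto a self-hosted runner, and the `type=ref,event=pr` tag further down suggests the job also runs for pull requests. Unless that runner is ephemeral and isolated, a pull request can leave state behind on a machine that later handles `cosign-key` and the registry token, so restrict the job with something like `if: github.event_name != 'pull_request'` or document the runner's isolation. This job and `debian_stable` also appear to push the same tags for different platforms; whether the action merges them into one multi-arch manifest is not visible here and should be confirmed.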
@@ -73,37 +76,16 @@ jobs: type=raw,value={{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }} # use pr-$PR_ID for pull requests (will not be uploaded) type=ref,event=pr - - name: Login to DockerHub - if: github.event_name != 'pull_request' - uses: docker/login-action@v3 - with: - username: ${{ secrets.dockerhub_user }} - password: ${{ secrets.dockerhub_token }} - - - uses: docker/setup-qemu-action@v3 - - uses: docker/setup-buildx-action@v3 - - name: Build and push - uses: docker/build-push-action@v6 - with: - context: . - push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }} - file: .docker/prod.Dockerfile - build-args: | - REPOSITORY=${{ github.repository }} - platforms: linux/amd64,linux/aarch64 - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - - ghcr_debian_stable: + registry: ${{ vars.IMAGE_REGISTRY }} + registry-username: ${{ github.actor }} + registry-password: ${{ secrets.GITHUB_TOKEN }} + + debian_stable: name: ghcr:debian:stable runs-on: "ubuntu-latest" steps: - name: Checkout repository uses: actions/checkout@v4 - - uses: actions/download-artifact@v4 - with: - name: rs-binaries - path: assets - name: Container build and push 3rd gen id: build-and-push uses: greenbone/actions/container-build-push-generic@v3 @@ -145,8 +127,6 @@ jobs: image-labels: | org.opencontainers.image.vendor=Greenbone org.opencontainers.image.base.name=greenbone/gvm-libs - artifact-name: rs-binaries - artifact-path: assets service: openvas-scanner secrets: COSIGN_KEY_OPENSIGHT: ${{ secrets.cosign_key_opensight }}