fix: Dockerfile to reduce vulnerabilities #18
name: CI

# About steps requiring the GITGUARDIAN_API_KEY:
#
# For security reasons, secrets are not available when a workflow is triggered by a pull request from a fork. This
# causes all steps requiring the GITGUARDIAN_API_KEY to fail. To avoid this, we skip those steps when we are triggered
# by a pull request from a fork. The guard used below is `github.event.pull_request.head.repo.fork`; on `push` events
# there is no `pull_request` payload, so the expression is empty (falsy) and the secret-backed steps run normally.
#
# NOTE(review): no top-level `permissions:` block is declared, so every job inherits the repository's default
# GITHUB_TOKEN scopes. A top-level `permissions: contents: read` with per-job grants (e.g. `packages: write` for the
# job that pushes to GitHub Packages) would be the least-privilege layout.

# `on` is a YAML 1.1 boolean keyword; GitHub's loader accepts it as a key, but yamllint's `truthy` rule must be
# disabled for it.
on:
  pull_request:
  push:
    branches:
      - '*'
    tags-ignore:
      - '*'
    # Documentation-only changes do not trigger push builds.
    paths-ignore:
      - 'doc/**'
      - 'README.md'

jobs:
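lint:
  name: Lint package
  runs-on: ubuntu-latest
  # Least privilege: nothing in this job writes to the repository or to packages.
  permissions:
    contents: read
  steps:
    # NOTE(review): third-party actions are referenced by floating major tags (@v4, @v5, ...). Pinning each `uses:`
    # to a full commit SHA (with the tag kept in a trailing comment) removes the tag-mutation supply-chain risk.
    - uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Set up Python 3.8
      uses: actions/setup-python@v5
      with:
        # Quoted on purpose: an unquoted version is parsed as a YAML float (3.10 would become 3.1).
        python-version: '3.8'
    - name: Install dependencies
      # pipenv itself is pinned; `--skip-lock` means the dev dependencies are resolved fresh (unpinned) on every run.
      run: |
        python -m pip install --upgrade pip
        python -m pip install pipenv==2023.10.3 pre-commit
        pipenv install --dev --skip-lock
    - uses: actions/cache@v3
      with:
        path: ~/.cache/pre-commit
        key: pre-commit|${{ env.pythonLocation }}|${{ hashFiles('.pre-commit-config.yaml') }}
    - name: Install pre-commit hooks
      run: pre-commit install --install-hooks
    - name: Skip ggshield hooks when running from a fork
      # See note about steps requiring the GITGUARDIAN_API at the top of this file
      if: ${{ github.event.pull_request.head.repo.fork }}
      run: |
        echo "SKIP=ggshield,ggshield-local" >> $GITHUB_ENV
    - name: Run pre-commit checks
      run: |
        pre-commit run --show-diff-on-failure --all-files
      env:
        # Empty on fork PRs; the ggshield hooks are skipped there via SKIP above.
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
    - name: Check commit messages
      if: github.event_name == 'pull_request'
      run: |
        # GITHUB_REF is refs/pull/<n>/merge here; fetch the PR head rather than the synthetic merge commit.
        PR_REF="${GITHUB_REF%/merge}/head"
        git fetch origin "$PR_REF"
        if git log --format=%s "origin/$GITHUB_BASE_REF..FETCH_HEAD" | grep '^fixup!' ; then
          echo 'Error: this pull request contains fixup commits. Squash them.'
          exit 1
        fi
        # In case `git log` fails: when the branch above is not taken, PIPESTATUS[0] still holds the exit status
        # of the `git log` half of that pipeline (grep's non-match status is deliberately ignored).
        exit "${PIPESTATUS[0]}"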
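build:
  name: Build and Test
  runs-on: ${{ matrix.os }}
  # Least privilege: `contents: read` is all checkout needs. The Codecov upload is best-effort
  # (`fail_ci_if_error: false`), so a tighter token cannot fail this job.
  permissions:
    contents: read
  env:
    # We skip pipenv lockfile by default, because a Pipfile.lock should only
    # be used for the Python version it was generated for. This also means the
    # dependency set is resolved fresh (unpinned) on every run for those versions.
    PIPENV_SKIP_LOCK: 1
  strategy:
    fail-fast: false
    matrix:
      os: [ubuntu-latest, macos-latest, windows-2022]
      # Quoted on purpose: an unquoted 3.10 would be parsed as the float 3.1.
      python-version: ['3.8', '3.9', '3.10', '3.11']
  steps:
    # NOTE(review): actions are referenced by floating major tags; pinning each `uses:` to a full commit SHA is the
    # usual hardening against tag mutation.
    - uses: actions/checkout@v4
      with:
        # Get enough commits to run `ggshield secret scan commit-range` on ourselves
        fetch-depth: 10
    - name: Set up Python ${{ matrix.python-version }}
      uses: actions/setup-python@v5
      with:
        python-version: ${{ matrix.python-version }}
    - name: Use Pipfile.lock on locked version of Python
      # Keep version in sync with scripts/update-pipfile-lock/Dockerfile
      if: matrix.python-version == '3.10'
      run: |
        echo "PIPENV_SKIP_LOCK=0" >> $GITHUB_ENV
    - name: Install dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install --upgrade pipenv==2023.10.3
        pipenv install --system --dev
        # Hack: workaround urllib3 still being installed on windows-2022 builder
        pip install --force-reinstall 'urllib3<2'
    - name: Install Windows dev dependencies
      if: matrix.os == 'windows-2022'
      run: |
        # Those are win32-only dependencies from pytest
        python -m pip install atomicwrites colorama
    - name: Override base Docker image used for functional tests on Windows
      if: matrix.os == 'windows-2022'
      # This is required because GitHub Windows runner is not configured to
      # run Linux-based Docker images
      shell: bash
      run: |
        echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
    - name: Ensure a clean package installation
      # NOTE(review): build/wheel/check-wheel-contents are unpinned here; the wheel check result can drift with them.
      run: |
        pip install build wheel check-wheel-contents
        python -m build --wheel
        # The created wheel (.whl) file will be found and analyzed within the `dist/` folder
        check-wheel-contents dist/
    - name: Run unit tests
      # --disable-socket: unit tests must not reach the network.
      run: |
        coverage run --source ggshield -m pytest --disable-pytest-warnings --disable-socket tests/unit
    - name: Gather coverage report
      run: |
        coverage report --fail-under=80
        coverage xml
    - uses: codecov/codecov-action@v3
      with:
        file: ./coverage.xml
        flags: unittests
        name: codecov-umbrella
        # A failed upload must not fail the build.
        fail_ci_if_error: false
    - name: Run functional tests
      # See note about steps requiring the GITGUARDIAN_API at the top of this file
      if: ${{ !github.event.pull_request.head.repo.fork }}
      shell: bash
      run: |
        make functest
      env:
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
        TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}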
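build-standalone:
  name: Standalone exe
  runs-on: ${{ matrix.os }}
  # Least privilege: this job reads the repository and uploads a run artifact; no GITHUB_TOKEN write scope is used.
  permissions:
    contents: read
  strategy:
    fail-fast: false
    matrix:
      os:
        - ubuntu-latest
        - macos-latest
        - windows-2022
        - macos-14
  steps:
    # NOTE(review): actions are referenced by floating major tags; pinning each `uses:` to a full commit SHA is the
    # usual hardening against tag mutation.
    - uses: actions/checkout@v4
      with:
        # Get enough commits to run `ggshield secret scan commit-range` on ourselves
        fetch-depth: 10
    - name: Set up Python 3.10
      # Same major as the other jobs in this workflow (they were out of step: this one still used @v4).
      uses: actions/setup-python@v5
      with:
        python-version: '3.10'
    - name: Install normal dependencies
      run: |
        python -m pip install --upgrade pip
        python -m pip install --upgrade pipenv==2023.10.3
        pipenv install --system --dev
      env:
        # Disable lock otherwise Windows-only dependencies like colorama are not installed
        PIPENV_SKIP_LOCK: 1
    - name: Install standalone-specific dependencies
      # NOTE(review): pyinstaller is unpinned, so the shipped standalone binary is built with whatever version is
      # current on the day of the run. Pin it (and review upgrades) for reproducible, auditable builds.
      run: |
        python -m pip install --upgrade pyinstaller
    - name: Build
      shell: bash
      run: |
        scripts/build-standalone-exe
    - name: Upload artifacts
      uses: actions/upload-artifact@v4
      with:
        name: ggshield-standalone-${{ matrix.os }}
        path: |
          dist/ggshield-standalone-*.gz
          dist/ggshield-standalone-*.zip
    - name: Override base Docker image used for functional tests on Windows
      if: matrix.os == 'windows-2022'
      # This is required because GitHub Windows runner is not configured to
      # run Linux-based Docker images
      shell: bash
      run: |
        echo "GGTEST_DOCKER_IMAGE=mcr.microsoft.com/windows/nanoserver:ltsc2022" >> $GITHUB_ENV
    - name: Functional tests
      shell: bash
      # See note about steps requiring the GITGUARDIAN_API at the top of this file
      if: ${{ !github.event.pull_request.head.repo.fork }}
      run: |
        scripts/build-standalone-exe functests
      env:
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
        TEST_KNOWN_SECRET: ${{ secrets.TEST_KNOWN_SECRET }}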
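build_packages:
  # This job ensures the build-packages script is tested on each build, not only at release time
  runs-on: ubuntu-latest
  # Least privilege: the job only reads the repository and uploads a run artifact.
  permissions:
    contents: read
  steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Full history is required for `git describe --tags` in the "Fake version number" step below.
        fetch-depth: 0
    # Warning: changes on this step should be reflected in workflows/tag.yml
    - name: Install packaging tools
      shell: bash
      run: |
        # --fail makes curl exit non-zero on an HTTP error instead of saving the error page as nfpm_amd64.deb.
        curl --fail --location https://github.com/goreleaser/nfpm/releases/download/v2.15.0/nfpm_amd64.deb -o nfpm_amd64.deb
        # TODO(security): the .deb is installed as root without integrity verification. Pin its expected sha256
        # in this file and check it (e.g. `echo "<sha256>  nfpm_amd64.deb" | sha256sum --check`) before dpkg -i.
        sudo dpkg -i nfpm_amd64.deb
        pip install shiv==1.0.1 build
    # Append the abbreviated git sha1 to the version number to avoid confusing
    # these packages with those produced at release time
    - name: Fake version number
      shell: bash
      run: |
        # "v1.2.3-5-gabcdef" -> "1.2.3+abcdef" (strip the leading v, turn the "-<n>-g" separator into a "+").
        version=$(git describe --tags | sed -e 's/^v//' -e 's/-[0-9]*-g/+/')
        echo "Set version number to '$version'"
        sed -i "s/__version__ = .*/__version__ = \"$version\"/" ggshield/__init__.py
    - name: Create packages
      shell: bash
      run: scripts/build-packages/build-packages
    # Make packages downloadable from the workflow page
    - name: Upload packages
      # NOTE(review): still on upload-artifact@v3 while build-standalone uses @v4. v3 is deprecated; moving to v4
      # is not done here because v4 artifacts are not readable by download-artifact@v3 consumers (e.g. tag.yml).
      uses: actions/upload-artifact@v3
      with:
        name: packages
        path: |
          dist
          packages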
test_github_secret_scan_action:
  name: Test GitHub action for `secret scan`
  # See note about steps requiring the GITGUARDIAN_API at the top of this file
  if: ${{ !github.event.pull_request.head.repo.fork }}
  runs-on: ubuntu-latest
  # NOTE(review): no `permissions:` is declared, so this job inherits the default GITHUB_TOKEN scopes. Checkout only
  # needs `contents: read`; presumably the local action needs nothing more (it is given only the GitGuardian
  # credentials and SHAs below) — confirm, then restrict.
  steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Full history so the action can walk the commit range described by the env below.
        fetch-depth: 0
    - name: Scan commits for hardcoded secrets
      # Exercises the in-repo (unstable) action rather than a published release.
      uses: ./actions-unstable/secret
      env:
        GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
        # NOTE(review): `github.event.base` — verify the event payload actually carries this field
        # (the push payload documents `base_ref`); an unset expression expands to an empty string.
        GITHUB_PUSH_BASE_SHA: ${{ github.event.base }}
        GITHUB_DEFAULT_BRANCH: ${{ github.event.repository.default_branch }}
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_iac_scan_action:
  name: Test GitHub action for `iac scan`
  # See note about steps requiring the GITGUARDIAN_API at the top of this file
  if: ${{ !github.event.pull_request.head.repo.fork }}
  runs-on: ubuntu-latest
  # NOTE(review): no `permissions:` is declared, so this job inherits the default GITHUB_TOKEN scopes. Checkout only
  # needs `contents: read`; presumably the local action needs nothing more — confirm, then restrict.
  steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Full history so the action can walk the commit range starting at GITHUB_PUSH_BEFORE_SHA.
        fetch-depth: 0
    - name: Scan commits for IaC vulnerabilities
      # Exercises the in-repo (unstable) action rather than a published release.
      uses: ./actions-unstable/iac
      with:
        # Scan the whole checkout.
        args: .
      env:
        GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
test_github_sca_scan_action:
  name: Test GitHub action for `sca scan`
  # See note about steps requiring the GITGUARDIAN_API at the top of this file
  if: ${{ !github.event.pull_request.head.repo.fork }}
  runs-on: ubuntu-latest
  # NOTE(review): no `permissions:` is declared, so this job inherits the default GITHUB_TOKEN scopes. Checkout only
  # needs `contents: read`; presumably the local action needs nothing more — confirm, then restrict.
  steps:
    - name: Checkout
      uses: actions/checkout@v4
      with:
        # Full history so the action can walk the commit range starting at GITHUB_PUSH_BEFORE_SHA.
        fetch-depth: 0
    - name: Scan commits for SCA vulnerabilities
      # Exercises the in-repo (unstable) action rather than a published release.
      uses: ./actions-unstable/sca
      with:
        # Scan the whole checkout.
        args: .
      env:
        GITHUB_PUSH_BEFORE_SHA: ${{ github.event.before }}
        GITGUARDIAN_API_KEY: ${{ secrets.GITGUARDIAN_API_KEY }}
        GITGUARDIAN_API_URL: ${{ secrets.GITGUARDIAN_API_URL }}
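dockerhub-unstable:
  name: Push Docker image to Docker Hub
  runs-on: ubuntu-latest
  # Only pushes to the `main` branch publish the unstable tag; PRs never reach this job.
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'
  # Least privilege: Docker Hub is authenticated with dedicated secrets, so GITHUB_TOKEN only needs to read the repo.
  permissions:
    contents: read
  needs:
    - lint
    - build
    - test_github_iac_scan_action
    - test_github_sca_scan_action
    - test_github_secret_scan_action
  steps:
    - name: Checkout
      uses: actions/checkout@v4
    - name: Build and push
      # NOTE(review): build-push-action@v1 is the legacy single-step action (login via username/password inputs);
      # current majors split login into docker/login-action and add provenance/SBOM attestation. Left at v1 here
      # because the newer inputs differ; migrate in a dedicated change and pin the action to a commit SHA.
      uses: docker/build-push-action@v1
      with:
        username: ${{ secrets.DOCKER_USERNAME }}
        password: ${{ secrets.DOCKER_PASSWORD }}
        repository: gitguardian/ggshield
        tags: unstable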
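github_packages-unstable:
  name: Push Docker image to GitHub Packages
  runs-on: ubuntu-latest
  # Only pushes to the `main` branch publish the unstable tag; PRs never reach this job.
  if: github.ref == 'refs/heads/main' && github.event_name == 'push'
  # Least privilege: the push below authenticates with GITHUB_TOKEN, so this job needs `packages: write` and
  # nothing beyond `contents: read` for checkout.
  permissions:
    contents: read
    packages: write
  needs:
    - lint
    - build
    - test_github_iac_scan_action
    - test_github_sca_scan_action
    - test_github_secret_scan_action
  steps:
    - name: Check out the repo
      uses: actions/checkout@v4
    - name: Push to GitHub Packages
      # NOTE(review): build-push-action@v1 is the legacy single-step action; see the Docker Hub job. Also,
      # docker.pkg.github.com is the legacy GitHub Packages Docker registry superseded by ghcr.io — kept as is
      # because switching changes the published image path.
      uses: docker/build-push-action@v1
      with:
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}
        registry: docker.pkg.github.com
        repository: gitguardian/ggshield/ggshield
        tags: unstable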