-
Notifications
You must be signed in to change notification settings - Fork 22
112 lines (93 loc) · 4.17 KB
/
ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
name: CI
on:
push:
branches:
- 'release/**'
pull_request:
env:
ALIAS_VERSION: '8.2'
VERSION_FOR_ALIAS: '8.2.20'
jobs:
ci:
name: Build PHP ${{ matrix.php-version }}
runs-on: ubuntu-latest
continue-on-error: true
strategy:
matrix:
php-version:
- '8.2.20'
- '8.2.19'
- '8.2.18'
- '8.2.17'
- '8.2.16'
- '8.2.15'
- '8.2.14'
- '8.2.13'
- '8.2.12'
- '8.2.11'
- '8.2.10'
- '8.2.9'
- '8.2.8'
- '8.2.7'
- '8.2.6'
- '8.2.5'
- '8.2.4'
- '8.2.3'
- '8.2.2'
- '8.2.1'
- '8.2.0'
steps:
- name: "Checkout code"
uses: actions/checkout@v2
- name: "Build Alpine"
run: ./build_alpine_version.sh ${{ matrix.php-version }}
- name: "Check Alpine -i"
run: docker run --rm -t exozet/php-fpm:${{ matrix.php-version }}-alpine php -i
- name: "Check Alpine -v"
run: docker run --rm -t exozet/php-fpm:${{ matrix.php-version }}-alpine php -v
- name: "Build standard"
run: ./build_version.sh ${{ matrix.php-version }}
- name: "Check Standard -i"
run: docker run --rm -t exozet/php-fpm:${{ matrix.php-version }} php -i
- name: "Check Standard -v"
run: docker run --rm -t exozet/php-fpm:${{ matrix.php-version }} php -v
- name: Run Alpine Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'exozet/php-fpm:${{ matrix.php-version }}-alpine'
format: 'table'
exit-code: '0' # we don't break the build if vulnerabilities are included!
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
- if: contains(github.ref, 'refs/heads/release/') && matrix.php-version == env.VERSION_FOR_ALIAS
name: Run Alpine Trivy vulnerability scanner and upload to github security tab
uses: aquasecurity/trivy-action@master
with:
image-ref: 'exozet/php-fpm:${{ matrix.php-version }}-alpine'
format: 'sarif'
output: 'trivy-results.sarif'
- if: contains(github.ref, 'refs/heads/release/') && matrix.php-version == env.VERSION_FOR_ALIAS
name: Upload Alpine Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v1
with:
sarif_file: 'trivy-results.sarif'
- if: contains(github.ref, 'refs/heads/release/')
name: Login to DockerHub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- if: contains(github.ref, 'refs/heads/release/')
name: Login to Quay.io
uses: docker/login-action@v1
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_PASSWORD }}
- if: contains(github.ref, 'refs/heads/release/') && matrix.php-version == env.VERSION_FOR_ALIAS
name: "Push PHP ${{ matrix.php-version }} and for version alias ${{ env.ALIAS_VERSION }}"
run: ./push_version.sh ${{ matrix.php-version }} ${{ env.ALIAS_VERSION }}
- if: contains(github.ref, 'refs/heads/release/') && matrix.php-version != env.VERSION_FOR_ALIAS
name: "Push PHP ${{ matrix.php-version }}"
run: ./push_version.sh ${{ matrix.php-version }}