.github/workflows/build_tiber.yml

name: dockerfiles-build

on:
  workflow_call:
  workflow_dispatch:
  pull_request:
  push:
    branches: [ "main" ]

permissions:
  contents: read

env:
  BUILD_TYPE: "Release"
  DOCKER_IMAGE_BASE: "ghcr.io/openvisualcloud/intel-tiber-broadcast-suite"
  DOCKER_IMAGE_NAME: "tiber-broadcast-suite"
  DOCKER_IMAGE_TAG: "${{ github.sha }}"
  DEBIAN_FRONTEND: "noninteractive"
  TRIVY_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-db"
  TRIVY_JAVA_DB_REPOSITORY: "public.ecr.aws/aquasecurity/trivy-java-db"

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

jobs:
  docker:
    name: "Dockerfile build for Intel® Tiber™ Broadcast Suite"
    runs-on: ubuntu-22.04
    timeout-minutes: 120
    permissions:
      contents: read
      security-events: write
    env:
      BUILDKIT_STEP_LOG_MAX_SIZE: 50000000
      BUILDKIT_STEP_LOG_MAX_SPEED: 10000000
      DOCKER_TMPDIR: "/mnt/docker/docker-tmp"
    steps:
    - name: "OS-Configuration: Preparation: Harden Runner"
      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
        egress-policy: audit

    - name: "OS-Configuration: Report memory, block-dev and free disk space."
      run: |
        sudo free -h
        sudo lsblk
        sudo df -h

    - name: "OS-Configuration: Disable SWAP in OS, create mnt points, show settings."
      shell: bash
      run: |
        export SWAP_FILE="$(sudo swapon --show=NAME | tail -n 1)"
        sudo swapoff "${SWAP_FILE}"
        sudo rm "${SWAP_FILE}"
        sudo mkdir -p "/mnt/docker/docker-d" "/mnt/docker/docker-tmp"

    - name: "OS-Configuration: Add data-root and other JSON changes to dockerd, reload it."
      run: |
        sudo chmod 666 /etc/docker/daemon.json
        echo "$(sudo jq '. += {"data-root":"/mnt/docker/docker-d","log-driver":"json-file","log-format":"text","log-level":"info","log-opts":{"cache-disabled":"false","cache-max-file":"5","cache-max-size":"20m","max-file":"5","max-size":"10m"}}' /etc/docker/daemon.json)" > /etc/docker/daemon.json
        sudo chmod 644 /etc/docker/daemon.json
        sudo systemctl daemon-reload
        sudo systemctl restart docker
        sudo cat "/etc/docker/daemon.json"

    - name: "Configuration: Docker with Buildx Toolkit set up"
      uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
      with:
        buildkitd-flags: "--debug --allow-insecure-entitlement security.insecure --allow-insecure-entitlement network.host"
        platforms: "linux/amd64"
        driver-opts: memory=14Gib,memory-swap=25Gib,env.BUILDKIT_STEP_LOG_MAX_SIZE=50000000,env.BUILDKIT_STEP_LOG_MAX_SPEED=10000000

    - name: "Validation: Build/Push Dokcerfile"
      uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
      with:
        file: Dockerfile
        push: false
        load: true
        target: final-stage
        tags: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
        platforms: "linux/amd64"
        cache-from: type=gha,scope=${{ env.DOCKER_IMAGE_NAME }}
        cache-to: type=gha,mode=max,scope=${{ env.DOCKER_IMAGE_NAME }}

    - name: "Validation: Run Trivy vulnerability scanner on image"
      uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
      continue-on-error: true
      with:
        image-ref: "${{ env.DOCKER_IMAGE_BASE }}/${{ env.DOCKER_IMAGE_NAME }}:${{ env.DOCKER_IMAGE_TAG }}"
        output: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"
        format: "sarif"

    - name: "Finish: Upload Trivy scan results to GitHub Security tab"
      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
      continue-on-error: true
      with:
        sarif_file: "trivy-image-scan-tiber-${{ env.DOCKER_IMAGE_TAG }}.sarif"

  trivy-config-scan:
    name: "trivy config scans"
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      security-events: write
    steps:
    - name: "Preparation: Harden Runner"
      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
        egress-policy: audit

    - name: "Preparation: Repository Checkout"
      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

    - name: Run Trivy 'config' type vulnerability scan.
      uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
      with:
        scan-type: 'config'
        hide-progress: false
        ignore-unfixed: true
        format: 'sarif'
        output: 'trivy-config-scan-tiber.sarif'
        severity: 'CRITICAL,HIGH,MEDIUM'

    - name: Upload Trivy scan results to GitHub Security tab
      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
      if: always()
      with:
        sarif_file: 'trivy-config-scan-tiber.sarif'

  trivy-fs-scan:
    name: "trivy fs scans"
    runs-on: ubuntu-22.04
    permissions:
      contents: read
      security-events: write
    steps:
    - name: "Preparation: Harden Runner"
      uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
      with:
        egress-policy: audit

    - name: "Preparation: Repository Checkout"
      uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6

    - name: Run Trivy 'fs' type vulnerability scanner.
      uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0
      with:
        scan-type: 'fs'
        ignore-unfixed: true
        format: 'sarif'
        output: 'trivy-fs-scan-tiber.sarif'
        severity: 'CRITICAL,HIGH,MEDIUM'

    - name: Upload Trivy scan results to GitHub Security tab
      if: always()
      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
      with:
          sarif_file: 'trivy-fs-scan-tiber.sarif'