Security audit: fix 32 confirmed vulnerabilities (10 critical / 16 high / 5 medium / 1 low) #476
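---
# CI for the exeLearning Docker images: lint, unit/integration/frontend tests,
# CSS/JS build, then image build. Pushes to main, tikismaker and tags also
# publish the image; pull requests only build and test (no registry logins,
# no pushes, no SARIF upload).
name: Build & Test Docker Images

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
      - tikismaker
    tags:
      - '*'
  pull_request:
    branches:
      - main
      - tikismaker
      - 'release/*'

# One in-flight run per ref: a newer push cancels the older run for the same ref.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide GITHUB_TOKEN scope: read the checkout, push to GHCR,
# upload the Hadolint SARIF to code scanning.
permissions:
  contents: read
  packages: write
  security-events: write

jobs:
  build_and_test:
    runs-on: ubuntu-latest
    env:
      # Job-level so the `env.CODECOV_TOKEN != ''` step conditions below can
      # read it (the secrets context cannot be used in a step `if`). The
      # trade-off is that every step, including `bun install`, inherits the
      # token. It is empty on pull requests from forks, so those uploads are
      # skipped rather than failed.
      CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      # Tag builds: stamp the tag (without the leading "v") into package.json
      # so the built image reports the released version.
      - name: Update version in package.json
        if: github.ref_type == 'tag'
        run: |
          TAG_NAME="${GITHUB_REF#refs/tags/v}"
          jq --arg version "$TAG_NAME" '.version = $version' package.json > package.json.tmp && mv package.json.tmp package.json

      # Image tags: the git tag itself, "latest" for non-prerelease tags
      # (no "-" in the name), and the branch name for main/tikismaker.
      - name: Docker meta
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: |
            ${{ github.repository }}
            ghcr.io/${{ github.repository }}
          tags: |
            type=ref,event=tag
            type=raw,value=latest,enable=${{ github.ref_type == 'tag' && !contains(github.ref_name, '-') }}
            type=raw,value=main,enable=${{ github.ref == 'refs/heads/main' }}
            type=raw,value=tikismaker,enable=${{ github.ref == 'refs/heads/tikismaker' }}

      # Verification of unauthorized changes in the workflows.
      # Defence in depth only: on pull_request the workflow definition is taken
      # from the PR head, so a PR that edits this file can also edit this check.
      # Branch protection / CODEOWNERS on .github/workflows is the real control.
      - name: Check ci.yml and app.yml
        if: github.event_name == 'pull_request'
        env:
          # github.before is not populated for every pull_request action
          # (e.g. `opened`); the event's base SHA is always present. Passed via
          # env rather than interpolated into the script.
          BASE_SHA: ${{ github.event.pull_request.base.sha }}
        run: |
          # The default checkout is a depth-1 clone of the PR merge commit, so
          # the base commit has to be fetched before it can be diffed.
          git fetch --no-tags --depth=1 origin "$BASE_SHA"
          # With the default checkout HEAD is the merge of base and head, so
          # BASE_SHA..HEAD is exactly the set of files this PR changes.
          if git diff --name-only "$BASE_SHA" HEAD | grep -Eq '^\.github/workflows/(ci\.yml|app\.yml)$'; then
            echo "Modifying or deleting ci.yml or app.yml is not allowed"
            exit 1
          fi
          echo "Everything is fine"

      - name: Set up Bun
        uses: oven-sh/setup-bun@v2
        with:
          # "latest" floats: two runs of the same commit can resolve to
          # different Bun releases. Pin a version if reproducibility matters.
          bun-version: latest

      - name: Install Dependencies
        run: bun install

      - name: Lint (Biome)
        run: make lint

      - name: Unit Tests + 90% Coverage
        run: make test-unit-ci

      - name: Integration Tests
        run: make test-integration

      - name: Build CSS (prod)
        run: make css

      - name: Bundle JavaScript
        run: make bundle

      - name: Frontend Tests + Coverage
        run: make test-frontend

      # Codecov uploads are best-effort: skipped without a token and never
      # fail the job (fail_ci_if_error: false).
      - name: Upload coverage to Codecov
        if: env.CODECOV_TOKEN != ''
        uses: codecov/codecov-action@v6
        with:
          files: ./coverage/bun/lcov.info,./coverage/vitest/lcov.info
          token: ${{ env.CODECOV_TOKEN }}
          fail_ci_if_error: false
          flags: unittests,frontend

      # Runs even when an earlier step failed (but not when cancelled), so
      # failing test results still reach Codecov.
      - name: Upload test results to Codecov
        if: ${{ !cancelled() && env.CODECOV_TOKEN != '' }}
        uses: codecov/codecov-action@v6
        with:
          files: ./coverage/bun/junit.xml,./coverage/vitest/junit.xml
          token: ${{ env.CODECOV_TOKEN }}
          report_type: test_results

      - name: Upload bundle analysis to Codecov
        if: env.CODECOV_TOKEN != ''
        # presumably reads CODECOV_TOKEN from the job env — confirm in the script
        run: node scripts/upload-bundle-analysis.js

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build Docker Image
        run: make build

      # Registry logins only on the canonical repository and never for pull
      # requests, so fork PRs (which have no secrets anyway) cannot reach them.
      - name: Login to DockerHub
        if: github.repository == 'exelearning/exelearning' && github.event_name != 'pull_request'
        uses: docker/login-action@v4
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}

      - name: Login to GHCR
        if: github.repository == 'exelearning/exelearning' && github.event_name != 'pull_request'
        uses: docker/login-action@v4
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Build and push
        if: github.repository == 'exelearning/exelearning' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/tikismaker' || startsWith(github.ref, 'refs/tags/'))
        uses: docker/build-push-action@v7
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          platforms: linux/amd64,linux/arm64
          build-args: |
            VERSION=${{ steps.meta.outputs.version }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      # Informational only: exit-code 0 never fails the job, and the scan runs
      # after the image was already pushed, so findings are reported but do
      # not block publication.
      - name: Scan image with Trivy (GHCR) only on main branch
        if: github.repository == 'exelearning/exelearning' && github.ref == 'refs/heads/main' && github.event_name != 'pull_request'
        # TODO: pin to a release tag or commit SHA (aquasecurity/trivy-action@<release-tag>);
        # @master is a mutable ref, so the scanner code can change underneath this workflow.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ghcr.io/${{ github.repository }}:main
          format: 'table'
          exit-code: '0'
          severity: 'CRITICAL,HIGH'

      # Dockerfile lint; no-fail keeps it advisory, results go to code scanning.
      - name: Hadolint Action
        uses: hadolint/hadolint-action@v3.3.0
        with:
          format: sarif
          output-file: hadolint-results.sarif
          no-fail: true

      - name: Upload SARIF results
        if: github.repository == 'exelearning/exelearning' && github.event_name != 'pull_request'
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: hadolint-results.sarif
          category: hadolint-dockerfile

      # Tag builds only: sync the Docker Hub short description with GitHub's.
      - name: Docker Hub Description
        if: github.repository == 'exelearning/exelearning' && startsWith(github.ref, 'refs/tags/')
        uses: peter-evans/dockerhub-description@v5
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
          short-description: ${{ github.event.repository.description }}
          enable-url-completion: true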