hedgehog-iso-build-docker-wrap-push-ghcr

watchdog python library to v6.0.0 #254

Summary
Jobs
- build
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml at 60b0128

	name: hedgehog-iso-build-docker-wrap-push-ghcr

	on:
	push:
	branches:
	- main
	- development
	paths:
	- 'hedgehog-iso/**'
	- 'shared/bin/*'
	- '.trigger_iso_workflow_build'
	- '.github/workflows/hedgehog-iso-build-docker-wrap-push-ghcr.yml'
	workflow_dispatch:
	repository_dispatch:

	jobs:
	build:
	runs-on: ubuntu-22.04
	permissions:
	actions: write
	packages: write
	contents: read
	security-events: write
	defaults:
	run:
	shell: bash
	steps:
	-
	name: Cancel previous run in progress
	uses: styfle/[email protected]
	with:
	ignore_sha: true
	all_but_latest: true
	access_token: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Set up QEMU
	uses: docker/setup-qemu-action@v3
	-
	name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v3
	with:
	driver-opts: \|
	image=moby/buildkit:master
	-
	name: Build environment setup
	run: \|
	sudo docker rmi $(docker image ls -aq) >/dev/null 2>&1 \|\| true
	sudo rm -rf \
	"$AGENT_TOOLSDIRECTORY" \
	/opt/ghc \
	/usr/lib/jvm \
	/usr/local/.ghcup \
	/usr/local/lib/android \
	/usr/local/share/powershell \
	/usr/share/dotnet \
	/usr/share/swift >/dev/null 2>&1 \|\| true
	sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y update >/dev/null 2>&1
	sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge remove \
	azure-cli \
	dotnet* \
	firefox \
	google-chrome-stable \
	google-cloud-cli \
	microsoft-edge-stable \
	mono-* \
	mysql* \
	postgresql* \
	powershell \
	temurin* >/dev/null 2>&1 \|\| true
	sudo env DEBIAN_FRONTEND=noninteractive apt-get -q -y --purge autoremove >/dev/null 2>&1 \|\| true
	sudo env DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y -q \
	apt-transport-https \
	bc \
	build-essential \
	ca-certificates \
	curl \
	debhelper-compat \
	debian-archive-keyring \
	debootstrap \
	genisoimage \
	gettext \
	git \
	gnupg2 \
	imagemagick \
	jq \
	po4a \
	rsync \
	software-properties-common \
	squashfs-tools \
	virt-what \
	xorriso
	git clone --depth=1 --single-branch --recurse-submodules --shallow-submodules --branch='debian/1%20230131' 'https://salsa.debian.org/live-team/live-build.git' /tmp/live-build
	cd /tmp/live-build
	dpkg-buildpackage -b -uc -us
	cd /tmp
	sudo dpkg -i /tmp/live-build*.deb
	sudo rm -rf /tmp/live-build /tmp/live-build*.deb
	-
	name: Checkout
	uses: actions/checkout@v4
	-
	name: Extract branch name
	shell: bash
	run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
	id: extract_branch
	-
	name: Extract commit SHA
	shell: bash
	run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
	id: extract_commit_sha
	-
	name: Extract Malcolm version
	shell: bash
	run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml \| awk '{print $2}' \| cut -d':' -f2 \| uniq -c \| sort -nr \| awk '{print $2}' \| head -n 1)" >> $GITHUB_OUTPUT
	id: extract_malcolm_version
	-
	name: Build image
	run: \|
	sudo rm -rf ${GITHUB_WORKSPACE}/.git
	cp -r ./shared ./docs ./_config.yml ./_includes ./_layouts ./Gemfile ./README.md ./malcolm-iso/htpdate ./hedgehog-iso
	cp ./scripts/malcolm_utils.py ./hedgehog-iso/shared/bin/
	cp ./scripts/documentation_build.sh ./hedgehog-iso/docs/
	mkdir -p ./hedgehog-iso/suricata
	cp -r ./suricata/rules-default ./hedgehog-iso/suricata/
	mkdir -p ./hedgehog-iso/nginx
	cp -r ./nginx/landingpage/css ./hedgehog-iso/nginx/
	cp -r ./nginx/landingpage/js ./hedgehog-iso/nginx/
	pushd ./hedgehog-iso
	echo "${{ steps.extract_malcolm_version.outputs.mversion }}" > ./shared/version.txt
	echo "${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}" > ./shared/maxmind_license.txt
	echo "${{ secrets.MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/maxmind_url.txt
	echo "${{ secrets.ZEEK_DEB_ALTERNATE_DOWNLOAD_URL }}" > ./shared/zeek_url.txt
	echo "GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}" > ./shared/environment.chroot
	echo "VCS_REVSION=${{ steps.extract_commit_sha.outputs.sha }}" > ./shared/environment.chroot
	echo "BUILD_JOBS=2" > ./shared/environment.chroot
	sudo /usr/bin/env bash ./build.sh
	rm -rf ./shared/ ./docs/ ./_config.yml ./_includes ./_layouts /Gemfile ./README.md ./suricata
	sudo chmod 644 ./hedgehog-.
	popd
	-
	name: Run Trivy vulnerability scanner
	if: ${{ matrix.platform == 'linux/amd64' }}
	id: trivy-scan
	uses: aquasecurity/[email protected]
	env:
	TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
	with:
	scan-type: 'fs'
	scan-ref: './hedgehog-iso'
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'HIGH,CRITICAL'
	vuln-type: 'os,library'
	hide-progress: true
	ignore-unfixed: true
	exit-code: '0'
	-
	name: Upload Trivy scan results to GitHub Security tab
	if: ${{ matrix.platform == 'linux/amd64' }}
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: 'trivy-results.sarif'
	-
	name: ghcr.io login
	uses: docker/login-action@v3
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Build and push ISO image
	uses: docker/build-push-action@v5
	with:
	context: ./hedgehog-iso
	push: true
	provenance: false
	tags: ghcr.io/${{ github.repository_owner }}/malcolm/hedgehog:${{ steps.extract_branch.outputs.branch }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

watchdog python library to v6.0.0 #254

Workflow file

watchdog python library to v6.0.0 #254

Jobs

Run details

Workflow file for this run