diff --git a/.github/workflows/anchore.yml b/.github/workflows/anchore.yml new file mode 100644 index 0000000..80e3f95 --- /dev/null +++ b/.github/workflows/anchore.yml @@ -0,0 +1,45 @@ +# This workflow uses actions that are not certified by GitHub. +# They are provided by a third-party and are governed by +# separate terms of service, privacy policy, and support +# documentation. + +# This workflow checks out code, builds an image, performs a container image +# vulnerability scan with Anchore's Grype tool, and integrates the results with GitHub Advanced Security +# code scanning feature. For more information on the Anchore scan action usage +# and parameters, see https://github.com/anchore/scan-action. For more +# information on Anchore's container image scanning tool Grype, see +# https://github.com/anchore/grype +name: Anchore Container Scan + +on: + push: + branches: [ main ] + pull_request: + branches: [ main ] + schedule: + - cron: '45 5 * * 1' + +permissions: + contents: read + +jobs: + Anchore-Build-Scan: + permissions: + contents: read # for actions/checkout to fetch code + security-events: write # for github/codeql-action/upload-sarif to upload SARIF results + runs-on: ubuntu-latest + steps: + - name: Checkout the code + uses: actions/checkout@v3 + + - name: Scan current project + id: scan + uses: anchore/scan-action@v3 + with: + path: "." + acs-report-enable: true + + - name: Upload Anchore Scan Report + uses: github/codeql-action/upload-sarif@v2 + with: + sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/README.md b/README.md index d06bab2..0a3708d 100644 --- a/README.md +++ b/README.md 
@@ -1,4 +1,7 @@ -# github-runner-base +[![Create Release](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/create-release.yml) +[![Anchore Container Scan](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/anchore.yml/badge.svg)](https://github.com/fullstack-devops/github-actions-runner/actions/workflows/anchore.yml) + +# GitHub Actions Custom Runner Container images with Github Actions Runner. Different flavored images with preinstalled tools and software for builds with limited internet access and non root privileges. Ideal for building software in enterprise environments of large organizations that often restrict internet access. @@ -6,17 +9,17 @@ Software builds can be built there using a [Nexus Repository](https://de.sonatyp Support: If you need help or a feature just open an issue! -Package / Images: ghcr.io/fullstack-devops/github-actions-runner +Package / Images: `ghcr.io/fullstack-devops/github-actions-runner` Available Tags: -| Name (tag) | Installed Tools/ Software | Description | -|-------------------------|-----------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------| -| `latest-base` | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed
[Dockerfile](images/base/Dockerfile) | -| `latest-kaniko-sidecar` | kaniko | Sidecar used by other runner images to build containers without root privileges | -| `latest-ansible-k8s` | base-image + ansible, helm, kubectl, skopeo | Runner specialized for automated k8s deployments via ansible
For more Details see [Dockerfile](images/ansible-k8s/Dockerfile) | -| `latest-fullstacked` | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm | Runner with a bunch of tools to build your hole application
For more Details see [Dockerfile](images/fullstacked/Dockerfile) | - -> Hint: `latest can be replaced with an spezfic release version for more stability` +| Name (tag) | Installed Tools/ Software | Description | +|-------------------------|-----------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------------| +| `latest-base` | libffi-dev, libicu-dev, build-essential, libssl-dev, ca-certificates, jq, sed, grep, git, curl, wget, zip | Base runner with nothing fancy installed
[Dockerfile](images/base/Dockerfile) | +| `latest-kaniko-sidecar` | kaniko | Sidecar used by other runner images to build containers without root privileges | +| `latest-ansible-k8s` | base-image + ansible, helm, kubectl, skopeo | Runner specialized for automated k8s deployments via ansible
For more Details see [Dockerfile](images/ansible-k8s/Dockerfile) | +| `latest-fullstacked` | base-image + maven, openjdk-11, nodejs, go, yarn, angular/cli, helm | Runner with a bunch of tools to build your hole application
For more Details see [Dockerfile](images/fullstacked/Dockerfile) | + +> Hint: `latest` can be replaced with an specific release version for more stability in your environment. --- diff --git a/images/base/Dockerfile b/images/base/Dockerfile index 6b9708e..fd9294d 100644 --- a/images/base/Dockerfile +++ b/images/base/Dockerfile @@ -12,7 +12,7 @@ ENV GH_RUNNER_WORKDIR="/home/${USERNAME}" ENV GH_KANIKO_WORKDIR="/kaniko/workspace" # https://github.com/actions/runner/releases -ENV GH_RUNNER_VERSION=2.290.1 +ENV GH_RUNNER_VERSION=2.291.1 ENV GH_RUNNER_LABELS=ubuntu-20.04 ENV AWESOME_CI_VERSION 0.11.3
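Review bot: in the new `.github/workflows/anchore.yml`, the header comment says the workflow "builds an image" and scans it, but no build step exists and the scan step uses `path: "."`, so Grype only scans the checked-out source tree, never the published runner images (`latest-base`, `latest-kaniko-sidecar`, `latest-ansible-k8s`, `latest-fullstacked`) whose OS and tool packages are the actual attack surface. Either build the image in the job and pass it via the action's `image:` input, or scan the already-published `ghcr.io/fullstack-devops/github-actions-runner:<tag>` images, and fix the comment to match. Also, the `Upload Anchore Scan Report` step has no `if: always()`; since scan-action fails the step by default once its severity cutoff is reached, the SARIF would be skipped from upload exactly when there are findings to report. Finally, both third-party actions are referenced by mutable major tags (`anchore/scan-action@v3`, `actions/checkout@v3`, `github/codeql-action/upload-sarif@v2`); pinning them to a full commit SHA would be consistent with the workflow's own warning that these actions are not certified by GitHub.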
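Review bot: the README table hunk (`@@ -6,17 +9,17 @@`) rewrites the table but carries over two typos in the new `+` lines: "build your hole application" should read "build your whole application", and the new hint "`latest` can be replaced with an specific release version" should read "a specific release version". While touching the table, the `latest-base` row's description has no "For more Details see" lead-in before its `[Dockerfile]` link, unlike the other rows; aligning it would keep the column consistent.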
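Review bot: the `images/base/Dockerfile` hunk bumps `GH_RUNNER_VERSION` from `2.290.1` to `2.291.1` without any mention of the runner upgrade in the README changes in this same PR; a short changelog line would help users of the `latest-*` tags understand why the base image changed. As a style point visible in the same hunk, `ENV AWESOME_CI_VERSION 0.11.3` uses the legacy space-separated `ENV key value` form while the adjacent lines use `ENV key=value`; switching it to `ENV AWESOME_CI_VERSION=0.11.3` keeps the file consistent and avoids the deprecated syntax.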