Merge pull request #6 from OpenVoxProject/update_ci

rwaffen · web-flow · commit f680ad953f4b · 2025-11-24T15:17:12.000+01:00
chore(ci): add GitHub Actions workflows for build, CI, and security scanning
diff --git a/.github/workflows/build_container.yml b/.github/workflows/build_container.yml
@@ -0,0 +1,122 @@
+---
+name: 📦 Build and Publish
+
+on:
+  push:
+    branches:
+      - 'main'
+    tags:
+      - '*'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
+      tag_matrix: ${{ steps.set-tag-matrix.outputs.tag_matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v6
+
+      - name: 'Setup yq'
+        uses: dcarbone/install-yq-action@v1.3.1
+
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
+
+      - id: set-tag-matrix
+        run: echo "tag_matrix=$(bash matrix.sh tag)" >> $GITHUB_OUTPUT
+
+  build-and-push-container:
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      contents: read
+      packages: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
+    steps:
+      - name: Build Vox Pupuli OpenBolt Container v${{ matrix.rubygem_openbolt }}-${{ matrix.platform }}
+        uses: voxpupuli/gha-build-and-publish-a-container@v2
+        with:
+          registry_password: ${{ secrets.GITHUB_TOKEN }}
+          build_args: |
+            BASE_IMAGE=${{ matrix.base_image }}
+            RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
+            RUBYGEM_OPENBOLT=${{ matrix.rubygem_openbolt }}
+          build_arch: linux/${{ matrix.platform }}
+          buildfile: Containerfile
+          docker_username: voxpupulibot
+          docker_password: ${{ secrets.DOCKERHUB_BOT_ADMIN_TOKEN }}
+          tags: |
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-${{ matrix.platform }}
+
+  create-multiarch-manifests:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
+    needs:
+      - setup-matrix
+      - build-and-push-container
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.tag_matrix) }}
+    steps:
+      - name: Log in to the ghcr.io registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Log in to the docker.io registry
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: voxpupulibot
+          password: ${{ secrets.DOCKERHUB_BOT_ADMIN_TOKEN }}
+
+      - name: Create multiarch manifests
+        run: |
+          docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/openbolt:${{ matrix.rubygem_openbolt }}-${{ github.ref_name }} \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+          docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/openbolt:${{ matrix.rubygem_openbolt }}-latest \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+          docker buildx imagetools create -t ghcr.io/${{ github.repository_owner }}/openbolt:latest \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+          docker buildx imagetools create -t docker.io/${{ github.repository_owner }}/openbolt:${{ matrix.rubygem_openbolt }}-${{ github.ref_name }} \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+          docker buildx imagetools create -t docker.io/${{ github.repository_owner }}/openbolt:${{ matrix.rubygem_openbolt }}-latest \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+          docker buildx imagetools create -t docker.io/${{ github.repository_owner }}/openbolt:latest \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-arm64 \
+            ghcr.io/${{ github.repository_owner }}/openbolt:${{ github.sha }}-v${{ matrix.rubygem_openbolt }}-amd64
+
+  update-dockerhub-description:
+    runs-on: ubuntu-latest
+    needs:
+      - create-multiarch-manifests
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v6
+
+      - name: Update Docker Hub Description
+        uses: peter-evans/dockerhub-description@v5
+        with:
+          username: voxpupulibot
+          password: ${{ secrets.DOCKERHUB_BOT_ADMIN_TOKEN }}
+          repository: voxpupuli/openbolt
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -0,0 +1,91 @@
+---
+name: 🚦 CI
+
+on:
+  pull_request:
+    branches:
+      - main
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v5
+
+      - name: 'Setup yq'
+        uses: dcarbone/install-yq-action@v1.3.1
+
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
+
+  build_ci_container:
+    name: Build ${{ matrix.platform }} CI container
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+      pull-requests: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v5
+
+      - name: Build image
+        uses: docker/build-push-action@v6
+        with:
+          file: Containerfile
+          tags: 'ci/openbolt:${{ matrix.rubygem_openbolt }}'
+          push: false
+          platforms: linux/${{ matrix.platform }}
+          build-args: |
+            BASE_IMAGE=${{ matrix.base_image }}
+            RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
+            RUBYGEM_OPENBOLT=${{ matrix.rubygem_openbolt }}
+
+      - name: Clone voxpupuli/puppet-example repository
+        uses: actions/checkout@v5
+        with:
+          repository: voxpupuli/puppet-example
+
+      - name: Test container
+        run: |
+          docker run --rm -v $PWD:/repo:Z ci/openbolt:${{ matrix.rubygem_openbolt }} -h
+
+  tests:
+    needs:
+      - build_ci_container
+    runs-on: ubuntu-latest
+    name: Test suite
+    steps:
+      - run: echo Test suite completed
+
+  dependabot:
+    permissions:
+      contents: write
+    name: 'Dependabot auto-merge'
+    needs:
+      - tests
+    runs-on: ubuntu-latest
+    if: ${{ github.actor == 'dependabot[bot]' && github.event_name == 'pull_request'}}
+    steps:
+      - name: Dependabot metadata
+        id: metadata
+        uses: dependabot/fetch-metadata@v2.4.0
+        with:
+          github-token: '${{ secrets.GITHUB_TOKEN }}'
+
+      - name: Enable auto-merge for Dependabot PRs
+        run: gh pr merge --auto --merge "$PR_URL"
+        env:
+          PR_URL: ${{github.event.pull_request.html_url}}
+          GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
diff --git a/.github/workflows/security_scanning.yml b/.github/workflows/security_scanning.yml
@@ -0,0 +1,69 @@
+---
+name: 🕵️ Security Scanning
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+    branches:
+      - main
+
+permissions:
+  contents: read
+
+jobs:
+  setup-matrix:
+    runs-on: ubuntu-latest
+    outputs:
+      build_matrix: ${{ steps.set-build-matrix.outputs.build_matrix }}
+    steps:
+      - name: Source checkout
+        uses: actions/checkout@v6
+
+      - name: 'Setup yq'
+        uses: dcarbone/install-yq-action@v1.3.1
+
+      - id: set-build-matrix
+        run: echo "build_matrix=$(bash matrix.sh build)" >> $GITHUB_OUTPUT
+
+  scan_ci_container:
+    name: 'Scan CI container'
+    runs-on: ${{ matrix.runner }}
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+    needs: setup-matrix
+    strategy:
+      matrix: ${{ fromJson(needs.setup-matrix.outputs.build_matrix) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v6
+
+      - name: Build CI container
+        uses: docker/build-push-action@v6
+        with:
+          tags: 'ci/openbolt:${{ matrix.rubygem_openbolt }}'
+          push: false
+          file: Containerfile
+          platforms: linux/${{ matrix.platform }}
+          build-args: |
+            BASE_IMAGE=${{ matrix.base_image }}
+            RUBYGEM_BUNDLER=${{ matrix.rubygem_bundler }}
+            RUBYGEM_OPENBOLT=${{ matrix.rubygem_openbolt }}
+
+      - name: Scan image with Anchore Grype
+        uses: anchore/scan-action@v7
+        id: scan
+        with:
+          image: 'ci/openbolt:${{ matrix.rubygem_openbolt }}'
+          fail-build: false
+
+      - name: Inspect action SARIF report
+        run: jq . ${{ steps.scan.outputs.sarif }}
+
+      - name: Upload Anchore scan SARIF report
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
