revert temporary docker and trivy changes (#8833)
This commit is contained in:
Chris Lu
42
.github/workflows/container_latest.yml
vendored
42
.github/workflows/container_latest.yml
vendored
@@ -26,7 +26,6 @@ on:
|
|||||||
|
|
||||||
permissions:
|
permissions:
|
||||||
contents: read
|
contents: read
|
||||||
security-events: write
|
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
setup:
|
setup:
|
||||||
@@ -150,48 +149,9 @@ jobs:
|
|||||||
# Remove Go build cache
|
# Remove Go build cache
|
||||||
sudo rm -rf /tmp/go-build*
|
sudo rm -rf /tmp/go-build*
|
||||||
|
|
||||||
trivy-scan:
|
|
||||||
runs-on: ubuntu-latest
|
|
||||||
needs: [setup, build]
|
|
||||||
strategy:
|
|
||||||
matrix:
|
|
||||||
variant: ${{ fromJSON(needs.setup.outputs.variants) }}
|
|
||||||
steps:
|
|
||||||
- name: Configure variant
|
|
||||||
id: config
|
|
||||||
run: |
|
|
||||||
if [ "${{ matrix.variant }}" == "large_disk" ]; then
|
|
||||||
echo "tag_suffix=_large_disk" >> $GITHUB_OUTPUT
|
|
||||||
else
|
|
||||||
echo "tag_suffix=" >> $GITHUB_OUTPUT
|
|
||||||
fi
|
|
||||||
- name: Login to GHCR
|
|
||||||
uses: docker/login-action@v4
|
|
||||||
with:
|
|
||||||
registry: ghcr.io
|
|
||||||
username: ${{ secrets.GHCR_USERNAME }}
|
|
||||||
password: ${{ secrets.GHCR_TOKEN }}
|
|
||||||
- name: Run Trivy vulnerability scanner
|
|
||||||
# Pin to SHA — mutable tags were compromised (GHSA-69fq-xp46-6x23)
|
|
||||||
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
|
|
||||||
with:
|
|
||||||
# Scan amd64 only — OS packages are identical across architectures
|
|
||||||
# since they all use the same alpine base, so a single-arch scan
|
|
||||||
# provides sufficient coverage without multiplying CI time.
|
|
||||||
image-ref: ghcr.io/chrislusf/seaweedfs:${{ github.event_name == 'workflow_dispatch' && github.event.inputs.image_tag || 'latest' }}${{ steps.config.outputs.tag_suffix }}-amd64
|
|
||||||
format: sarif
|
|
||||||
output: trivy-results.sarif
|
|
||||||
severity: HIGH,CRITICAL
|
|
||||||
exit-code: '1'
|
|
||||||
- name: Upload Trivy scan results to GitHub Security
|
|
||||||
uses: github/codeql-action/upload-sarif@v3
|
|
||||||
if: always()
|
|
||||||
with:
|
|
||||||
sarif_file: trivy-results.sarif
|
|
||||||
|
|
||||||
create-manifest:
|
create-manifest:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
needs: [setup, build, trivy-scan]
|
needs: [setup, build]
|
||||||
if: github.event_name != 'pull_request'
|
if: github.event_name != 'pull_request'
|
||||||
strategy:
|
strategy:
|
||||||
matrix:
|
matrix:
|
||||||
|
|||||||
@@ -79,9 +79,5 @@ RUN mkdir -p /data/filerldb2 && \
|
|||||||
VOLUME /data
|
VOLUME /data
|
||||||
WORKDIR /data
|
WORKDIR /data
|
||||||
|
|
||||||
# Run as non-root by default (satisfies security scanners).
|
# Entrypoint will handle permission fixes and user switching
|
||||||
# Use `docker run --user root` if you need the entrypoint to fix
|
|
||||||
# /data volume ownership before dropping privileges.
|
|
||||||
USER seaweed
|
|
||||||
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
|||||||
@@ -37,9 +37,5 @@ RUN mkdir -p /data/filerldb2 && \
|
|||||||
VOLUME /data
|
VOLUME /data
|
||||||
WORKDIR /data
|
WORKDIR /data
|
||||||
|
|
||||||
# Run as non-root by default (satisfies security scanners).
|
# Entrypoint will handle permission fixes and user switching
|
||||||
# Use `docker run --user root` if you need the entrypoint to fix
|
|
||||||
# /data volume ownership before dropping privileges.
|
|
||||||
USER seaweed
|
|
||||||
|
|
||||||
ENTRYPOINT ["/entrypoint.sh"]
|
ENTRYPOINT ["/entrypoint.sh"]
|
||||||
|
|||||||
Reference in New Issue
Block a user