chore(release): prepare v1.8.1 #67
| name: CI Validation | |
| on: | |
| push: | |
| branches: [main] | |
| pull_request: | |
| branches: [main] | |
| permissions: | |
| contents: read | |
| security-events: write | |
| env: | |
| IMAGE_NAME: ghcr.io/devrail-dev/dev-toolchain | |
| IMAGE_TAG: local | |
| jobs: | |
| build-and-validate: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| # Phase 1: Build the image | |
| - name: Build container image | |
| run: docker build -t ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} . | |
| # Phase 2: Self-validate with make check | |
| - name: Run make check (shellcheck + shfmt) | |
| run: | | |
| docker run --rm \ | |
| -v "$(pwd):/workspace" \ | |
| -w /workspace \ | |
| ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \ | |
| make _check | |
| # Phase 2b: Validate tool version manifest | |
| - name: Validate tool version manifest | |
| run: | | |
| docker run --rm \ | |
| ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \ | |
| bash /opt/devrail/scripts/report-tool-versions.sh \ | |
| | jq . | |
| # Phase 3: Security scans | |
| # Blocking scan: OS packages only. We control the base image and can act on | |
| # these. ignore-unfixed skips CVEs with no Debian patch available yet. | |
| - name: Run trivy OS package scan (blocking) | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| with: | |
| image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
| severity: CRITICAL,HIGH | |
| ignore-unfixed: 'true' | |
| vuln-type: os | |
| exit-code: 1 | |
| format: table | |
| # Advisory scan: full image (OS + Go binaries + Python packages). Results | |
| # are uploaded to the GitHub Security tab for visibility. Not blocking | |
| # because Go binary CVEs depend on upstream tool releases we don't control. | |
| - name: Run trivy full scan (SARIF, advisory) | |
| uses: aquasecurity/trivy-action@0.28.0 | |
| if: always() | |
| with: | |
| image-ref: ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} | |
| severity: CRITICAL,HIGH | |
| ignore-unfixed: 'true' | |
| exit-code: 0 | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload SARIF results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Run gitleaks scan | |
| run: | | |
| docker run --rm \ | |
| -v "$(pwd):/workspace" \ | |
| -w /workspace \ | |
| ${{ env.IMAGE_NAME }}:${{ env.IMAGE_TAG }} \ | |
| gitleaks detect --source /workspace --verbose | |
| # Image signing placeholder — actual signing should be added to build.yml | |
| # when images are published to GHCR. CI builds are local-only and not pushed, | |
| # so signing here has no effect. This job serves as documentation of the | |
| # intended cosign verification workflow. | |
| sign-image: | |
| needs: [build-and-validate] | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Note on image signing | |
| run: | | |
| echo "Image signing is performed during the build workflow (build.yml)" | |
| echo "when images are published to GHCR. CI only builds locally." | |
| echo "" | |
| echo "Consumers can verify published images with:" | |
| echo " cosign verify \\" | |
| echo " --certificate-oidc-issuer https://token.actions.githubusercontent.com \\" | |
| echo " --certificate-identity-regexp 'github.com/devrail-dev/dev-toolchain' \\" | |
| echo " ghcr.io/devrail-dev/dev-toolchain:v1" |
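Review bot: The third-party actions at `uses: actions/checkout@v4`, `uses: aquasecurity/trivy-action@0.28.0` (used twice) and `uses: github/codeql-action/upload-sarif@v3` are pinned to mutable tags, so a moved or hijacked tag changes what runs in a workflow that grants `security-events: write`; pin each to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`. The gitleaks step (`gitleaks detect --source /workspace --verbose`) runs against the checkout's default shallow clone, so it appears to cover only the history reachable from the single fetched commit rather than the repository's; add `fetch-depth: 0` under the checkout step's `with:`, or pass `--no-git` if a filesystem-only scan is the intent. Separately, the cosign example in the sign-image note uses an unanchored `--certificate-identity-regexp 'github.com/devrail-dev/dev-toolchain'`, which also matches any identity merely containing that substring; anchoring it (e.g. `'^https://github\.com/devrail-dev/dev-toolchain/'`) would make the documented verification stricter.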