github-starred/flowsint
2
0
Fork 0
mirror of https://github.com/reconurge/flowsint.git synced 2026-04-29 02:39:41 -05:00
Code Issues 229 Packages Projects Releases 11 Wiki Activity

feat(chore): update deploy components

Browse Source
This commit is contained in:
dextmorgn
2026-01-25 20:45:22 +01:00
parent 7d33b813de
commit a178ef1bcd
17 changed files with 624 additions and 20978 deletions
Download Patch File Download Diff File Expand all files Collapse all files

157
.github/workflows/images.yml vendored
View File

@@ -1,18 +1,34 @@
name: images
name: Build and Push Docker Images
on:
push:
tags:
- "v*"
env:
REGISTRY_DOCKERHUB: docker.io
REGISTRY_GHCR: ghcr.io
jobs:
build:
environment: production
build-frontend:
name: Build Frontend
runs-on: ubuntu-latest
environment: production
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
@@ -26,33 +42,132 @@ jobs:
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ github.repository_owner }}/flowsint-app
ghcr.io/${{ github.repository_owner }}/flowsint-app
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: ./flowsint-app
file: ./flowsint-app/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: true
sbom: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-app:${{ github.ref_name }}
format: "sarif"
output: "trivy-frontend.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-frontend.sarif"
build-backend:
name: Build Backend
runs-on: ubuntu-latest
environment: production
permissions:
contents: read
packages: write
security-events: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push frontend
uses: docker/build-push-action@v6
- name: Login to Docker Hub
uses: docker/login-action@v3
with:
platforms: linux/amd64,linux/arm64
push: true
context: "{{defaultContext}}:flowsint-app"
tags: |
${{ github.repository_owner }}/flowsint-app:${{ github.ref_name }}
${{ github.repository_owner }}/flowsint-app:latest
ghcr.io/${{ github.repository_owner }}/flowsint-app:${{ github.ref_name }}
ghcr.io/${{ github.repository_owner }}/flowsint-app:latest
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Build and push backend
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v5
with:
images: |
${{ github.repository_owner }}/flowsint-api
ghcr.io/${{ github.repository_owner }}/flowsint-api
tags: |
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=raw,value=latest,enable={{is_default_branch}}
- name: Build and push
uses: docker/build-push-action@v6
with:
context: .
file: ./flowsint-api/Dockerfile
target: production
platforms: linux/amd64,linux/arm64
push: true
target: prod
file: ./flowsint-api/Dockerfile
tags: |
${{ github.repository_owner }}/flowsint-api:${{ github.ref_name }}
${{ github.repository_owner }}/flowsint-api:latest
ghcr.io/${{ github.repository_owner }}/flowsint-api:${{ github.ref_name }}
ghcr.io/${{ github.repository_owner }}/flowsint-api:latest
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
provenance: true
sbom: true
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ghcr.io/${{ github.repository_owner }}/flowsint-api:${{ github.ref_name }}
format: "sarif"
output: "trivy-backend.sarif"
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: "trivy-backend.sarif"
security-summary:
name: Security Summary
runs-on: ubuntu-latest
needs: [build-frontend, build-backend]
if: always()
steps:
- name: Summary
run: |
echo "## Build Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "| Image | Status |" >> $GITHUB_STEP_SUMMARY
echo "|-------|--------|" >> $GITHUB_STEP_SUMMARY
echo "| Frontend | ${{ needs.build-frontend.result }} |" >> $GITHUB_STEP_SUMMARY
echo "| Backend | ${{ needs.build-backend.result }} |" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "Security scans uploaded to GitHub Security tab." >> $GITHUB_STEP_SUMMARY