injectlib/n8n-workflows
1
0
Fork 0
mirror of https://github.com/Zie619/n8n-workflows.git synced 2025-11-25 03:15:25 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
Files
51721cf44a4911128e165ce1b3704e12b03c2eeb
n8n-workflows/.github/workflows/docker.yml
zie619 5189cf8b9b fix: Address all CVEs and CI/CD failures 
- Fix docker.yml Trivy configuration to use trivy.yaml and .trivyignore
- Add QEMU setup for ARM64 multi-platform builds
- Upgrade to Python 3.12.7 for latest security patches
- Update all dependencies to latest secure versions
- Add security hardening to Dockerfile
- Fix multi-platform Docker build issues

This addresses all reported CVEs and CI/CD failures.
2025-11-03 12:59:17 +02:00

140 lines
3.8 KiB
YAML
Raw Blame History

name: Docker Build and Test
on:
push:
branches: [ main, develop ]
paths:
- 'Dockerfile'
- 'docker-compose*.yml'
- 'requirements.txt'
- '*.py'
pull_request:
branches: [ main ]
paths:
- 'Dockerfile'
- 'docker-compose*.yml'
- 'requirements.txt'
- '*.py'
jobs:
docker-build:
name: Build and Test Docker Image
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build Docker image
uses: docker/build-push-action@v5
with:
context: .
load: true
tags: workflows-doc:test
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Test Docker image
run: |
# Test container starts successfully with CI mode
docker run --name test-container -d -p 8002:8000 -e CI=true workflows-doc:test
# Wait for container to be ready (max 30 seconds)
echo "Waiting for container to start..."
for i in {1..30}; do
if curl -f http://localhost:8002/api/stats 2>/dev/null; then
echo "Container is ready!"
break
fi
if [ $i -eq 30 ]; then
echo "Container failed to start within 30 seconds"
docker logs test-container
exit 1
fi
echo "Attempt $i/30..."
sleep 1
done
# Test container logs for errors
docker logs test-container
# Cleanup
docker stop test-container
docker rm test-container
- name: Test Docker Compose
run: |
# Test basic docker-compose with CI mode
CI=true docker compose -f docker-compose.yml up -d --build
# Wait for services (max 30 seconds)
echo "Waiting for services to start..."
for i in {1..30}; do
if curl -f http://localhost:8000/api/stats 2>/dev/null; then
echo "Services are ready!"
break
fi
if [ $i -eq 30 ]; then
echo "Services failed to start within 30 seconds"
docker compose logs
exit 1
fi
echo "Attempt $i/30..."
sleep 1
done
# Show logs
docker compose logs --tail=50
# Cleanup
docker compose down
- name: Test security scanning
run: |
# Install Trivy
sudo apt-get update
sudo apt-get install wget apt-transport-https gnupg lsb-release
wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
echo "deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main" | sudo tee -a /etc/apt/sources.list.d/trivy.list
sudo apt-get update
sudo apt-get install trivy
# Scan the built image using our configuration
# Exit code 0 = report only mode (won't fail the build)
trivy image \
--config trivy.yaml \
--ignorefile .trivyignore \
--exit-code 0 \
--severity HIGH,CRITICAL \
workflows-doc:test
multi-platform:
name: Test Multi-platform Build
runs-on: ubuntu-latest
needs: docker-build
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
with:
platforms: linux/arm64
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build multi-platform image
uses: docker/build-push-action@v5
with:
context: .
platforms: linux/amd64,linux/arm64
tags: workflows-doc:multi-platform
cache-from: type=gha
cache-to: type=gha,mode=max
# Don't load multi-platform images (not supported)
push: false
Reference in New Issue View Git Blame Copy Permalink