fix: use double quotes for environment variable assignments in workflows

- Updated environment variable assignments in multiple workflow files to use double quotes for consistency, so that paths such as `$GITHUB_OUTPUT` and `$GITHUB_ENV` are not subject to word splitting or glob expansion.
- Refactored echo commands to group multiple lines into a single block for improved readability in the following workflows:
  - release-goreleaser.yml
  - renovate_prune.yml
  - security-pr.yml
  - security-weekly-rebuild.yml
  - supply-chain-pr.yml
  - supply-chain-verify.yml
  - update-geolite2.yml
  - waf-integration.yml
  - weekly-nightly-promotion.yml
GitHub Actions
2026-02-08 10:18:40 +00:00
parent ef5efd2e33
commit ee48c2e716
25 changed files with 812 additions and 689 deletions


@@ -65,7 +65,7 @@ jobs:
- name: Normalize image name
run: |
IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
- name: Determine skip condition
id: skip
env:
@@ -104,8 +104,8 @@ jobs:
echo "Force building on feature branch (PR)"
fi
echo "skip_build=$should_skip" >> $GITHUB_OUTPUT
echo "is_feature_push=$is_feature_push" >> $GITHUB_OUTPUT
echo "skip_build=$should_skip" >> "$GITHUB_OUTPUT"
echo "is_feature_push=$is_feature_push" >> "$GITHUB_OUTPUT"
- name: Set up QEMU
if: steps.skip.outputs.skip_build != 'true'
@@ -119,7 +119,7 @@ jobs:
run: |
docker pull alpine:3.23.3
DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' alpine:3.23.3)
echo "image=$DIGEST" >> $GITHUB_OUTPUT
echo "image=$DIGEST" >> "$GITHUB_OUTPUT"
- name: Log in to GitHub Container Registry
if: steps.skip.outputs.skip_build != 'true'
@@ -142,7 +142,7 @@ jobs:
id: branch-tags
run: |
BRANCH_NAME="${TRIGGER_REF#refs/heads/}"
SHORT_SHA="$(echo ${{ env.TRIGGER_HEAD_SHA }} | cut -c1-7)"
SHORT_SHA="$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)"
sanitize_tag() {
local raw="$1"
@@ -150,15 +150,19 @@ jobs:
local sanitized
sanitized=$(echo "$raw" | tr '[:upper:]' '[:lower:]')
sanitized=$(echo "$sanitized" | sed 's/[^a-z0-9-]/-/g' | sed 's/--*/-/g')
sanitized=$(echo "$sanitized" | sed 's/^[^a-z0-9]*//' | sed 's/[^a-z0-9-]*$//')
sanitized=${sanitized//[^a-z0-9-]/-}
while [[ "$sanitized" == *"--"* ]]; do
sanitized=${sanitized//--/-}
done
sanitized=${sanitized##[^a-z0-9]*}
sanitized=${sanitized%%[^a-z0-9-]*}
if [ -z "$sanitized" ]; then
sanitized="branch"
fi
sanitized=$(echo "$sanitized" | cut -c1-"$max_len")
sanitized=$(echo "$sanitized" | sed 's/^[^a-z0-9]*//')
sanitized=${sanitized##[^a-z0-9]*}
if [ -z "$sanitized" ]; then
sanitized="branch"
fi
@@ -170,11 +174,11 @@ jobs:
BASE_BRANCH=$(sanitize_tag "${BRANCH_NAME}" 120)
BRANCH_SHA_TAG="${BASE_BRANCH}-${SHORT_SHA}"
echo "branch_sha_tag=${BRANCH_SHA_TAG}" >> $GITHUB_OUTPUT
echo "branch_sha_tag=${BRANCH_SHA_TAG}" >> "$GITHUB_OUTPUT"
if [[ "$TRIGGER_REF" == refs/heads/feature/* ]]; then
echo "feature_branch_tag=${SANITIZED_BRANCH}" >> $GITHUB_OUTPUT
echo "feature_branch_sha_tag=${BRANCH_SHA_TAG}" >> $GITHUB_OUTPUT
echo "feature_branch_tag=${SANITIZED_BRANCH}" >> "$GITHUB_OUTPUT"
echo "feature_branch_sha_tag=${BRANCH_SHA_TAG}" >> "$GITHUB_OUTPUT"
fi
- name: Generate Docker metadata
@@ -260,7 +264,7 @@ jobs:
# Extract digest for downstream jobs (format: sha256:xxxxx)
DIGEST=$(cat /tmp/image-digest.txt)
echo "digest=${DIGEST}" >> $GITHUB_OUTPUT
echo "digest=${DIGEST}" >> "$GITHUB_OUTPUT"
echo "✅ Build complete. Digest: ${DIGEST}"
# For PRs only, pull the image back locally for artifact creation
@@ -355,13 +359,13 @@ jobs:
echo ""
echo "==> Caddy version:"
timeout 30s docker run --rm --pull=never $IMAGE_REF caddy version || echo "⚠️ Caddy version check timed out or failed"
timeout 30s docker run --rm --pull=never "$IMAGE_REF" caddy version || echo "⚠️ Caddy version check timed out or failed"
echo ""
echo "==> Extracting Caddy binary for inspection..."
CONTAINER_ID=$(docker create --pull=never $IMAGE_REF)
docker cp ${CONTAINER_ID}:/usr/bin/caddy ./caddy_binary
docker rm ${CONTAINER_ID}
CONTAINER_ID=$(docker create --pull=never "$IMAGE_REF")
docker cp "${CONTAINER_ID}:/usr/bin/caddy" ./caddy_binary
docker rm "$CONTAINER_ID"
# Determine the image reference based on event type
if [ "${{ env.TRIGGER_EVENT }}" = "pull_request" ]; then
@@ -451,17 +455,17 @@ jobs:
echo ""
echo "==> CrowdSec cscli version:"
timeout 30s docker run --rm --pull=never $IMAGE_REF cscli version || echo "⚠️ CrowdSec version check timed out or failed (may not be installed for this architecture)"
timeout 30s docker run --rm --pull=never "$IMAGE_REF" cscli version || echo "⚠️ CrowdSec version check timed out or failed (may not be installed for this architecture)"
echo ""
echo "==> Extracting cscli binary for inspection..."
CONTAINER_ID=$(docker create --pull=never $IMAGE_REF)
docker cp ${CONTAINER_ID}:/usr/local/bin/cscli ./cscli_binary 2>/dev/null || {
CONTAINER_ID=$(docker create --pull=never "$IMAGE_REF")
docker cp "${CONTAINER_ID}:/usr/local/bin/cscli" ./cscli_binary 2>/dev/null || {
echo "⚠️ cscli binary not found - CrowdSec may not be available for this architecture"
docker rm ${CONTAINER_ID}
docker rm "$CONTAINER_ID"
exit 0
}
docker rm ${CONTAINER_ID}
docker rm "$CONTAINER_ID"
echo ""
echo "==> Checking if Go toolchain is available locally..."
@@ -533,9 +537,9 @@ jobs:
id: trivy-check
run: |
if [ -f trivy-results.sarif ]; then
echo "exists=true" >> $GITHUB_OUTPUT
echo "exists=true" >> "$GITHUB_OUTPUT"
else
echo "exists=false" >> $GITHUB_OUTPUT
echo "exists=false" >> "$GITHUB_OUTPUT"
fi
- name: Upload Trivy results
@@ -597,15 +601,17 @@ jobs:
- name: Create summary
if: steps.skip.outputs.skip_build != 'true'
run: |
echo "## 🎉 Docker Image Built Successfully!" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "### 📦 Image Details" >> $GITHUB_STEP_SUMMARY
echo "- **GHCR**: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_STEP_SUMMARY
echo "- **Docker Hub**: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}" >> $GITHUB_STEP_SUMMARY
echo "- **Tags**: " >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
echo "${{ steps.meta.outputs.tags }}" >> $GITHUB_STEP_SUMMARY
echo '```' >> $GITHUB_STEP_SUMMARY
{
echo "## 🎉 Docker Image Built Successfully!"
echo ""
echo "### 📦 Image Details"
echo "- **GHCR**: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}"
echo "- **Docker Hub**: ${{ env.DOCKERHUB_REGISTRY }}/${{ env.IMAGE_NAME }}"
echo "- **Tags**: "
echo '```'
echo "${{ steps.meta.outputs.tags }}"
echo '```'
} >> "$GITHUB_STEP_SUMMARY"
scan-pr-image:
name: Security Scan PR Image
@@ -621,15 +627,15 @@ jobs:
- name: Normalize image name
run: |
IMAGE_NAME=$(echo "${{ env.IMAGE_NAME }}" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
- name: Determine PR image tag
id: pr-image
run: |
SHORT_SHA=$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)
SHORT_SHA="$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)"
PR_TAG="pr-${{ env.TRIGGER_PR_NUMBER }}-${SHORT_SHA}"
echo "tag=${PR_TAG}" >> $GITHUB_OUTPUT
echo "image_ref=${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${PR_TAG}" >> $GITHUB_OUTPUT
echo "tag=${PR_TAG}" >> "$GITHUB_OUTPUT"
echo "image_ref=${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${PR_TAG}" >> "$GITHUB_OUTPUT"
- name: Log in to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
@@ -692,12 +698,14 @@ jobs:
- name: Create scan summary
if: always()
run: |
echo "## 🔒 PR Image Security Scan" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Image**: ${{ steps.pr-image.outputs.image_ref }}" >> $GITHUB_STEP_SUMMARY
echo "- **PR**: #${{ env.TRIGGER_PR_NUMBER }}" >> $GITHUB_STEP_SUMMARY
echo "- **Commit**: ${{ env.TRIGGER_HEAD_SHA }}" >> $GITHUB_STEP_SUMMARY
echo "- **Scan Status**: ${{ steps.trivy-scan.outcome == 'success' && '✅ No critical vulnerabilities' || '❌ Vulnerabilities detected' }}" >> $GITHUB_STEP_SUMMARY
{
echo "## 🔒 PR Image Security Scan"
echo ""
echo "- **Image**: ${{ steps.pr-image.outputs.image_ref }}"
echo "- **PR**: #${{ env.TRIGGER_PR_NUMBER }}"
echo "- **Commit**: ${{ env.TRIGGER_HEAD_SHA }}"
echo "- **Scan Status**: ${{ steps.trivy-scan.outcome == 'success' && '✅ No critical vulnerabilities' || '❌ Vulnerabilities detected' }}"
} >> "$GITHUB_STEP_SUMMARY"
test-image:
name: Test Docker Image
@@ -715,19 +723,25 @@ jobs:
run: |
raw="${{ github.repository_owner }}/${{ github.event.repository.name }}"
IMAGE_NAME=$(echo "$raw" | tr '[:upper:]' '[:lower:]')
echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV
echo "IMAGE_NAME=${IMAGE_NAME}" >> "$GITHUB_ENV"
- name: Determine image tag
id: tag
run: |
if [[ "${{ env.TRIGGER_REF }}" == "refs/heads/main" ]]; then
echo "tag=latest" >> $GITHUB_OUTPUT
elif [[ "${{ env.TRIGGER_REF }}" == "refs/heads/development" ]]; then
echo "tag=dev" >> $GITHUB_OUTPUT
elif [[ "${{ env.TRIGGER_REF }}" == refs/tags/v* ]]; then
echo "tag=${TRIGGER_REF#refs/tags/v}" >> $GITHUB_OUTPUT
else
echo "tag=sha-$(echo ${{ env.TRIGGER_HEAD_SHA }} | cut -c1-7)" >> $GITHUB_OUTPUT
fi
TRIGGER_REF="${{ env.TRIGGER_REF }}"
case "$TRIGGER_REF" in
refs/heads/main)
echo "tag=latest" >> "$GITHUB_OUTPUT"
;;
refs/heads/development)
echo "tag=dev" >> "$GITHUB_OUTPUT"
;;
refs/tags/v*)
echo "tag=${TRIGGER_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
;;
*)
echo "tag=sha-$(echo "${{ env.TRIGGER_HEAD_SHA }}" | cut -c1-7)" >> "$GITHUB_OUTPUT"
;;
esac
- name: Log in to GitHub Container Registry
uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0
@@ -737,7 +751,7 @@ jobs:
password: ${{ secrets.GITHUB_TOKEN }}
- name: Pull Docker image
run: docker pull ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
run: docker pull "${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
- name: Create Docker Network
run: docker network create charon-test-net
@@ -756,7 +770,7 @@ jobs:
--network charon-test-net \
-p 8080:8080 \
-p 80:80 \
${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}
"${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
# Wait for container to be healthy (max 3 minutes)
echo "Waiting for container to start..."
@@ -784,7 +798,9 @@ jobs:
- name: Create test summary
if: always()
run: |
echo "## 🧪 Docker Image Test Results" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
echo "- **Image**: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}" >> $GITHUB_STEP_SUMMARY
echo "- **Integration Test**: ${{ job.status == 'success' && '✅ Passed' || '❌ Failed' }}" >> $GITHUB_STEP_SUMMARY
{
echo "## 🧪 Docker Image Test Results"
echo ""
echo "- **Image**: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.tag.outputs.tag }}"
echo "- **Integration Test**: ${{ job.status == 'success' && '✅ Passed' || '❌ Failed' }}"
} >> "$GITHUB_STEP_SUMMARY"
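Review bot: The sed-to-parameter-expansion rewrite in sanitize_tag (hunk `@@ -150,15 +150,19 @@`) changes behavior: in a glob pattern `*` matches any string, so `sanitized=${sanitized##[^a-z0-9]*}` strips the whole value whenever it starts with a non-alphanumeric character (e.g. a branch named `-foo` becomes `` and then falls back to `branch`), whereas the old `sed 's/^[^a-z0-9]*//'` removed only the leading run. Because the preceding lines have already mapped every other character to `-` and collapsed `--`, the leading run can only be a single `-`, so `sanitized=${sanitized#-}` is the exact equivalent; the same applies to the second occurrence after the `cut -c1-"$max_len"` truncation. Since these values become image tags, silently collapsing distinct branch names to `branch` is worth fixing rather than relying on the fallback. Separately, the added double quotes do not protect the `run:` steps that still inline `${{ ... }}` expressions (e.g. `raw="${{ github.repository_owner }}/..."`, `TRIGGER_REF="${{ env.TRIGGER_REF }}"`): GitHub substitutes these before the shell parses the script, so a value containing `"` or `$(` escapes the quoting; values already exported under `env:` can be read as `"$TRIGGER_REF"` directly, and the rest should be passed through a step-level `env:` mapping. The sanitize_tag function begins in the previous hunk and its body continues past the end of this one.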