testing cisagov#717, refactoring github build workflows

Author: mmguero

.github/workflows/dashboards-helper-build-and-push-ghcr.yml

@@ -26,107 +26,7 @@ on:
 
 jobs:
   docker:
-    runs-on: ${{ matrix.os }}
-    permissions:
-      actions: write
-      packages: write
-      contents: read
-      security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-24.04
-            arch: amd64
-            platform: linux/amd64
-          - os: ubuntu-24.04-arm
-            arch: arm64
-            platform: linux/arm64
-    steps:
-      -
-        name: Cancel previous run in progress
-        uses: styfle/cancel-workflow-action@0.12.1
-        with:
-          ignore_sha: true
-          all_but_latest: true
-          access_token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Generate build timestamp
-        shell: bash
-        run: echo "btimestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
-        id: generate_build_timestamp
-      -
-        name: Extract branch name
-        shell: bash
-        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
-        id: extract_branch
-      -
-        name: Generate arch tag suffix
-        shell: bash
-        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
-        id: arch_tag_suffix
-      -
-        name: Extract commit SHA
-        shell: bash
-        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-        id: extract_commit_sha
-      -
-        name: Extract Malcolm version
-        shell: bash
-        run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
-        id: extract_malcolm_version
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver-opts: |
-            image=moby/buildkit:master
-      -
-        name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfiles/dashboards-helper.Dockerfile
-          build-args: |
-            TARGETPLATFORM=${{ matrix.platform }}
-            MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
-            BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
-            VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
-          push: true
-          provenance: false
-          platforms: ${{ matrix.platform }}
-          tags: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-      -
-        name: Run Trivy vulnerability scanner
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        id: trivy-scan
-        uses: aquasecurity/trivy-action@0.29.0
-        env:
-          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
-        with:
-          scan-type: 'image'
-          scanners: 'vuln'
-          image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dashboards-helper:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'HIGH,CRITICAL'
-          vuln-type: 'os,library'
-          hide-progress: true
-          ignore-unfixed: true
-          exit-code: '0'
-      -
-        name: Upload Trivy scan results to GitHub Security tab
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
+    uses: ./.github/workflows/docker-build-push-scan.yml
+    with:
+      service: dashboards-helper
+      dockerfile: ./Dockerfiles/dashboards-helper.Dockerfile

.github/workflows/dirinit-build-and-push-ghcr.yml

@@ -14,107 +14,7 @@ on:
 
 jobs:
   docker:
-    runs-on: ${{ matrix.os }}
-    permissions:
-      actions: write
-      packages: write
-      contents: read
-      security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-24.04
-            arch: amd64
-            platform: linux/amd64
-          - os: ubuntu-24.04-arm
-            arch: arm64
-            platform: linux/arm64
-    steps:
-      -
-        name: Cancel previous run in progress
-        uses: styfle/cancel-workflow-action@0.12.1
-        with:
-          ignore_sha: true
-          all_but_latest: true
-          access_token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Generate build timestamp
-        shell: bash
-        run: echo "btimestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
-        id: generate_build_timestamp
-      -
-        name: Extract branch name
-        shell: bash
-        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
-        id: extract_branch
-      -
-        name: Generate arch tag suffix
-        shell: bash
-        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
-        id: arch_tag_suffix
-      -
-        name: Extract commit SHA
-        shell: bash
-        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-        id: extract_commit_sha
-      -
-        name: Extract Malcolm version
-        shell: bash
-        run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
-        id: extract_malcolm_version
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver-opts: |
-            image=moby/buildkit:master
-      -
-        name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfiles/dirinit.Dockerfile
-          build-args: |
-            TARGETPLATFORM=${{ matrix.platform }}
-            MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
-            BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
-            VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
-          push: true
-          provenance: false
-          platforms: ${{ matrix.platform }}
-          tags: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-      -
-        name: Run Trivy vulnerability scanner
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        id: trivy-scan
-        uses: aquasecurity/trivy-action@0.29.0
-        env:
-          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
-        with:
-          scan-type: 'image'
-          scanners: 'vuln'
-          image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/dirinit:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'HIGH,CRITICAL'
-          vuln-type: 'os,library'
-          hide-progress: true
-          ignore-unfixed: true
-          exit-code: '0'
-      -
-        name: Upload Trivy scan results to GitHub Security tab
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
+    uses: ./.github/workflows/docker-build-push-scan.yml
+    with:
+      service: dirinit
+      dockerfile: ./Dockerfiles/dirinit.Dockerfile

.github/workflows/docker-build-push-scan.yml

@@ -17,6 +17,8 @@ on:
         required: false
       maxmind_alternate_url:
         required: false
+      zeek_deb_alternate_download_url:
+        required: false
 
 jobs:
   docker:
@@ -97,8 +99,10 @@ jobs:
             MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
             BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
             VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
+            GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
             ${{ secrets.maxmind_license_key && format('MAXMIND_GEOIP_DB_LICENSE_KEY={0}', secrets.maxmind_license_key) || '' }}
             ${{ secrets.maxmind_alternate_url && format('MAXMIND_GEOIP_DB_ALTERNATE_DOWNLOAD_URL={0}', secrets.maxmind_alternate_url) || '' }}
+            ${{ secrets.zeek_deb_alternate_download_url && format('ZEEK_DEB_ALTERNATE_DOWNLOAD_URL={0}', secrets.zeek_deb_alternate_download_url) || '' }}
             ${{ inputs.extra_build_args || '' }}
           push: true
           provenance: false

.github/workflows/file-monitor-build-and-push-ghcr.yml

@@ -22,107 +22,7 @@ on:
 
 jobs:
   docker:
-    runs-on: ${{ matrix.os }}
-    permissions:
-      actions: write
-      packages: write
-      contents: read
-      security-events: write
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-24.04
-            arch: amd64
-            platform: linux/amd64
-          - os: ubuntu-24.04-arm
-            arch: arm64
-            platform: linux/arm64
-    steps:
-      -
-        name: Cancel previous run in progress
-        uses: styfle/cancel-workflow-action@0.12.1
-        with:
-          ignore_sha: true
-          all_but_latest: true
-          access_token: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Checkout
-        uses: actions/checkout@v4
-      -
-        name: Generate build timestamp
-        shell: bash
-        run: echo "btimestamp=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_OUTPUT
-        id: generate_build_timestamp
-      -
-        name: Extract branch name
-        shell: bash
-        run: echo "branch=$(echo ${GITHUB_REF#refs/heads/})" >> $GITHUB_OUTPUT
-        id: extract_branch
-      -
-        name: Generate arch tag suffix
-        shell: bash
-        run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' || ( echo -n '-' ; echo "${{ matrix.platform }}" | cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
-        id: arch_tag_suffix
-      -
-        name: Extract commit SHA
-        shell: bash
-        run: echo "sha=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
-        id: extract_commit_sha
-      -
-        name: Extract Malcolm version
-        shell: bash
-        run: echo "mversion=$(grep -P "^\s+image:.*/malcolm/" docker-compose-dev.yml | awk '{print $2}' | cut -d':' -f2 | uniq -c | sort -nr | awk '{print $2}' | head -n 1)" >> $GITHUB_OUTPUT
-        id: extract_malcolm_version
-      -
-        name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v3
-        with:
-          driver-opts: |
-            image=moby/buildkit:master
-      -
-        name: Log in to registry
-        uses: docker/login-action@v3
-        with:
-          registry: ghcr.io
-          username: ${{ github.repository_owner }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-      -
-        name: Build and push
-        uses: docker/build-push-action@v6
-        with:
-          context: .
-          file: ./Dockerfiles/file-monitor.Dockerfile
-          build-args: |
-            TARGETPLATFORM=${{ matrix.platform }}
-            MALCOLM_VERSION=${{ steps.extract_malcolm_version.outputs.mversion }}
-            BUILD_DATE=${{ steps.generate_build_timestamp.outputs.btimestamp }}
-            VCS_REVISION=${{ steps.extract_commit_sha.outputs.sha }}
-          push: true
-          provenance: false
-          platforms: ${{ matrix.platform }}
-          tags: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-      -
-        name: Run Trivy vulnerability scanner
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        id: trivy-scan
-        uses: aquasecurity/trivy-action@0.29.0
-        env:
-          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
-        with:
-          scan-type: 'image'
-          scanners: 'vuln'
-          image-ref: ghcr.io/${{ github.repository_owner }}/malcolm/file-monitor:${{ steps.extract_branch.outputs.branch }}${{ steps.arch_tag_suffix.outputs.archtag }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'HIGH,CRITICAL'
-          vuln-type: 'os,library'
-          hide-progress: true
-          ignore-unfixed: true
-          exit-code: '0'
-      -
-        name: Upload Trivy scan results to GitHub Security tab
-        if: ${{ matrix.platform == 'linux/amd64' }}
-        uses: github/codeql-action/upload-sarif@v3
-        with:
-          sarif_file: 'trivy-results.sarif'
+    uses: ./.github/workflows/docker-build-push-scan.yml
+    with:
+      service: file-monitor
+      dockerfile: ./Dockerfiles/file-monitor.Dockerfile