# SPDX-FileCopyrightText: 2026 OpenSerbia
# SPDX-License-Identifier: MIT
# https://taskfile.dev
---
version: "3"

vars:
  IMAGE: ghcr.io/openserbia/github-runner
  # Image reference consumed by the scan, sbom and smoke tasks. The default is
  # the locally built :latest tag; CI overrides it per architecture leg, e.g.
  # `task scan sbom smoke REF=$IMAGE:latest-arm64`.
  REF: "{{.IMAGE}}:latest"

tasks:
  build:
    desc: 'Build the image (:latest)'
    cmds:
      # NOTE(review): no --pull here, so a cached base layer can make a local
      # `task ci` scan disagree with CI — harmless if the Dockerfile pins the
      # base by digest; confirm.
      - docker build -t {{.IMAGE}}:latest .

  scan:
    desc: 'Trivy — fail on FIXABLE CRITICAL, report HIGH+CRITICAL'
    cmds:
      # Gate (--exit-code 1). --ignore-unfixed keeps it meaningful: the Ubuntu
      # base carries kernel-header CVEs in linux-libc-dev with no available fix
      # that do not apply to a container (it runs on the host kernel); gating
      # on those would make the build permanently red. So only CRITICALs that
      # HAVE a fix fail the build — the actionable ones (e.g. the git-lfs
      # Go-stdlib CVE the Dockerfile recompiles away). Entries in .trivyignore
      # silence findings for this gate as well, so each one should stay
      # justified and be revisited.
      - trivy image --exit-code 1 --severity CRITICAL --ignore-unfixed --ignorefile .trivyignore {{.REF}}
      # Visibility only (no --exit-code): fixable HIGH+CRITICAL.
      - trivy image --severity HIGH,CRITICAL --ignore-unfixed --ignorefile .trivyignore {{.REF}}

  sbom:
    desc: 'Generate CycloneDX SBOM'
    cmds:
      # Writes sbom.cdx.json into the working directory.
      - syft {{.REF}} -o cyclonedx-json=sbom.cdx.json

  smoke:
    desc: 'Smoke-test the built image (runner binary + toolchain present & sane)'
    cmds:
      - ./test/smoke.sh {{.REF}}

  test:go:
    desc: 'Run the Go entrypoint unit tests'
    cmds:
      - go test ./...

  lint:go:
    desc: 'Run golangci-lint (the strict shared openserbia config)'
    cmds:
      - golangci-lint run

  fmt:go:
    desc: 'Apply gci + gofumpt formatting'
    cmds:
      - golangci-lint fmt

  tidy:
    desc: 'Tidy Go modules'
    cmds:
      - go mod tidy

  ci:
    desc: 'build -> scan -> sbom -> smoke (no push)'
    cmds:
      # Runs the listed tasks in this order; nothing here pushes the image.
      - task: build
      - task: scan
      - task: sbom
      - task: smoke

  default:
    cmds:
      - task -l