CI/CD Improvements

zuedev · zuedev · commit 80b3835efd5e · 2026-01-15T09:39:17.000Z
- Automated security scanning (Trivy, Snyk)
- Automated testing of container startup
- Multi-stage builds to reduce image size
- Cache layer optimization
diff --git a/.forgejo/workflows/docker-publish.yml b/.forgejo/workflows/docker-publish.yml
@@ -0,0 +1,156 @@
+name: Build and Publish Docker Image
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "v*"
+  pull_request:
+    branches:
+      - main
+
+env:
+  REGISTRY: codeberg.org
+  IMAGE_NAME: ${{ github.repository }}
+
+jobs:
+  # ===========================================================================
+  # Security Scanning Job
+  # ===========================================================================
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        run: trivy fs --severity CRITICAL,HIGH,MEDIUM --exit-code 0 .
+
+  # ===========================================================================
+  # Build and Test Job
+  # ===========================================================================
+  build-and-test:
+    name: Build and Test
+    runs-on: ubuntu-latest
+    needs: security-scan
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      # Build image for testing
+      - name: Build Docker image for testing
+        run: |
+          docker build -t hytale-server:test .
+
+      # Container startup test
+      - name: Test container startup
+        run: |
+          echo "Starting container startup test..."
+
+          # Run container with dummy tokens (will fail auth but tests container mechanics)
+          docker run -d --name test-container \
+            -e HYTALE_SERVER_SESSION_TOKEN=test-session \
+            -e HYTALE_SERVER_IDENTITY_TOKEN=test-identity \
+            -e HYTALE_SERVER_OWNER_UUID=test-uuid \
+            hytale-server:test
+
+          # Wait for container to initialize
+          sleep 10
+
+          # Check if container is running
+          if docker ps | grep -q test-container; then
+            echo "✓ Container started successfully"
+          else
+            echo "✗ Container failed to start"
+            docker logs test-container
+            exit 1
+          fi
+
+          # Verify Java is available in container
+          docker exec test-container java -version
+          echo "✓ Java runtime verified"
+
+          # Verify entrypoint script exists and is executable
+          docker exec test-container test -x /app/entrypoint.sh
+          echo "✓ Entrypoint script is executable"
+
+          # Verify downloader binary exists
+          docker exec test-container test -x /app/hytale-downloader-linux-amd64
+          echo "✓ Hytale downloader binary present"
+
+          # Cleanup
+          docker stop test-container
+          docker rm test-container
+          echo "✓ All startup tests passed"
+
+      # Install Trivy for image scanning
+      - name: Install Trivy
+        run: |
+          sudo apt-get install wget apt-transport-https gnupg lsb-release -y
+          wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
+          echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
+          sudo apt-get update
+          sudo apt-get install trivy -y
+
+      # Scan built image for vulnerabilities
+      - name: Run Trivy vulnerability scanner (image)
+        run: trivy image --severity CRITICAL,HIGH,MEDIUM --exit-code 0 hytale-server:test
+
+  # ===========================================================================
+  # Push Job (only on main branch or tags)
+  # ===========================================================================
+  push:
+    name: Push Image
+    runs-on: ubuntu-latest
+    needs: build-and-test
+    if: github.event_name != 'pull_request'
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v3
+
+      - name: Log in to Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ secrets.REGISTRY_USERNAME }}
+          password: ${{ secrets.REGISTRY_TOKEN }}
+
+      - name: Extract metadata (tags, labels)
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
+          tags: |
+            type=ref,event=branch
+            type=semver,pattern={{version}}
+            type=semver,pattern={{major}}.{{minor}}
+            type=semver,pattern={{major}}
+            type=sha
+
+      - name: Build and push Docker image
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: linux/amd64
diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
@@ -15,11 +15,46 @@ env:
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
-  build-and-push:
+  # ===========================================================================
+  # Security Scanning Job
+  # ===========================================================================
+  security-scan:
+    name: Security Scan
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner (filesystem)
+        uses: aquasecurity/trivy-action@master
+        with:
+          scan-type: "fs"
+          scan-ref: "."
+          format: "sarif"
+          output: "trivy-fs-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Upload Trivy filesystem scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-fs-results.sarif"
+          category: "trivy-filesystem"
+
+  # ===========================================================================
+  # Build and Test Job
+  # ===========================================================================
+  build-and-test:
+    name: Build and Test
     runs-on: ubuntu-latest
     permissions:
       contents: read
       packages: write
+      security-events: write
 
     steps:
       - name: Checkout repository
@@ -28,14 +63,6 @@ jobs:
       - name: Set up Docker Buildx
         uses: docker/setup-buildx-action@v3
 
-      - name: Log in to Container Registry
-        if: github.event_name != 'pull_request'
-        uses: docker/login-action@v3
-        with:
-          registry: ${{ env.REGISTRY }}
-          username: ${{ github.actor }}
-          password: ${{ secrets.GITHUB_TOKEN }}
-
       - name: Extract metadata (tags, labels)
         id: meta
         uses: docker/metadata-action@v5
@@ -48,12 +75,122 @@ jobs:
             type=semver,pattern={{major}}
             type=sha
 
+      # Build image for testing (not pushed yet)
+      - name: Build Docker image for testing
+        uses: docker/build-push-action@v6
+        with:
+          context: .
+          load: true
+          tags: ${{ env.IMAGE_NAME }}:test
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+
+      # Container startup test
+      - name: Test container startup
+        run: |
+          echo "Starting container startup test..."
+
+          # Run container with dummy tokens (will fail auth but tests container mechanics)
+          docker run -d --name test-container \
+            -e HYTALE_SERVER_SESSION_TOKEN=test-session \
+            -e HYTALE_SERVER_IDENTITY_TOKEN=test-identity \
+            -e HYTALE_SERVER_OWNER_UUID=test-uuid \
+            ${{ env.IMAGE_NAME }}:test
+
+          # Wait for container to initialize
+          sleep 10
+
+          # Check if container is running
+          if docker ps | grep -q test-container; then
+            echo "✓ Container started successfully"
+          else
+            echo "✗ Container failed to start"
+            docker logs test-container
+            exit 1
+          fi
+
+          # Verify Java is available in container
+          docker exec test-container java -version
+          echo "✓ Java runtime verified"
+
+          # Verify entrypoint script exists and is executable
+          docker exec test-container test -x /app/entrypoint.sh
+          echo "✓ Entrypoint script is executable"
+
+          # Verify downloader binary exists
+          docker exec test-container test -x /app/hytale-downloader-linux-amd64
+          echo "✓ Hytale downloader binary present"
+
+          # Cleanup
+          docker stop test-container
+          docker rm test-container
+          echo "✓ All startup tests passed"
+
+      # Scan built image for vulnerabilities
+      - name: Run Trivy vulnerability scanner (image)
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:test
+          format: "sarif"
+          output: "trivy-image-results.sarif"
+          severity: "CRITICAL,HIGH,MEDIUM"
+
+      - name: Upload Trivy image scan results
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: "trivy-image-results.sarif"
+          category: "trivy-image"
+
+      # Log in and push only on main branch or tags
+      - name: Log in to Container Registry
+        if: github.event_name != 'pull_request'
+        uses: docker/login-action@v3
+        with:
+          registry: ${{ env.REGISTRY }}
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
       - name: Build and push Docker image
+        if: github.event_name != 'pull_request'
         uses: docker/build-push-action@v6
         with:
           context: .
-          push: ${{ github.event_name != 'pull_request' }}
+          push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
           cache-from: type=gha
           cache-to: type=gha,mode=max
+          platforms: linux/amd64
+
+  # ===========================================================================
+  # Snyk Security Scan (Optional - requires SNYK_TOKEN secret)
+  # ===========================================================================
+  snyk-scan:
+    name: Snyk Security Scan
+    runs-on: ubuntu-latest
+    if: github.event_name != 'pull_request'
+    permissions:
+      contents: read
+      security-events: write
+    continue-on-error: true
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Run Snyk to check Docker image for vulnerabilities
+        uses: snyk/actions/docker@master
+        continue-on-error: true
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
+        with:
+          image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
+          args: --file=Dockerfile --severity-threshold=high
+
+      - name: Upload Snyk results to GitHub Security
+        uses: github/codeql-action/upload-sarif@v3
+        if: always()
+        with:
+          sarif_file: snyk.sarif
+          category: "snyk"
diff --git a/Dockerfile b/Dockerfile
