1515 IMAGE_NAME : ${{ github.repository }}
1616
1717jobs :
18- # ===========================================================================
19- # Security Scanning Job
20- # ===========================================================================
21- security-scan :
22- name : Security Scan
23- runs-on : ubuntu-latest
24- permissions :
25- contents : read
26- security-events : write
27-
28- steps :
29- - name : Checkout repository
30- uses : actions/checkout@v4
31-
32- - name : Run Trivy vulnerability scanner (filesystem)
33- uses : aquasecurity/trivy-action@master
34- with :
35- scan-type : " fs"
36- scan-ref : " ."
37- format : " sarif"
38- output : " trivy-fs-results.sarif"
39- severity : " CRITICAL,HIGH,MEDIUM"
40-
41- - name : Upload Trivy filesystem scan results
42- uses : github/codeql-action/upload-sarif@v3
43- if : always()
44- with :
45- sarif_file : " trivy-fs-results.sarif"
46- category : " trivy-filesystem"
47-
48- # ===========================================================================
49- # Build and Test Job
50- # ===========================================================================
51- build-and-test :
52- name : Build and Test
18+ build-and-push :
5319 runs-on : ubuntu-latest
5420 permissions :
5521 contents : read
5622 packages : write
57- security-events : write
5823
5924 steps :
6025 - name : Checkout repository
6328 - name : Set up Docker Buildx
6429 uses : docker/setup-buildx-action@v3
6530
31+ - name : Log in to Container Registry
32+ if : github.event_name != 'pull_request'
33+ uses : docker/login-action@v3
34+ with :
35+ registry : ${{ env.REGISTRY }}
36+ username : ${{ github.actor }}
37+ password : ${{ secrets.GITHUB_TOKEN }}
38+
6639 - name : Extract metadata (tags, labels)
6740 id : meta
6841 uses : docker/metadata-action@v5
@@ -75,122 +48,12 @@ jobs:
7548 type=semver,pattern={{major}}
7649 type=sha
7750
78- # Build image for testing (not pushed yet)
79- - name : Build Docker image for testing
80- uses : docker/build-push-action@v6
81- with :
82- context : .
83- load : true
84- tags : ${{ env.IMAGE_NAME }}:test
85- cache-from : type=gha
86- cache-to : type=gha,mode=max
87-
88- # Container startup test
89- - name : Test container startup
90- run : |
91- echo "Starting container startup test..."
92-
93- # Run container with dummy tokens (will fail auth but tests container mechanics)
94- docker run -d --name test-container \
95- -e HYTALE_SERVER_SESSION_TOKEN=test-session \
96- -e HYTALE_SERVER_IDENTITY_TOKEN=test-identity \
97- -e HYTALE_SERVER_OWNER_UUID=test-uuid \
98- ${{ env.IMAGE_NAME }}:test
99-
100- # Wait for container to initialize
101- sleep 10
102-
103- # Check if container is running
104- if docker ps | grep -q test-container; then
105- echo "✓ Container started successfully"
106- else
107- echo "✗ Container failed to start"
108- docker logs test-container
109- exit 1
110- fi
111-
112- # Verify Java is available in container
113- docker exec test-container java -version
114- echo "✓ Java runtime verified"
115-
116- # Verify entrypoint script exists and is executable
117- docker exec test-container test -x /app/entrypoint.sh
118- echo "✓ Entrypoint script is executable"
119-
120- # Verify downloader binary exists
121- docker exec test-container test -x /app/hytale-downloader-linux-amd64
122- echo "✓ Hytale downloader binary present"
123-
124- # Cleanup
125- docker stop test-container
126- docker rm test-container
127- echo "✓ All startup tests passed"
128-
129- # Scan built image for vulnerabilities
130- - name : Run Trivy vulnerability scanner (image)
131- uses : aquasecurity/trivy-action@master
132- with :
133- image-ref : ${{ env.IMAGE_NAME }}:test
134- format : " sarif"
135- output : " trivy-image-results.sarif"
136- severity : " CRITICAL,HIGH,MEDIUM"
137-
138- - name : Upload Trivy image scan results
139- uses : github/codeql-action/upload-sarif@v3
140- if : always()
141- with :
142- sarif_file : " trivy-image-results.sarif"
143- category : " trivy-image"
144-
145- # Log in and push only on main branch or tags
146- - name : Log in to Container Registry
147- if : github.event_name != 'pull_request'
148- uses : docker/login-action@v3
149- with :
150- registry : ${{ env.REGISTRY }}
151- username : ${{ github.actor }}
152- password : ${{ secrets.GITHUB_TOKEN }}
153-
15451 - name : Build and push Docker image
155- if : github.event_name != 'pull_request'
15652 uses : docker/build-push-action@v6
15753 with :
15854 context : .
159- push : true
55+ push : ${{ github.event_name != 'pull_request' }}
16056 tags : ${{ steps.meta.outputs.tags }}
16157 labels : ${{ steps.meta.outputs.labels }}
16258 cache-from : type=gha
16359 cache-to : type=gha,mode=max
164- platforms : linux/amd64
165-
166- # ===========================================================================
167- # Snyk Security Scan (Optional - requires SNYK_TOKEN secret)
168- # ===========================================================================
169- snyk-scan :
170- name : Snyk Security Scan
171- runs-on : ubuntu-latest
172- if : github.event_name != 'pull_request'
173- permissions :
174- contents : read
175- security-events : write
176- continue-on-error : true
177-
178- steps :
179- - name : Checkout repository
180- uses : actions/checkout@v4
181-
182- - name : Run Snyk to check Docker image for vulnerabilities
183- uses : snyk/actions/docker@master
184- continue-on-error : true
185- env :
186- SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
187- with :
188- image : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:main
189- args : --file=Dockerfile --severity-threshold=high
190-
191- - name : Upload Snyk results to GitHub Security
192- uses : github/codeql-action/upload-sarif@v3
193- if : always()
194- with :
195- sarif_file : snyk.sarif
196- category : " snyk"
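Review bot: The `Build and push Docker image` step at the end of this hunk now builds the image on pull requests with `push` evaluating to false, but nothing loads or exercises the result, so the PR path verifies only that the Dockerfile builds; the container startup checks and the image vulnerability scan that covered this are deleted here without a replacement. If build-only on PRs is the intent, the step should say so above `push`, e.g. `# On pull_request the image is built but not pushed; no startup or vulnerability checks run on it`. The same step also drops `platforms: linux/amd64`, leaving the target platform to the runner default, which is presumably still amd64 on ubuntu-latest but is now implicit rather than pinned. The `build-and-push` job definition begins in the previous hunk, outside this one.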