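---
# CI for the repository's dev container image (.devcontainer/Dockerfile).
# Three jobs: build the image (publishing it to GHCR on non-PR events),
# smoke-test the toolchain inside it, and run a vulnerability scan whose
# SARIF results land in the repository's Security tab.
name: DevContainer CI

on:
  push:
    branches:
      - main
      - develop
    paths:
      - '.devcontainer/**'
      - '.github/workflows/devcontainer.yml'
  pull_request:
    branches:
      - main
      - develop
    paths:
      - '.devcontainer/**'
      - '.github/workflows/devcontainer.yml'
  workflow_dispatch:

# Least-privilege default for every job in this workflow. Jobs that need
# more (package publishing, SARIF upload) widen their own `permissions`
# block explicitly below; everything else keeps a read-only token.
permissions:
  contents: read

env:
  REGISTRY: ghcr.io
  IMAGE_NAME: aimdb-dev/devcontainer

jobs:
  # Builds the dev container image; pushes it only for push/workflow_dispatch
  # events (pull requests, including ones from forks, never push).
  build-devcontainer:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write  # required only for the GHCR push on non-PR events
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      # Skipped on pull requests, matching the `push:` condition of the
      # build step below, so PR runs never touch registry credentials.
      - name: Log in to Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@v4
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Extract metadata
        id: meta
        uses: docker/metadata-action@v6
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=sha,prefix=sha-
            type=raw,value=latest,enable={{is_default_branch}}

      - name: Build devcontainer image
        uses: docker/build-push-action@v7
        with:
          context: .devcontainer
          file: .devcontainer/Dockerfile
          platforms: linux/amd64
          push: ${{ github.event_name != 'pull_request' }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          build-args: |
            USERNAME=vscode
            USER_UID=1000
            USER_GID=1000

  # Rebuilds the image locally (from the GHA cache populated above) and runs
  # a series of smoke tests against it. Never pushes anything.
  test-devcontainer:
    runs-on: ubuntu-latest
    needs: build-devcontainer
    if: github.event_name == 'pull_request' || github.event_name == 'push'
    permissions:
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          submodules: recursive

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build test image
        uses: docker/build-push-action@v7
        with:
          context: .devcontainer
          file: .devcontainer/Dockerfile
          load: true
          tags: aimdb-devcontainer:test
          cache-from: type=gha
          build-args: |
            USERNAME=vscode
            USER_UID=1000
            USER_GID=1000

      - name: Test Rust installation
        run: |
          docker run --rm aimdb-devcontainer:test bash -c "
            rustc --version &&
            cargo --version &&
            rustup --version
          "

      - name: Test embedded targets
        run: |
          docker run --rm aimdb-devcontainer:test bash -c "
            rustup target list --installed | grep -E 'thumbv(6m|7[em])-none-eab[hi]'
          "

      - name: Test development tools
        run: |
          docker run --rm aimdb-devcontainer:test bash -c "
            cargo audit --version &&
            cargo watch --version &&
            cargo expand --version &&
            (probe-rs --version || echo 'probe-rs not installed - this is OK')
          "

      - name: Test system dependencies
        run: |
          docker run --rm aimdb-devcontainer:test bash -c "
            gcc --version &&
            arm-none-eabi-gcc --version &&
            protoc --version &&
            pkg-config --version
          "

      # `sudo -n` is non-interactive: it fails immediately if the container
      # user would be prompted for a password instead of waiting on stdin.
      - name: Test user permissions
        run: |
          docker run --rm aimdb-devcontainer:test bash -c "
            whoami &&
            id &&
            sudo -n true && echo 'sudo works' &&
            touch /tmp/test-file &&
            ls -la /tmp/test-file
          "

      # Mounts the checked-out workspace and checks that cargo is usable from
      # inside the container when a Cargo.toml is present. The fallback
      # message inside the `if` branch must not claim Cargo.toml is missing.
      - name: Test AimDB workspace setup
        run: |
          docker run --rm -v ${{ github.workspace }}:/aimdb aimdb-devcontainer:test bash -c "
            cd /aimdb &&
            ls -la &&
            if [ -f Cargo.toml ]; then
              cargo check --version || echo 'cargo check failed'
            else
              echo 'No Cargo.toml found yet - this is expected for early development'
            fi
          "

  # Scans the built image with Trivy and uploads SARIF to the Security tab.
  # Skipped on pull requests.
  security-scan:
    runs-on: ubuntu-latest
    needs: build-devcontainer
    if: github.event_name != 'pull_request'
    permissions:
      contents: read
      security-events: write  # upload-sarif
      actions: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@v6
        with:
          submodules: recursive

      # NOTE(review): this removes the CodeQL toolcache; upload-sarif below
      # may then have to re-download the CodeQL bundle. Confirm that is
      # acceptable for this runner, or keep /opt/hostedtoolcache/CodeQL.
      - name: Free up disk space
        run: |
          echo "Disk space before cleanup:"
          df -h
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf /usr/local/lib/android
          sudo rm -rf /opt/ghc
          sudo rm -rf /opt/hostedtoolcache/CodeQL
          sudo docker image prune -af
          sudo apt-get clean
          echo "Disk space after cleanup:"
          df -h

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v4

      - name: Build image for scanning
        uses: docker/build-push-action@v7
        with:
          context: .devcontainer
          file: .devcontainer/Dockerfile
          load: true
          tags: aimdb-devcontainer:scan
          cache-from: type=gha

      # Pinned to a release tag instead of the mutable `master` branch so a
      # compromised or broken upstream commit cannot silently change what
      # runs here with `security-events: write`. Prefer pinning to the full
      # commit SHA of that release per the project's action-pinning policy.
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.30.0
        with:
          image-ref: aimdb-devcontainer:scan
          format: 'sarif'
          output: 'trivy-results.sarif'
          skip-dirs: '/usr/share/dotnet,/usr/local/lib/android'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'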