Skip to content

Add backend Docker build/push workflow and improve Snyk IaC workflow #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
echska merged 1 commit into from
May 9, 2026
Merged

Add backend Docker build/push workflow and improve Snyk IaC workflow #11

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
52 changes: 52 additions & 0 deletions .github/workflows/backend-docker.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,52 @@
name: Build and Push Backend Docker Image

on:
push:
branches: [ "main" ]
paths:
- "parental-control-system/backend/**"
- ".github/workflows/backend-docker.yml"
workflow_dispatch:

permissions:
contents: read
packages: write

env:
IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/parental-control-backend

jobs:
docker:
runs-on: ubuntu-latest

steps:
- name: Checkout
uses: actions/checkout@v4

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Extract metadata (tags, labels)
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.IMAGE_NAME }}
tags: |
type=sha
type=raw,value=latest
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restrict latest publishes to main

Because this workflow also allows workflow_dispatch, a manual run selected on any non-main ref will still publish the raw latest tag here. That can overwrite the production-looking GHCR tag with unmerged backend code; either gate this tag/push to refs/heads/main or avoid publishing latest for manual non-main runs.

Useful? React with 👍 / 👎.


- name: Build and push
uses: docker/build-push-action@v6
with:
context: ./parental-control-system/backend
file: ./parental-control-system/backend/Dockerfile
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
54 changes: 18 additions & 36 deletions .github/workflows/snyk-infrastructure.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,54 +1,36 @@
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.

# A sample workflow which checks out your Infrastructure as Code Configuration files,
# such as Kubernetes, Helm & Terraform and scans them for any security issues.
# The results are then uploaded to GitHub Security Code Scanning
#
# For more examples, including how to limit scans to only high-severity issues
# and fail PR checks, see https://github.com/snyk/actions/

name: Snyk Infrastructure as Code

on:
push:
branches: [ "main" ]
branches: [ main ]
pull_request:
# The branches below must be a subset of the branches above
branches: [ "main" ]
schedule:
- cron: '25 17 * * 1'
branches: [ main ]
Comment on lines 3 to +7
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Restore scheduled IaC scans

This on: block now only runs Snyk on pushes and PRs, whereas the previous workflow also had a weekly Monday schedule. That means IaC findings that appear because Snyk's rules change, or because existing configuration becomes newly vulnerable, will not be refreshed in code scanning until someone happens to change the repository; keep the scheduled trigger if continuous infrastructure scanning is still expected.

Useful? React with 👍 / 👎.


permissions:
contents: read
security-events: write
actions: read

jobs:
snyk:
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
runs-on: ubuntu-latest
container:
image: snyk/snyk:alpine
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Use a glibc-based Snyk job container

Running the whole job in the snyk/snyk:alpine container also moves the JavaScript actions in this job (actions/checkout@v4 and github/codeql-action/upload-sarif@v4) into an Alpine/musl environment. Those actions are executed with the runner's bundled Node binary, which expects glibc, so the workflow can fail before Snyk ever scans; use a glibc-based Snyk image or run only the CLI invocation in the Snyk container.

Useful? React with 👍 / 👎.


steps:
- uses: actions/checkout@v4
- name: Run Snyk to check configuration files for security issues
# Snyk can be used to break the build when it detects security issues.
# In this case we want to upload the issues to GitHub Code Scanning
continue-on-error: true
uses: snyk/actions/iac@14818c4695ecc4045f33c9cee9e795a788711ca4
- name: Checkout repository
uses: actions/checkout@v4

- name: Run Snyk IaC scan and create SARIF
env:
# In order to use the Snyk Action you will need to have a Snyk API token.
# More details in https://github.com/snyk/actions#getting-your-snyk-token
# or you can signup for free at https://snyk.io/login
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
# Add the path to the configuration file that you would like to test.
# For example `deployment.yaml` for a Kubernetes deployment manifest
# or `main.tf` for a Terraform configuration file
file: your-file-to-test.yaml
run: |
snyk auth "$SNYK_TOKEN"
Copy link
Copy Markdown

@chatgpt-codex-connector chatgpt-codex-connector Bot May 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Keep forked PR scans from failing at auth

Because this workflow still runs on pull_request, forked PRs do not receive SNYK_TOKEN, so this newly unguarded snyk auth "$SNYK_TOKEN" exits before the || true scan/upload path can run. That regresses the previous continue-on-error behavior and makes external PR checks fail rather than just omitting Snyk results; guard this step or skip it when the secret is unavailable.

Useful? React with 👍 / 👎.

snyk iac test --sarif-file-output=snyk.sarif || true
ls -la

- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v3
if: always() && hashFiles('snyk.sarif') != ''
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: snyk.sarif
Loading