From 57b5b3bd6fa83e6845bba1ba37a9ab6e05f5c03a Mon Sep 17 00:00:00 2001 From: spatialgeobyte <158478685+spatialgeobyte@users.noreply.github.com> Date: Thu, 23 May 2024 21:17:49 +0200 Subject: [PATCH] Add scanning option --- .github/dependabot.yml | 2 +- .github/workflows/build-latest.yaml | 143 ++++++++++++++++++---------- .github/workflows/deploy-image.yaml | 9 +- 3 files changed, 96 insertions(+), 58 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index adee0ed..120c689 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -3,4 +3,4 @@ updates: - package-ecosystem: "github-actions" directory: "/" schedule: - interval: "monthly" \ No newline at end of file + interval: "weekly" \ No newline at end of file diff --git a/.github/workflows/build-latest.yaml b/.github/workflows/build-latest.yaml index f1a7227..850d941 100644 --- a/.github/workflows/build-latest.yaml +++ b/.github/workflows/build-latest.yaml @@ -4,12 +4,24 @@ on: pull_request: branches: - develop + paths: + - 'Dockerfile' + - 'scripts/**' + - 'base_build/**' + - '.github/workflows/**' push: branches: - develop + paths: + - 'Dockerfile' + - 'scripts/**' + - 'build_data/**' + - '.github/workflows/**' jobs: - run-scenario-tests: + build-docker-image: runs-on: ubuntu-latest + timeout-minutes: 20 + if: github.actor != 'dependabot[bot]' strategy: matrix: postgresMajorVersion: @@ -22,14 +34,6 @@ jobs: - imageDistro: debian imageDistroVersion: bookworm imageDistroVariant: slim - scenario: - - datadir_init - - streaming_replication - - collations - - extensions - - logical_replication - - init_scripts - - multiple_databases steps: - uses: actions/checkout@v4 - name: Set up QEMU 
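Review bot: The `paths` filters added under `pull_request` and `push` disagree — the PR trigger watches `base_build/**` while the push trigger watches `build_data/**` — so a change to one of those directories is built on push but not on the PR (or the reverse); unless the asymmetry is deliberate, both lists should name the same directory, and a one-line comment above `paths:` stating why they differ would make the intent reviewable. The `if: github.actor != 'dependabot[bot]'` guard on `build-docker-image` also means a Dependabot PR that bumps an action under `.github/workflows/**` is never built or tested before merge, which is the very class of change this filter now watches; consider letting the build and scenario-test jobs run for Dependabot and guarding only the jobs that use repository secrets. The matrix this job keeps is cut off at the end of this hunk, so I could not verify how many combinations it produces.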
@@ -55,12 +59,42 @@ jobs: POSTGIS_MAJOR_VERSION=${{ matrix.postgisMajorVersion }} POSTGIS_MINOR_VERSION=${{ matrix.postgisMinorRelease }} cache-from: | - type=gha,scope=test - type=gha,scope=prod - type=gha,scope=base + type=gha,scope=test + type=gha,scope=prod + type=gha,scope=base cache-to: type=gha,scope=test target: postgis-test + - name: Upload artifact + uses: actions/upload-artifact@v4 + with: + name: kartoza-postgis + path: /tmp/postgis.tar + run-scenario-tests: + runs-on: ubuntu-latest + needs: [build-docker-image] + timeout-minutes: 20 + if: github.actor != 'dependabot[bot]' + strategy: + matrix: + scenario: + - datadir_init + - streaming_replication + - collations + - extensions + - logical_replication + - init_scripts + - multiple_databases + steps: + - uses: actions/checkout@v4 + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: kartoza-postgis + path: /tmp + - name: Load image + run: | + docker load --input /tmp/postgis.tar - name: Run scenario test ${{ matrix.scenario }} working-directory: scenario_tests/${{ matrix.scenario }} env: 
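Review bot: The `Upload artifact` step publishes under the fixed name `kartoza-postgis` from inside a matrix job; `actions/upload-artifact@v4` refuses a second upload with an existing name in the same run, so as soon as the `build-docker-image` matrix yields more than one combination the additional legs fail, and the `Download artifact` steps in `run-scenario-tests` (and the later jobs) have no way to select a variant. Encoding the matrix values in the name, e.g. `name: kartoza-postgis-${{ matrix.postgresMajorVersion }}-${{ matrix.postgisMajorVersion }}.${{ matrix.postgisMinorRelease }}`, and matching that in the consumers (or using `pattern:` on `download-artifact@v4`) removes the collision. The build step that must export `/tmp/postgis.tar` and tag the image as `kartoza/postgis:manual-build` lies before this hunk, so I could not confirm its exporter settings agree with the upload `path`.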
@@ -68,29 +102,48 @@ jobs: PRINT_TEST_LOGS: 1 run: | bash ./test.sh - - push-internal-pr-images: - if: github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url + scan_image: runs-on: ubuntu-latest - needs: [ run-scenario-tests ] - strategy: - matrix: - postgresMajorVersion: - - 16 - postgisMajorVersion: - - 3 - postgisMinorRelease: - - 4 - imageVersion: - - imageDistro: debian - imageDistroVersion: bookworm - imageDistroVariant: slim + timeout-minutes: 20 + if: github.actor != 'dependabot[bot]' + needs: [build-docker-image, run-scenario-tests] steps: - uses: actions/checkout@v4 - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: kartoza-postgis + path: /tmp + - name: Load image + run: | + docker load --input /tmp/postgis.tar + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + format: 'sarif' + ignore-unfixed: true + image-ref: kartoza/postgis:manual-build + output: 'trivy-results.sarif' + severity: 'CRITICAL,HIGH' + vuln-type: 'os,library' + + push-internal-pr-images: + if: github.event.pull_request.base.repo.url == github.event.pull_request.head.repo.url && github.actor != 'dependabot[bot]' + runs-on: ubuntu-latest + needs: [ build-docker-image, run-scenario-tests ] + steps: + - uses: actions/checkout@v4 + - name: Download artifact + uses: actions/download-artifact@v4 + with: + name: kartoza-postgis + path: /tmp + - name: Load image + run: | + docker load --input /tmp/postgis.tar + - name: Tag postgis image + run: | + docker tag kartoza/postgis:manual-build ${{ steps.docker_meta.outputs.tags }} - name: Login to DockerHub uses: docker/login-action@v3 with: 
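Review bot: The `Run Trivy vulnerability scanner` step writes `trivy-results.sarif` but nothing in `scan_image` consumes it, and without an `exit-code` input the action exits 0 regardless of findings, so the job passes whether or not CRITICAL/HIGH issues exist and the report is discarded when the runner is torn down; add `exit-code: '1'` to make the scan gate, and/or upload the file with `github/codeql-action/upload-sarif` (which needs `security-events: write`) so results reach the Security tab. `uses: aquasecurity/trivy-action@master` is a mutable branch reference in a workflow that later logs in with `DOCKERHUB_*` secrets; pin it to a release tag at minimum, as the other actions here are, or to a full commit SHA. In `push-internal-pr-images`, the `Tag postgis image` step expands `steps.docker_meta.outputs.tags` before the `docker_meta` step appears to run (its `tags:` block is shown after `Login to DockerHub` in the next hunk), so the expression is empty and `docker tag` gets a single argument; move the tagging step below the metadata step. The Login step's `with:` block continues past the end of this hunk.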
@@ -106,27 +159,13 @@ jobs: type=ref,event=branch type=ref,event=pr - - name: Build image for testing - id: docker_build_testing_image + - name: Push image for testing + id: docker_push_testing_image uses: docker/build-push-action@v5 with: context: . - file: Dockerfile + tags: ${{ steps.docker_meta.outputs.tags }}-${{ matrix.postgresMajorVersion }}-${{ matrix.postgisMajorVersion }}.${{ matrix.postgisMinorRelease }} + cache-from: type=gha,scope=test push: true - tags: | - ${{ steps.docker_meta.outputs.tags }}-${{ matrix.postgresMajorVersion }}-${{ matrix.postgisMajorVersion }}.${{ matrix.postgisMinorRelease }} - build-args: | - DISTRO=${{ matrix.imageVersion.imageDistro }} - IMAGE_VERSION=${{ matrix.imageVersion.imageDistroVersion }} - IMAGE_VARIANT=${{ matrix.imageVersion.imageDistroVariant }} - LANGS=en_US.UTF-8,id_ID.UTF-8 - GENERATE_ALL_LOCALE=0 - POSTGRES_MAJOR_VERSION=${{ matrix.postgresMajorVersion }} - POSTGIS_MAJOR_VERSION=${{ matrix.postgisMajorVersion }} - POSTGIS_MINOR_VERSION=${{ matrix.postgisMinorRelease }} - cache-from: | - type=gha,scope=test - type=gha,scope=prod - type=gha,scope=base - cache-to: type=gha,scope=test - target: postgis-test + load: true + diff --git a/.github/workflows/deploy-image.yaml b/.github/workflows/deploy-image.yaml index 14c03ce..19e851e 100644 --- a/.github/workflows/deploy-image.yaml +++ b/.github/workflows/deploy-image.yaml @@ -11,6 +11,8 @@ on: jobs: deploy-image: runs-on: ubuntu-latest + timeout-minutes: 20 + if: github.actor != 'dependabot[bot]' env: latest-ref: refs/heads/develop strategy: @@ -37,14 +39,11 @@ jobs: with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_PASSWORD }} - + - name: Get Current Date id: current_date shell: python - run: | - import datetime - now = datetime.datetime.utcnow() - print(f'::set-output name=formatted::{now:%Y.%m.%d}') + run: echo "formatted=$(date -u +%Y.%m.%d)" >> $GITHUB_OUTPUT - name: Build base image id: docker_build_base
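Review bot: The `tags:` value in `Push image for testing` still interpolates `matrix.postgresMajorVersion`, `matrix.postgisMajorVersion` and `matrix.postgisMinorRelease`, but the previous hunk removed `strategy.matrix` from `push-internal-pr-images`, so those expressions should resolve to empty strings and the pushed tag ends in `--.`; either restore the matrix in this job or pass the versions in from `build-docker-image` via job outputs. With `context: .` and no `file:` or `build-args:`, `docker/build-push-action` rebuilds from the Dockerfile with default arguments rather than pushing the image that `Load image` and `Tag postgis image` just restored, so what is published is not the image that passed `run-scenario-tests`; if the intent is to publish the tested tarball, a plain `docker push` of the tag created in `Tag postgis image` is the direct way to do it. Whether `push: true` and `load: true` can be combined in one build-push-action call depends on the buildx driver supporting multiple exporters — worth confirming on a real run.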