-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
d5724a6
commit d3c2851
Showing
4 changed files
with
141 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| version: 2 | ||
| updates: | ||
| - package-ecosystem: "github-actions" | ||
| directory: "/" | ||
| schedule: | ||
| interval: "daily" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,109 @@ | ||
| name: Build | ||
|
|
||
| on: | ||
| workflow_dispatch: | ||
| push: | ||
| branches: | ||
| - main | ||
| # Ignore Markdown files | ||
| paths-ignore: | ||
| - '**.md' | ||
| schedule: | ||
| # Build the image daily | ||
| - cron: '15 0 * * *' | ||
|
|
||
| env: | ||
| REGISTRY: ghcr.io | ||
| IMAGE_NAME: polarix-containers/kanidm-server | ||
| TAG: latest | ||
|
|
||
| jobs: | ||
| build: | ||
| name: Build & push new image | ||
| permissions: | ||
| contents: read | ||
| packages: write | ||
| timeout-minutes: 20 | ||
| runs-on: ubuntu-24.04 | ||
|
|
||
| steps: | ||
| - name: Checkout code | ||
| uses: actions/checkout@v4 | ||
|
|
||
| # Add support for more platforms with QEMU | ||
| - name: Set up QEMU | ||
| uses: docker/setup-qemu-action@v3 | ||
|
|
||
| - name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 | ||
|
|
||
| - name: Login to registry | ||
| if: github.event_name != 'pull_request' | ||
| uses: docker/login-action@v3 | ||
| with: | ||
| registry: ${{ env.REGISTRY }} | ||
| username: ${{ github.repository_owner }} | ||
| password: ${{ secrets.GITHUB_TOKEN }} | ||
|
|
||
| - name: Set Docker metadata | ||
| id: meta | ||
| uses: docker/metadata-action@v5 | ||
| with: | ||
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | ||
| tags: | | ||
| ${{ env.TAG }} | ||
| - name: Build and push Docker image | ||
| id: build-and-push | ||
| uses: docker/build-push-action@v6 | ||
| with: | ||
| context: . | ||
| platforms: linux/amd64,linux/arm64 | ||
| push: ${{ github.event_name != 'pull_request' }} | ||
| tags: ${{ steps.meta.outputs.tags }} | ||
| labels: ${{ steps.meta.outputs.labels }} | ||
|
|
||
| trivy: | ||
| name: Scan current image with Trivy | ||
| needs: build | ||
| permissions: | ||
| security-events: write | ||
| timeout-minutes: 10 | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Run Trivy vulnerability scanner | ||
| uses: aquasecurity/trivy-action@master | ||
| with: | ||
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} | ||
| format: template | ||
| template: '@/contrib/sarif.tpl' | ||
| output: trivy-results.sarif | ||
| severity: UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL | ||
| vuln-type: os,library | ||
|
|
||
| - name: Upload Trivy scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: trivy-results.sarif | ||
| category: trivy | ||
|
|
||
| grype: | ||
| name: Scan current image with Grype | ||
| needs: build | ||
| permissions: | ||
| security-events: write | ||
| timeout-minutes: 10 | ||
| runs-on: ubuntu-24.04 | ||
| steps: | ||
| - name: Run Grype vulnerability scanner | ||
| uses: anchore/scan-action@v5 | ||
| id: grype | ||
| with: | ||
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.TAG }} | ||
| fail-build: false | ||
|
|
||
| - name: Upload Grype scan results to GitHub Security tab | ||
| uses: github/codeql-action/upload-sarif@v3 | ||
| with: | ||
| sarif_file: ${{ steps.grype.outputs.sarif }} | ||
| category: grype |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| ARG UID=3005 | ||
|
|
||
| FROM kanidm/server | ||
|
|
||
| ARG UID | ||
| ARG GID | ||
|
|
||
| LABEL maintainer="Thien Tran [email protected]" | ||
|
|
||
| RUN zypper dup -y | ||
|
|
||
| RUN useradd -u ${UID} --system kanidm | ||
| USER kanidm |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,13 @@ | ||
| # kanidm | ||
|
|
||
|  | ||
|
|
||
| ### Features & usage | ||
| - Built on the [official image](https://github.com/kanidm/kanidm) to be used as a drop-in replacement. | ||
| - Does **not** come with hardened_malloc like other Polarix containers. | ||
| - Unprivileged image: you should check your volumes' permissions (eg `/data`), default UID/GID is 3005. | ||
|
|
||
| ### Licensing | ||
| - The code in this repository is licensed under the Apache license. 😇 | ||
| - The image is built on docker.io/owncloud/ocis, which is under the Apache license. Copyright to the base image belongs to ownCloud Inc. | ||
| - Any image built by Polarix Containers is provided under the combination of license terms resulting from the use of individual packages. |