Add Agent Threat Model Builder - interactive STRIDE-based threat mode… #41
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker | |
| on: | |
| push: | |
| branches: [master] | |
| tags: ['v*'] | |
| pull_request: | |
| branches: [master] | |
| workflow_dispatch: | |
| concurrency: | |
| group: docker-${{ github.ref }} | |
| cancel-in-progress: true | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| jobs: | |
| docker: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v4 | |
| - name: Log in to GHCR | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v4 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata | |
| id: meta | |
| uses: docker/metadata-action@v6 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=semver,pattern={{major}}.{{minor}} | |
| type=semver,pattern={{major}} | |
| type=edge,branch=master | |
| type=sha,prefix=sha- | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Build and push | |
| uses: docker/build-push-action@v7 | |
| with: | |
| context: . | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| platforms: linux/amd64,linux/arm64 | |
| - name: Scan image for vulnerabilities | |
| if: github.event_name != 'pull_request' | |
| uses: aquasecurity/trivy-action@0.35.0 | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:edge | |
| format: sarif | |
| output: trivy-results.sarif | |
| severity: CRITICAL,HIGH | |
| exit-code: '0' | |
| - name: Upload Trivy scan results | |
| if: github.event_name != 'pull_request' | |
| uses: github/codeql-action/upload-sarif@v4 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| continue-on-error: true | |
| - name: Generate SBOM | |
| if: github.event_name != 'pull_request' | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:edge | |
| format: spdx-json | |
| output-file: sbom.spdx.json | |
| - name: Upload SBOM | |
| if: github.event_name != 'pull_request' | |
| uses: actions/upload-artifact@v7 | |
| with: | |
| name: sbom | |
| path: sbom.spdx.json | |
| - name: Verify image | |
| if: github.event_name != 'pull_request' | |
| run: | | |
| # Pull and verify the image starts correctly | |
| IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-$(echo ${{ github.sha }} | cut -c1-7)" | |
| docker pull "$IMAGE" | |
| CONTAINER_ID=$(docker run -d -p 8080:8080 "$IMAGE") | |
| sleep 3 | |
| # Health check | |
| if curl -sf http://localhost:8080/healthz > /dev/null; then | |
| echo "✅ Health check passed" | |
| else | |
| echo "❌ Health check failed" | |
| docker logs "$CONTAINER_ID" | |
| docker stop "$CONTAINER_ID" | |
| exit 1 | |
| fi | |
| # Verify index.html is served | |
| if curl -sf http://localhost:8080/ | grep -q "AgentBox"; then | |
| echo "✅ Index page verified" | |
| else | |
| echo "❌ Index page verification failed" | |
| docker stop "$CONTAINER_ID" | |
| exit 1 | |
| fi | |
| docker stop "$CONTAINER_ID" |