diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml
index d0bceb19..0d2fd817 100644
--- a/.github/workflows/docker-publish.yml
+++ b/.github/workflows/docker-publish.yml
@@ -23,8 +23,46 @@ permissions:
 packages: write
 jobs:
- build_apks:
- name: Build APKs
+ build_test:
+ name: Build and Test
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v2
+ - name: Set tag var
+ id: vars
+ run: echo ::set-output name=docker_tag::$(echo ${GITHUB_REF} | cut -d'/' -f3)-${GITHUB_SHA}
+
+ - name: Download artifact
+ uses: dawidd6/action-download-artifact@v2
+ with:
+ # Optional, GitHub token, a Personal Access Token with `public_repo` scope if needed
+ # Required, if artifact is from a different repo
+ github_token: ${{secrets.GITHUB_TOKEN}}
+ # Required, workflow file name or ID
+ workflow: build-apk.yml
+ # Optional, will use the branch
+ branch: master
+ # Optional, uploaded artifact name,
+ # will download all artifacts if not specified
+ # and extract them in respective subdirectories
+ # https://github.com/actions/download-artifact#download-all-artifacts
+ name: apk-builds
+ # Optional, directory where to extract artifact. Defaults to the artifact name (see `name` input)
+ path: ${{ github.workspace }}/apk-build/
+ # Optional, defaults to current repo
+ repo: Secure-Compliance-Solutions-LLC/GVM-APK-build
+
+ - name: Build the Docker image
+ run: docker build . --file Dockerfile --build-arg OPT_PDF=1 --tag myapp:${{ steps.vars.outputs.docker_tag }}
+
+ - name: Scan with Phonito Security
+ uses: phonito/phonito-scanner-action@master
+ with:
+ image: myapp:${{ steps.vars.outputs.docker_tag }}
+ phonito-token: ${{ secrets.PHONITO_TOKEN }}
+
+ build_release:
+ name: Build and Release
 runs-on: ubuntu-latest
 outputs:
@@ -139,6 +177,7 @@ jobs:
 images: ${{ steps.releasePreare.outputs.images }}
 flavor: |
 latest=${{ steps.releasePreareLatestTag.outputs.latest}}
+ onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
 prefix=
 suffix=-full
 tags: |
@@ -172,6 +211,7 @@ jobs:
 images: ${{ steps.releasePreare.outputs.images }}
 flavor: |
 latest=${{ steps.releasePreareLatestTag.outputs.latest}}
+ onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
 prefix=
 suffix=-data
 tags: |
@@ -203,6 +243,7 @@ jobs:
 images: ${{ steps.releasePreare.outputs.images }}
 flavor: |
 latest=${{ steps.releasePreareLatestTag.outputs.latest}}
+ onlatest=${{ steps.releasePreareLatestTag.outputs.latest}}
 prefix=
 suffix=-data-full
 tags: |
diff --git a/scripts/start.sh b/scripts/start.sh
index 6e3a3a0c..0b685371 100755
--- a/scripts/start.sh
+++ b/scripts/start.sh
@@ -32,6 +32,13 @@ mkdir -p /var/lib/gvm/private
 mkdir -p /var/lib/gvm/scap-data
 chown gvm:gvm -R /var/lib/gvm
+# fix for greenbone-nvt-sync
+mkdir -p /run/ospd/
+chown gvm:gvm /run/ospd
+su -c "touch /run/ospd/feed-update.lock" gvm
+mkdir -p /var/lib/openvas/plugins/
+chown -R gvm:gvm /var/lib/openvas/plugins/
+
 ## This need on HyperVisor for GVM
 #echo 'never' >/sys/kernel/mm/transparent_hugepage/enabled
 #echo 'never' >/sys/kernel/mm/transparent_hugepage/defrag
diff --git a/scripts/sync-all.sh b/scripts/sync-all.sh
index 824fefc4..67f1f797 100755
--- a/scripts/sync-all.sh
+++ b/scripts/sync-all.sh
@@ -31,7 +31,8 @@ if [ ! -f "/var/lib/gvm/.firstsync" ]; then
 fi
 echo "Updating NVTs..."
-su -c "rsync --compress-level=9 --links --times --omit-dir-times --recursive --partial --quiet rsync://feed.community.greenbone.net:/nvt-feed /var/lib/openvas/plugins" gvm
+#su -c "rsync --compress-level=9 --links --times --omit-dir-times --recursive --partial --quiet rsync://feed.community.greenbone.net:/nvt-feed /var/lib/openvas/plugins" gvm
+su -c "greenbone-nvt-sync" gvm
 sleep 5
 echo "Updating GVMd data..."
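Review bot: The added standalone `onlatest=` flavor line is unlikely to take effect: in docker/metadata-action the onlatest switch is, as far as its documented syntax goes, a modifier attached to the prefix or suffix entry (`suffix=-full,onlatest=true`) rather than a key of its own, and it only accepts `true`/`false`, whereas this line interpolates the same `outputs.latest` value that the `latest=` entry already consumes (which may legitimately be `auto`). I would drop the new line and instead rewrite the suffix entries in the three hunks (-139, -172, -203) as `suffix=-full,onlatest=true`, `suffix=-data,onlatest=true` and `suffix=-data-full,onlatest=true`, which I read as the intent here: without the suffix applied to the latest tag, each of the three variants publishes a bare `latest` and the last push silently wins. If the action's parser is strict, the present form may even fail the release job on a non-boolean value, so this is worth checking in a dry run. The `with:` mappings these flavor blocks belong to start outside the hunks.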
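Review bot: `chown -R gvm:gvm /var/lib/openvas/plugins/` runs unconditionally as root on every container start, and once greenbone-nvt-sync has populated that tree it walks a very large number of files — a cheap guard such as `[ "$(stat -c %U /var/lib/openvas/plugins)" = gvm ] || chown -R gvm:gvm /var/lib/openvas/plugins/` keeps the fix for volumes created by an older image without paying that cost on each restart (it only checks the top directory, which is adequate for the "populated as root once" case this appears to address). The comment `# fix for greenbone-nvt-sync` would be more useful if it said why, e.g. `# greenbone-nvt-sync runs as gvm (see sync-all.sh): it needs its lock file under /run/ospd and write access to the NVT tree`. None of the new lines check their exit status, so a read-only or mis-mounted volume is only noticed when the later sync fails; whether this script runs under `set -e` is not visible here, as the script starts outside the hunk.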
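Review bot: The old rsync invocation is kept as a commented-out `#su -c "rsync ... /var/lib/openvas/plugins" gvm`; now that `greenbone-nvt-sync` owns the feed update and git history preserves the old command, that line is dead text and a second copy of the feed URL that can drift, so I would delete it. The new call discards the sync's exit status before the `sleep 5`, as the old one did, so a failed or partial NVT update is never reported; `su -c "greenbone-nvt-sync" gvm || echo "NVT feed sync failed" >&2` would at least surface it (whether the script runs with `set -e` is not visible, as it starts outside the hunk). Since this call now relies on start.sh having created `/run/ospd/feed-update.lock` as gvm, a one-line comment here, `# needs /run/ospd writable by gvm (prepared in start.sh)`, would make that ordering dependency visible to the next person who reorders the startup scripts.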