
feat: Run Device Agent in container as unprivileged user #5


Workflow file for this run

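---
# Builds the Device Agent image for each Node.js version in the matrix, scans
# the result with Trivy and publishes the findings to GitHub code scanning.
name: Docker build

on:
  pull_request:
    paths:
      - 'docker/**'
      - '.github/workflows/docker-build.yaml'

jobs:
  docker-build:
    runs-on: ubuntu-latest
    timeout-minutes: 15
    permissions:
      contents: read
      # Required by upload-sarif. NOTE(review): on pull_request runs coming
      # from forks GITHUB_TOKEN is read-only, so the upload step fails there.
      security-events: write
    strategy:
      matrix:
        # NOTE(review): Node 18 reached end-of-life in April 2025 — confirm it
        # is still a supported target before keeping it in the matrix.
        node: [18, 20]
    steps:
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

      - name: Set up Docker
        # TODO(review): pin to a commit SHA like every other action in this
        # workflow; a mutable tag can be moved to a different commit upstream.
        uses: docker/setup-docker-action@v4
        with:
          # "debug" makes the daemon log verbosely; the containerd snapshotter
          # is what allows a multi-platform build to be loaded with load: true.
          daemon-config: |
            {
              "debug": true,
              "features": {
                "containerd-snapshotter": true
              }
            }

      - name: Set up QEMU
        uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0

      # A docker/setup-buildx-action step used to sit here; it is left out on
      # the assumption that setup-docker-action provides the builder — verify
      # if multi-platform builds start failing.

      - name: Build Docker image
        uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
        with:
          context: .
          file: docker/Dockerfile
          platforms: linux/amd64, linux/arm64, linux/arm/v7
          tags: flowfuse-device-agent-pr:${{ matrix.node }}-scan
          push: false
          # Loads the image into the local daemon so Trivy can scan it by tag.
          # NOTE(review): Trivy presumably scans only the runner's native
          # (amd64) variant of the loaded image — confirm if the arm variants
          # need separate coverage.
          load: true
          build-args: |
            NODE_VERSION=${{ matrix.node }}

      - name: Cache vulnerability database
        uses: actions/cache@9255dc7a253b0ccc959486e2bca901246202afeb # v5.0.1
        with:
          path: ~/.cache/trivy
          # run_id in the key means the exact key never hits, so each run saves
          # a fresh DB; restore-keys restores the newest one from a prior run.
          key: ${{ runner.os }}-trivy-db-${{ github.run_id }}
          restore-keys: |
            ${{ runner.os }}-trivy-db-

      # This is an image vulnerability scan (image-ref), not source SAST; the
      # output filename is kept for compatibility. Severity/exit-code policy
      # lives in .github/trivy.yaml, which is not visible here.
      - name: Scan image with Trivy
        id: scan
        uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
        with:
          image-ref: flowfuse-device-agent-pr:${{ matrix.node }}-scan
          trivy-config: .github/trivy.yaml
          output: 'sast-results.sarif'

      - name: Upload scan results
        # Still upload when the scan step itself failed (e.g. trivy-config sets
        # a non-zero exit-code on findings), so the findings remain visible;
        # skip only when the scan never ran or the job was cancelled.
        if: ${{ !cancelled() && steps.scan.outcome != 'skipped' }}
        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v4.32.0
        with:
          sarif_file: sast-results.sarif
          # One category per matrix entry: uploads for the same commit and
          # category replace each other, so without this the node 20 results
          # would overwrite the node 18 results.
          category: trivy-node${{ matrix.node }}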