Code-Index-MCP

name: Container Registry Management on: push: branches: [ main ] tags: - 'v*' pull_request: branches: [ main ] schedule: # Weekly vulnerability scan - cron: '0 2 * * 1' workflow_dispatch: env: REGISTRY: ghcr.io IMAGE_NAME: ${{ github.repository }} jobs: build-and-push: name: Build and Push Container Images runs-on: ubuntu-latest permissions: contents: read packages: write security-events: write strategy: matrix: platform: - linux/amd64 - linux/arm64 steps: - name: Checkout code uses: actions/checkout@v4 with: fetch-depth: 0 - name: Set up QEMU uses: docker/setup-qemu-action@v3 with: platforms: all - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 with: driver-opts: | network=host - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | # Branch events type=ref,event=branch # PR events type=ref,event=pr # Tag events type=ref,event=tag # Latest tag for main branch type=raw,value=latest,enable={{is_default_branch}} # Semantic versions type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=semver,pattern={{major}} # SHA type=sha,prefix={{branch}}-,format=short # Date type=schedule,pattern={{date 'YYYYMMDD'}} labels: | org.opencontainers.image.title=MCP Server org.opencontainers.image.description=Code Index MCP Server org.opencontainers.image.vendor=Your Organization maintainer=your-email@example.com - name: Build container image uses: docker/build-push-action@v5 with: context: . file: ./docker/dockerfiles/Dockerfile.production platforms: ${{ matrix.platform }} push: false tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} cache-from: type=gha,scope=${{ matrix.platform }} cache-to: type=gha,mode=max,scope=${{ matrix.platform }} outputs: type=docker,dest=/tmp/image-${{ matrix.platform }}.tar build-args: | BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} VCS_REF=${{ github.sha }} VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} - name: Upload artifact uses: actions/upload-artifact@v4 with: name: image-${{ strategy.job-index }} path: /tmp/image-${{ matrix.platform }}.tar retention-days: 1 security-scan: name: Security Scanning needs: build-and-push runs-on: ubuntu-latest permissions: security-events: write strategy: matrix: platform: - linux/amd64 - linux/arm64 steps: - name: Download artifact uses: actions/download-artifact@v4 with: name: image-${{ strategy.job-index }} path: /tmp - name: Load Docker image run: | docker load --input /tmp/image-${{ matrix.platform }}.tar docker image ls -a - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with: input: /tmp/image-${{ matrix.platform }}.tar format: 'sarif' output: 'trivy-results-${{ matrix.platform }}.sarif' severity: 'CRITICAL,HIGH,MEDIUM' vuln-type: 'os,library' - name: Upload Trivy scan results uses: github/codeql-action/upload-sarif@v2 with: sarif_file: 'trivy-results-${{ matrix.platform }}.sarif' category: 'trivy-${{ matrix.platform }}' - name: Run Grype vulnerability scanner uses: anchore/scan-action@v3 with: path: /tmp/image-${{ matrix.platform }}.tar fail-build: false output-format: sarif - name: Generate SBOM with Syft uses: anchore/sbom-action@v0 with: path: /tmp/image-${{ matrix.platform }}.tar format: spdx-json output-file: sbom-${{ matrix.platform }}.spdx.json - name: Upload SBOM uses: actions/upload-artifact@v4 with: name: sbom-${{ strategy.job-index }} path: sbom-${{ matrix.platform }}.spdx.json push-manifests: name: Push Multi-Platform Manifests needs: security-scan runs-on: ubuntu-latest if: github.event_name != 'pull_request' permissions: packages: write steps: - name: Set up Docker Buildx uses: docker/setup-buildx-action@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Download artifacts uses: actions/download-artifact@v4 with: path: /tmp/artifacts - name: Load Docker images run: | for platform in linux/amd64 linux/arm64; do platform_safe=$(echo $platform | tr '/' '-') docker load --input /tmp/artifacts/image-${platform}/image-${platform}.tar done docker image ls -a - name: Extract metadata id: meta uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} tags: | type=ref,event=branch type=ref,event=tag type=raw,value=latest,enable={{is_default_branch}} type=semver,pattern={{version}} type=semver,pattern={{major}}.{{minor}} type=sha,prefix={{branch}}-,format=short - name: Create and push manifest run: | TAGS="${{ steps.meta.outputs.tags }}" # For each tag, create a manifest echo "$TAGS" | while IFS= read -r tag; do if [ ! -z "$tag" ]; then echo "Creating manifest for $tag" # Create manifest list docker manifest create $tag \ $(docker images --format "{{.Repository}}:{{.Tag}}" | grep -E "linux-(amd64|arm64)") # Annotate architectures for arch in amd64 arm64; do image=$(docker images --format "{{.Repository}}:{{.Tag}}" | grep "linux-$arch" | head -1) if [ ! -z "$image" ]; then docker manifest annotate $tag $image --arch $arch fi done # Push manifest docker manifest push $tag fi done cleanup-old-images: name: Cleanup Old Images runs-on: ubuntu-latest if: github.event_name == 'schedule' permissions: packages: write steps: - name: Delete old container images uses: actions/delete-package-versions@v4 with: package-name: 'code-index-mcp' package-type: 'container' min-versions-to-keep: 10 delete-only-pre-release-versions: false token: ${{ secrets.GITHUB_TOKEN }} - name: Delete untagged images uses: actions/github-script@v6 with: script: | const response = await github.rest.packages.listPackageVersionsForPackageOwnedByOrg({ package_type: 'container', package_name: 'code-index-mcp', org: context.repo.owner, state: 'active' }); for (const version of response.data.versions) { if (version.metadata.container.tags.length === 0) { console.log(`Deleting untagged version ${version.id}`); await github.rest.packages.deletePackageVersionForOrg({ package_type: 'container', package_name: 'code-index-mcp', org: context.repo.owner, package_version_id: version.id }); } } sign-images: name: Sign Container Images needs: push-manifests runs-on: ubuntu-latest if: startsWith(github.ref, 'refs/tags/v') permissions: packages: write id-token: write steps: - name: Install Cosign uses: sigstore/cosign-installer@v3 - name: Log in to Container Registry uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Sign container images env: COSIGN_EXPERIMENTAL: 1 run: | # Get image digest IMAGE_DIGEST=$(crane digest ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}) # Sign the image cosign sign --yes \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} # Verify signature cosign verify \ --certificate-identity-regexp "https://github.com/${{ github.repository }}/*" \ --certificate-oidc-issuer "https://token.actions.githubusercontent.com" \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST} - name: Attach SBOM to image run: | # Download SBOMs for platform in linux-amd64 linux-arm64; do curl -L -o sbom-${platform}.spdx.json \ ${{ github.server_url }}/${{ github.repository }}/actions/artifacts/sbom-${platform}/sbom-${platform}.spdx.json done # Attach SBOM IMAGE_DIGEST=$(crane digest ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.ref_name }}) cosign attach sbom --sbom sbom-linux-amd64.spdx.json \ ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${IMAGE_DIGEST}