From 4696c81c126822f8d9d76139cf0d57941c7bec4d Mon Sep 17 00:00:00 2001 From: Yuichi Kimura Date: Wed, 4 Feb 2026 15:25:49 +0900 Subject: [PATCH 1/4] Separate workflows for improved security isolation Split the monolithic workflow into two separate files: - build-and-push.yaml: Handles Docker builds and pushes (requires secrets) - security-scan.yaml: Runs Trivy scans on PRs (no secrets required) This separation ensures that pull requests never trigger workflows with access to Docker Hub credentials, reducing the attack surface for this public repository. Also updated CLAUDE.md to reflect the new workflow architecture. Co-Authored-By: Claude Sonnet 4.5 --- .../{build.yaml => build-and-push.yaml} | 32 +----------------- .github/workflows/security-scan.yaml | 33 +++++++++++++++++++ CLAUDE.md | 33 +++++++++++-------- 3 files changed, 54 insertions(+), 44 deletions(-) rename .github/workflows/{build.yaml => build-and-push.yaml} (87%) create mode 100644 .github/workflows/security-scan.yaml diff --git a/.github/workflows/build.yaml b/.github/workflows/build-and-push.yaml similarity index 87% rename from .github/workflows/build.yaml rename to .github/workflows/build-and-push.yaml index 7093442..a8e1267 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build-and-push.yaml @@ -1,4 +1,4 @@ -name: Build and Push Docker Image +name: Build and Push on: push: @@ -7,10 +7,6 @@ on: - main tags: - '*.*.*.*-*' # Format: 1.27.1.2-0 - pull_request: - branches: - - master - - main workflow_dispatch: env: @@ -19,7 +15,6 @@ env: jobs: build: name: Build ${{ matrix.platform }} - if: github.event_name != 'pull_request' runs-on: ${{ matrix.runner }} permissions: contents: read 
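Review bot: With `pull_request` removed, the remaining paths into the Docker Hub login are `push` on any tag matching `'*.*.*.*-*'` and `workflow_dispatch`, and nothing in the workflow gates those beyond having push rights, so the isolation this commit adds does not cover who may publish an image. Consider placing the pushing jobs behind a GitHub `environment:` with required reviewers and/or a tag-protection rule, and record that intent at the trigger with a comment such as `# never add pull_request here: this workflow holds Docker Hub credentials`. The `if: github.event_name != 'pull_request'` guard dropped in the third hunk was the only in-job defence, so if a PR trigger is ever re-added (same-repo PRs do receive secrets) the build runs with credentials again; keeping that one-line guard costs nothing. The `build` job's body continues outside the hunk.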
@@ -169,28 +164,3 @@ jobs: image: ${{ env.DOCKER_IMAGE }}:${{ steps.meta.outputs.version }} only-severities: critical,high exit-code: false - - security-scan: - runs-on: ubuntu-latest - if: github.event_name == 'pull_request' - permissions: - contents: read - security-events: write - - steps: - - name: Checkout code - uses: actions/checkout@v6 - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - scan-type: 'config' - scan-ref: '.' - format: 'sarif' - output: 'trivy-results.sarif' - - - name: Upload Trivy results to GitHub Security - uses: github/codeql-action/upload-sarif@v4 - if: always() - with: - sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml new file mode 100644 index 0000000..2aeca3c --- /dev/null +++ b/.github/workflows/security-scan.yaml @@ -0,0 +1,33 @@ +name: Security Scan + +on: + pull_request: + branches: + - master + - main + +jobs: + security-scan: + name: Trivy Security Scan + runs-on: ubuntu-latest + permissions: + contents: read + security-events: write + + steps: + - name: Checkout code + uses: actions/checkout@v6 + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@master + with: + scan-type: 'config' + scan-ref: '.' + format: 'sarif' + output: 'trivy-results.sarif' + + - name: Upload Trivy results to GitHub Security + uses: github/codeql-action/upload-sarif@v4 + if: always() + with: + sarif_file: 'trivy-results.sarif' diff --git a/CLAUDE.md b/CLAUDE.md index 16aecd6..0e3307a 100644 --- a/CLAUDE.md +++ b/CLAUDE.md 
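Review bot: The new security-scan.yaml runs `aquasecurity/trivy-action@master` on every PR, so whatever lands on that upstream default branch executes in this repository's runner with `security-events: write` on the next PR; for a workflow whose purpose is isolation, pin it to a full commit SHA with a version comment (`uses: aquasecurity/trivy-action@<commit-sha> # vX.Y.Z`) and consider the same for `actions/checkout@v6` and `github/codeql-action/upload-sarif@v4`, whose major tags are also mutable. Separately, the `pull_request` token for PRs from forks is read-only, so `security-events: write` is presumably not granted there and the SARIF upload step would fail for fork PRs despite `if: always()`; either accept that noise or guard the upload with `if: always() && github.event.pull_request.head.repo.full_name == github.repository`. A top-level `permissions: {}` would also make the default for any job added later explicit.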
@@ -75,14 +75,15 @@ LuaJIT is configured with `LUAJIT_NUMMODE=2` (number mode) and Lua 5.2 compatibi ## CI/CD Pipeline -### GitHub Actions Workflow +### GitHub Actions Workflows -The repository uses `.github/workflows/docker-build.yml` for automated builds with a multi-stage digest-based approach: +The repository uses two separate workflows for improved security and clarity: + +#### 1. Build and Push (`.github/workflows/build-and-push.yaml`) **Triggers**: - Push to `master`/`main` branch → Build & push to Docker Hub - Tags matching `*.*.*.*-*` (e.g., `1.27.1.2-0`) → Build & push with version tags -- Pull requests → Security scan only (no build) - Manual dispatch → Build & push **Generated Docker Tags**: 
@@ -91,19 +92,28 @@ The repository uses `.github/workflows/docker-build.yml` for automated builds wi - `1.27` - Two-part version **Required Secrets**: -- `DOCKER_HUB_USERNAME` - Docker Hub username -- `DOCKER_HUB_TOKEN` - Docker Hub access token with Read & Write permissions +- `DOCKERHUB_USERNAME` (variable) - Docker Hub username +- `DOCKERHUB_PUSH_TOKEN` (secret) - Docker Hub access token with Read & Write permissions + +#### 2. Security Scan (`.github/workflows/security-scan.yaml`) + +**Triggers**: +- Pull requests to `master`/`main` branch + +**Purpose**: +- Runs Trivy configuration scanner on Dockerfile and workflow files +- Uploads results to GitHub Security tab +- **No Docker Hub access or secrets required** - provides fast security feedback in isolation ### Build Architecture -The workflow uses a three-stage process for efficient multi-platform builds: +The build-and-push workflow uses a three-stage process for efficient multi-platform builds: 1. **build** (matrix job): - Runs on native runners: `ubuntu-latest` (amd64), `ubuntu-latest-arm` (arm64) - Each platform builds independently in parallel - Uses digest-based push (`push-by-digest=true`) for reliable multi-arch images - Platform-specific cache scopes for optimal cache utilization - - Skipped for pull requests 2. **merge**: - Downloads all platform digests 
@@ -111,19 +121,16 @@ The workflow uses a three-stage process for efficient multi-platform builds: - Pushes unified multi-platform image with appropriate tags - Runs Docker Scout CVE scan on final image -3. **security-scan** (PR only): - - Runs Trivy configuration scanner - - Uploads results to GitHub Security tab - - Provides fast feedback without building images - ### Security Features +- **Workflow Separation**: Build and security-scan workflows are completely isolated + - PRs never trigger workflows that access Docker Hub secrets + - Reduces attack surface for public repository - **SBOM Generation**: Enabled (`sbom: true`) for all builds to track dependencies - **Provenance**: Disabled (`provenance: false`) for maximum compatibility with cloud services (ECR, ACR, GCR) - **Vulnerability Scanning**: - Docker Scout (post-merge): Scans final multi-platform image for critical/high CVEs - Trivy (PRs only): Scans Dockerfile and configuration, uploads to GitHub Security -- **Pull Request Isolation**: PRs run security scans only, no Docker builds or Docker Hub access ### Build Optimization From b2b4bf784ac6a9d29ac5dc62305efab4730b9c9f Mon Sep 17 00:00:00 2001 From: Yuichi Kimura Date: Wed, 4 Feb 2026 15:27:50 +0900 Subject: [PATCH 2/4] change secret MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit public 用に切り出したSecret に切り替え --- .github/workflows/build-and-push.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index a8e1267..8e11e34 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml @@ -41,7 +41,7 @@ jobs: uses: docker/login-action@v3 with: username: ${{ vars.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }} + password: ${{ secrets.DOCKERHUB_TOKEN_PUBLIC }} - name: Build and push by digest id: build 
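Review bot: The login step now reads `secrets.DOCKERHUB_TOKEN_PUBLIC`, but the CLAUDE.md section added in the first patch of this series still documents the secret as `DOCKERHUB_PUSH_TOKEN`, so the repository docs are wrong from this commit onward; update that line to ``- `DOCKERHUB_TOKEN_PUBLIC` (secret) - Docker Hub access token with Read & Write permissions``. The `_PUBLIC` suffix and the commit message suggest a token carved out specifically for this public repository; if so, a comment on the step stating that scope (`# presumably a token dedicated to this public repo — do not reuse it in private workflows`) makes the separation auditable for the next maintainer. The same rename appears in the merge job's login step in the following hunk, and the job this step belongs to begins outside the hunk.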
@@ -91,7 +91,7 @@ jobs: uses: docker/login-action@v3 with: username: ${{ vars.DOCKERHUB_USERNAME }} - password: ${{ secrets.DOCKERHUB_PUSH_TOKEN }} + password: ${{ secrets.DOCKERHUB_TOKEN_PUBLIC }} - name: Extract version from tag id: version From 977007d6a12eacd001dfe925aba950faf433227c Mon Sep 17 00:00:00 2001 From: Yuichi Kimura Date: Wed, 4 Feb 2026 15:42:53 +0900 Subject: [PATCH 3/4] add AVD-DS-0013 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 各種buildをしているだけなので無視 --- .trivyignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.trivyignore b/.trivyignore index d074a91..14e9d8a 100644 --- a/.trivyignore +++ b/.trivyignore @@ -2,3 +2,5 @@ AVD-DS-0002 # no health check AVD-DS-0026 +# change directory +AVD-DS-0013 From 1705c02bc25b3c468f7477001c48a4f13dc9832a Mon Sep 17 00:00:00 2001 From: Yuichi Kimura Date: Wed, 4 Feb 2026 15:51:27 +0900 Subject: [PATCH 4/4] Add concurrency control to workflows - security-scan: Cancel outdated PR scans on new pushes - build-and-push: Cancel outdated branch builds, protect tag builds - Reduces CI costs and improves feedback speed Co-Authored-By: Claude Sonnet 4.5 --- .github/workflows/build-and-push.yaml | 4 ++++ .github/workflows/security-scan.yaml | 4 ++++ 2 files changed, 8 insertions(+) diff --git a/.github/workflows/build-and-push.yaml b/.github/workflows/build-and-push.yaml index 8e11e34..c65958f 100644 --- a/.github/workflows/build-and-push.yaml +++ b/.github/workflows/build-and-push.yaml @@ -9,6 +9,10 @@ on: - '*.*.*.*-*' # Format: 1.27.1.2-0 workflow_dispatch: +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: ${{ !startsWith(github.ref, 'refs/tags/') }} + env: DOCKER_IMAGE: intimatemerger/openresty diff --git a/.github/workflows/security-scan.yaml b/.github/workflows/security-scan.yaml index 2aeca3c..649d15a 100644 --- a/.github/workflows/security-scan.yaml +++ b/.github/workflows/security-scan.yaml 
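Review bot: Adding AVD-DS-0013 to `.trivyignore` suppresses the check for every RUN instruction in the Dockerfile, not just the `cd` usage the commit message describes as harmless, and the `# change directory` comment does not say why the finding is accepted or when that was decided; since the PR-time Trivy config scan is the only gate this series leaves for PRs, an undated blanket ignore is precisely what that scan would otherwise surface. Record the rationale and a review date next to the entry, e.g. `# AVD-DS-0013 (RUN ... cd ...): only inside build steps, WORKDIR impractical there; reviewed 2026-02`, or replace the `cd` chains with `WORKDIR` in the Dockerfile so the suppression becomes unnecessary. Whether the Dockerfile still needs the exception cannot be confirmed from this patch.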
@@ -6,6 +6,10 @@ on: - master - main +concurrency: + group: ${{ github.workflow }}-${{ github.head_ref || github.ref }} + cancel-in-progress: true + jobs: security-scan: name: Trivy Security Scan
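Review bot: The concurrency group `${{ github.workflow }}-${{ github.head_ref || github.ref }}` keys on the PR's source branch name, so two open PRs from different forks that both use a branch called, say, `main` or `patch-1` share a group and, with `cancel-in-progress: true`, a push to one PR cancels the other PR's scan, leaving it without a security result. Because this workflow has only a `pull_request` trigger, `github.ref` is already the per-PR `refs/pull/<n>/merge` ref; use `group: ${{ github.workflow }}-${{ github.ref }}` or `group: ${{ github.workflow }}-pr-${{ github.event.pull_request.number }}` instead.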