Skip to content

fix(wdl): guard ConcatProteinFastas against silent localization failures #98

fix(wdl): guard ConcatProteinFastas against silent localization failures

fix(wdl): guard ConcatProteinFastas against silent localization failures #98

Workflow file for this run

name: Docker Build, Push, Scan
# Build, push, and Trivy-scan any docker/<image>/ that changed in this push/PR.
# - Default branch push: optional auto-bump VERSION -> commit [skip ci] -> build -> push -> scan
# - Any other branch: build only (PR: build + scan only, no push)
# - Schedule / dispatch: rescan :latest of every image for new CVEs
#
# See scripts/ci-detect-changed-images.sh and scripts/ci-bump-image-versions.sh
# for the change-detection and version-bump logic.
on:
push:
# Tag pushes are intentionally NOT a trigger. The CD workflow (cd.yml)
# pushes release tags after this workflow completes; reacting to those
# tags would cause a redundant rebuild of every image.
branches:
- '**'
pull_request:
branches:
- main
schedule:
- cron: '0 6 * * 1' # Weekly Monday rescan for new CVEs
workflow_dispatch:
concurrency:
group: docker-${{ github.ref }}
cancel-in-progress: false
env:
GHCR_REGISTRY: ghcr.io
# GCR project (without registry host); change via repo variable GCR_PROJECT.
GCR_PROJECT: ${{ vars.GCR_PROJECT || 'broadinstitute' }}
GCR_REGISTRY: us.gcr.io
# GAR (Artifact Registry) target. Both repo variables MUST be set for the
# GAR push to activate (also requires secrets.GCP_SA_KEY — shared with GCR
# auth). GAR_LOCATION is the region (e.g. us-central1); GAR_REPO is the
# bare repo name (e.g. hvp-longread-containers); the GCP project comes
# from GCR_PROJECT above. Resulting image ref:
# <GAR_LOCATION>-docker.pkg.dev/<GCR_PROJECT>/<GAR_REPO>/<image>:<tag>.
GAR_LOCATION: ${{ vars.GAR_LOCATION }}
GAR_REPO: ${{ vars.GAR_REPO }}
# Opt every JS-based action into Node.js 24 ahead of the June 2nd, 2026
# default flip. Silences the Node 20 deprecation warnings on actions
# (checkout, login-action, metadata-action, etc.) that haven't bumped yet.
# Remove this once Node 24 is the runner default.
FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
# Image size (uncompressed, as reported by `docker image inspect .Size`)
# above which Trivy drops the secret scanner and uses an extended timeout.
# Big scientific images full of model weights and reference databases trip
# the secret scanner's per-file size guard; the secret scanner is meant for
# source repos with API keys anyway. Smaller images get the full default
# scan (vuln + secret). Override via repo variable TRIVY_LARGE_IMAGE_BYTES.
TRIVY_LARGE_IMAGE_BYTES: ${{ vars.TRIVY_LARGE_IMAGE_BYTES || '2147483648' }}
jobs:
# ---------------------------------------------------------------------------
# 1) Detect which docker/<image>/ dirs changed in this event.
# ---------------------------------------------------------------------------
detect-changes:
if: ${{ !contains(github.event.head_commit.message, '[skip ci]') }}
runs-on: ubuntu-latest
outputs:
images: ${{ steps.detect.outputs.images }}
any: ${{ steps.detect.outputs.any }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Detect changed image directories
id: detect
env:
GITHUB_EVENT_NAME: ${{ github.event_name }}
BASE_REF: ${{ github.base_ref }}
BEFORE_SHA: ${{ github.event.before }}
run: bash scripts/ci-detect-changed-images.sh
# ---------------------------------------------------------------------------
# 2) On default-branch push with image changes, auto-bump VERSION and push
# a [skip ci] commit so the build job uses the new version.
# ---------------------------------------------------------------------------
bump-versions:
needs: detect-changes
if: >-
needs.detect-changes.outputs.any == 'true'
&& github.event_name == 'push'
&& github.ref == format('refs/heads/{0}', github.event.repository.default_branch)
&& !contains(github.event.head_commit.message, '[skip ci]')
runs-on: ubuntu-latest
permissions:
contents: write
outputs:
committed: ${{ steps.bump.outputs.committed }}
versions: ${{ steps.bump.outputs.versions }}
bumped: ${{ steps.bump.outputs.bumped }}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
token: ${{ secrets.GITHUB_TOKEN }}
- name: Bump VERSION for changed images
id: bump
env:
BEFORE_SHA: ${{ github.event.before }}
run: bash scripts/ci-bump-image-versions.sh '${{ needs.detect-changes.outputs.images }}'
- name: Commit and push bump
if: steps.bump.outputs.committed == 'true'
run: |
git config user.name 'github-actions[bot]'
git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
git add docker/*/Makefile
git commit -m "chore(docker): bump versions for ${{ steps.bump.outputs.bumped }} [skip ci]"
git push
# ---------------------------------------------------------------------------
# 3a) Build each image per-arch on a native runner and push an intermediate
# per-arch tag to GHCR. amd64 runs on ubuntu-latest; arm64 runs on
# ubuntu-24.04-arm (native arm runner — no QEMU emulation, ~5-10x faster
# than cross-building arm64 under QEMU on an amd64 runner).
# Skipped on PRs (PR path uses pr-build-scan below — single arch, no push).
# ---------------------------------------------------------------------------
build-per-arch:
needs: [detect-changes, bump-versions]
if: >-
always()
&& needs.detect-changes.outputs.any == 'true'
&& needs.bump-versions.result != 'failure'
&& github.event_name != 'schedule'
&& github.event_name != 'workflow_dispatch'
&& github.event_name != 'pull_request'
runs-on: ${{ matrix.arch.runner }}
permissions:
contents: read
packages: write
actions: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-changes.outputs.images) }}
arch:
- { name: amd64, runner: ubuntu-latest, platform: linux/amd64 }
- { name: arm64, runner: ubuntu-24.04-arm, platform: linux/arm64 }
steps:
- name: Checkout (pick up auto-bump if any)
uses: actions/checkout@v4
with:
ref: ${{ needs.bump-versions.outputs.committed == 'true' && github.ref || github.sha }}
# Runners ship with ~14 GB free on /. Multi-env conda + DeepVirFinder
# model weights overflow that. Drop preinstalled toolchains we don't
# use — frees ~25 GB. (Same paths apply on both amd64 and arm64 runner
# images; missing paths are a no-op thanks to `|| true`.)
- name: Free disk space on runner
run: |
sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc \
/usr/local/share/boost /opt/hostedtoolcache/CodeQL \
/usr/local/lib/heroku /usr/local/share/powershell \
/usr/local/share/chromium /usr/local/share/swift || true
sudo docker image prune -af || true
df -h /
- name: Stage LICENSE into image build context
run: cp LICENSE docker/${{ matrix.image }}/LICENSE
- name: Read VERSION from Makefile
id: ver
run: |
v=$(awk -F'=' '/^[[:space:]]*VERSION[[:space:]]*=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' \
docker/${{ matrix.image }}/Makefile)
if [ -z "$v" ]; then
echo "::error::No VERSION in docker/${{ matrix.image }}/Makefile"
exit 1
fi
echo "version=$v" >> "$GITHUB_OUTPUT"
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compute intermediate ref
id: refs
run: |
owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
echo "intermediate=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}:${{ steps.ver.outputs.version }}-${{ matrix.arch.name }}" >> "$GITHUB_OUTPUT"
- name: Build and push intermediate per-arch tag
uses: docker/build-push-action@v6
with:
context: docker/${{ matrix.image }}
platforms: ${{ matrix.arch.platform }}
tags: ${{ steps.refs.outputs.intermediate }}
# Cache scoped per image AND arch so amd64 and arm64 don't clobber
# each other in the GHA cache backend.
cache-from: type=gha,scope=${{ matrix.image }}-${{ matrix.arch.name }}
cache-to: type=gha,mode=max,scope=${{ matrix.image }}-${{ matrix.arch.name }}
# Force Docker v2.2 mediatypes on the per-arch manifests so the merge
# step in 3b produces a Docker manifest list (not an OCI index).
provenance: false
sbom: false
outputs: type=image,oci-mediatypes=false,push=true
# ---------------------------------------------------------------------------
# 3b) Merge per-arch intermediates into multi-arch final tags via
# `docker buildx imagetools create`, push to GHCR (and GCR mirror if
# configured), then Trivy-scan the merged image.
# ---------------------------------------------------------------------------
merge-and-scan:
needs: [detect-changes, bump-versions, build-per-arch]
if: >-
always()
&& needs.build-per-arch.result == 'success'
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
actions: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-changes.outputs.images) }}
steps:
- name: Checkout (for Trivy configs)
uses: actions/checkout@v4
with:
ref: ${{ needs.bump-versions.outputs.committed == 'true' && github.ref || github.sha }}
- name: Read VERSION from Makefile
id: ver
run: |
v=$(awk -F'=' '/^[[:space:]]*VERSION[[:space:]]*=/ {gsub(/[[:space:]]/,"",$2); print $2; exit}' \
docker/${{ matrix.image }}/Makefile)
if [ -z "$v" ]; then
echo "::error::No VERSION in docker/${{ matrix.image }}/Makefile"
exit 1
fi
echo "version=$v" >> "$GITHUB_OUTPUT"
- name: Detect GCR mirror availability
id: gcr
env:
GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
run: |
if [ -n "${GCP_SA_KEY:-}" ]; then
echo "have=true" >> "$GITHUB_OUTPUT"
else
echo "have=false" >> "$GITHUB_OUTPUT"
fi
- name: Detect GAR mirror availability
id: gar
env:
GCP_SA_KEY: ${{ secrets.GCP_SA_KEY }}
GAR_LOCATION: ${{ env.GAR_LOCATION }}
GAR_REPO: ${{ env.GAR_REPO }}
run: |
if [ -n "${GCP_SA_KEY:-}" ] && [ -n "${GAR_LOCATION:-}" ] && [ -n "${GAR_REPO:-}" ]; then
echo "have=true" >> "$GITHUB_OUTPUT"
else
echo "have=false" >> "$GITHUB_OUTPUT"
fi
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Authenticate to GCP
if: steps.gcr.outputs.have == 'true'
uses: google-github-actions/auth@v2
with:
credentials_json: ${{ secrets.GCP_SA_KEY }}
- name: Log in to GCR
if: steps.gcr.outputs.have == 'true'
uses: docker/login-action@v3
with:
registry: ${{ env.GCR_REGISTRY }}
username: _json_key
password: ${{ secrets.GCP_SA_KEY }}
- name: Log in to GAR
if: steps.gar.outputs.have == 'true'
uses: docker/login-action@v3
with:
registry: ${{ env.GAR_LOCATION }}-docker.pkg.dev
username: _json_key
password: ${{ secrets.GCP_SA_KEY }}
- name: Compute image refs
id: refs
run: |
owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
echo "ghcr_image=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}" >> "$GITHUB_OUTPUT"
echo "gcr_image=${{ env.GCR_REGISTRY }}/${{ env.GCR_PROJECT }}/${{ matrix.image }}" >> "$GITHUB_OUTPUT"
echo "gar_image=${{ env.GAR_LOCATION }}-docker.pkg.dev/${{ env.GCR_PROJECT }}/${{ env.GAR_REPO }}/${{ matrix.image }}" >> "$GITHUB_OUTPUT"
- name: Metadata (GHCR tags)
id: meta_ghcr
uses: docker/metadata-action@v5
with:
images: ${{ steps.refs.outputs.ghcr_image }}
# Tag rules (same as the legacy single-job build-scan):
# - Immutable VERSION tag from the Makefile
# - Default branch push: bare branch name (e.g. `main`)
# - Non-default branch push: `branch-<name>` prefix
# - Default branch only: also `latest`
# (PR rule omitted — PR runs go through pr-build-scan which never
# reaches this job.)
tags: |
type=raw,value=${{ steps.ver.outputs.version }}
type=ref,event=branch,enable=${{ github.ref_name == github.event.repository.default_branch }}
type=ref,event=branch,prefix=branch-,enable=${{ github.ref_name != github.event.repository.default_branch }}
type=raw,value=latest,enable={{is_default_branch}}
- name: Metadata (GCR tags)
id: meta_gcr
if: steps.gcr.outputs.have == 'true'
uses: docker/metadata-action@v5
with:
images: ${{ steps.refs.outputs.gcr_image }}
tags: |
type=raw,value=${{ steps.ver.outputs.version }}
type=ref,event=branch,enable=${{ github.ref_name == github.event.repository.default_branch }}
type=ref,event=branch,prefix=branch-,enable=${{ github.ref_name != github.event.repository.default_branch }}
type=raw,value=latest,enable={{is_default_branch}}
- name: Metadata (GAR tags)
id: meta_gar
if: steps.gar.outputs.have == 'true'
uses: docker/metadata-action@v5
with:
images: ${{ steps.refs.outputs.gar_image }}
tags: |
type=raw,value=${{ steps.ver.outputs.version }}
type=ref,event=branch,enable=${{ github.ref_name == github.event.repository.default_branch }}
type=ref,event=branch,prefix=branch-,enable=${{ github.ref_name != github.event.repository.default_branch }}
type=raw,value=latest,enable={{is_default_branch}}
- name: Merge per-arch intermediates into multi-arch manifest list
env:
GHCR_TAGS: ${{ steps.meta_ghcr.outputs.tags }}
GCR_TAGS: ${{ steps.meta_gcr.outputs.tags }}
GAR_TAGS: ${{ steps.meta_gar.outputs.tags }}
GHCR_IMAGE: ${{ steps.refs.outputs.ghcr_image }}
VERSION: ${{ steps.ver.outputs.version }}
run: |
set -euo pipefail
tag_args=()
while IFS= read -r t; do
[ -n "$t" ] && tag_args+=("-t" "$t")
done <<< "$GHCR_TAGS"
if [ -n "${GCR_TAGS:-}" ]; then
while IFS= read -r t; do
[ -n "$t" ] && tag_args+=("-t" "$t")
done <<< "$GCR_TAGS"
fi
if [ -n "${GAR_TAGS:-}" ]; then
while IFS= read -r t; do
[ -n "$t" ] && tag_args+=("-t" "$t")
done <<< "$GAR_TAGS"
fi
# `imagetools create` preserves the source mediatype: since both
# per-arch sources were pushed with oci-mediatypes=false (Docker v2),
# the resulting manifest list is also Docker v2.2 — as required by
# downstream consumers that reject OCI mediatypes.
docker buildx imagetools create \
"${tag_args[@]}" \
"${GHCR_IMAGE}:${VERSION}-amd64" \
"${GHCR_IMAGE}:${VERSION}-arm64"
- name: Pull merged image for Trivy scan
run: docker pull ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }}
- name: Pick Trivy scan profile by image size
id: trivy_cfg
env:
IMAGE_REF: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }}
run: bash scripts/ci-trivy-profile.sh
- name: Trivy scan (table; fails build on HIGH/CRITICAL)
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }}
format: table
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
exit-code: '1'
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Trivy scan (SARIF for Security tab)
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.refs.outputs.ghcr_image }}:${{ steps.ver.outputs.version }}
format: sarif
output: trivy-${{ matrix.image }}.sarif
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
limit-severities-for-sarif: true
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Upload Trivy SARIF
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-${{ matrix.image }}.sarif
category: trivy-${{ matrix.image }}
# ---------------------------------------------------------------------------
# 3c) PR builds: amd64-only, no push, Trivy-scan locally loaded image.
# arm64 is intentionally skipped on PRs (multi-arch publish only happens
# on push to main). Keeps PR feedback fast.
# ---------------------------------------------------------------------------
pr-build-scan:
needs: detect-changes
if: >-
needs.detect-changes.outputs.any == 'true'
&& github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
actions: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-changes.outputs.images) }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Free disk space on runner
run: |
sudo rm -rf /usr/share/dotnet /usr/local/lib/android /opt/ghc \
/usr/local/share/boost /opt/hostedtoolcache/CodeQL \
/usr/local/lib/heroku /usr/local/share/powershell \
/usr/local/share/chromium /usr/local/share/swift || true
sudo docker image prune -af || true
df -h /
- name: Stage LICENSE into image build context
run: cp LICENSE docker/${{ matrix.image }}/LICENSE
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build single-arch local image for PR scan
uses: docker/build-push-action@v6
with:
context: docker/${{ matrix.image }}
platforms: linux/amd64
push: false
load: true
tags: ${{ matrix.image }}:scan
# Share cache with the amd64 leg of the on-push build for free
# warm-cache hits when the PR merges.
cache-from: type=gha,scope=${{ matrix.image }}-amd64
- name: Pick Trivy scan profile by image size
id: trivy_cfg
env:
IMAGE_REF: ${{ matrix.image }}:scan
run: bash scripts/ci-trivy-profile.sh
- name: Trivy scan (table; fails build on HIGH/CRITICAL)
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ matrix.image }}:scan
format: table
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
exit-code: '1'
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Trivy scan (SARIF for Security tab)
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ matrix.image }}:scan
format: sarif
output: trivy-${{ matrix.image }}.sarif
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
limit-severities-for-sarif: true
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Upload Trivy SARIF
if: always() && github.event.pull_request.head.repo.full_name == github.repository
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-${{ matrix.image }}.sarif
category: trivy-${{ matrix.image }}
# ---------------------------------------------------------------------------
# 4) Scheduled / manual rescan of :latest for every image.
# ---------------------------------------------------------------------------
rescan-latest:
needs: detect-changes
if: >-
needs.detect-changes.outputs.any == 'true'
&& (github.event_name == 'schedule' || github.event_name == 'workflow_dispatch')
runs-on: ubuntu-latest
permissions:
contents: read
packages: read
security-events: write
actions: read
strategy:
fail-fast: false
matrix:
image: ${{ fromJSON(needs.detect-changes.outputs.images) }}
steps:
- name: Checkout (for trivy configs)
uses: actions/checkout@v4
- name: Log in to GHCR
uses: docker/login-action@v3
with:
registry: ${{ env.GHCR_REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Compute image ref
id: refs
run: |
owner_repo_lc="$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')"
echo "ref=${{ env.GHCR_REGISTRY }}/${owner_repo_lc}/${{ matrix.image }}:latest" >> "$GITHUB_OUTPUT"
- name: Pull latest
run: docker pull ${{ steps.refs.outputs.ref }}
- name: Pick Trivy scan profile by image size
id: trivy_cfg
env:
IMAGE_REF: ${{ steps.refs.outputs.ref }}
run: bash scripts/ci-trivy-profile.sh
- name: Trivy scan (table)
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.refs.outputs.ref }}
format: table
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
exit-code: '1'
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Trivy scan (SARIF)
if: always()
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.refs.outputs.ref }}
format: sarif
output: trivy-${{ matrix.image }}.sarif
severity: CRITICAL,HIGH
scanners: ${{ steps.trivy_cfg.outputs.scanners }}
timeout: ${{ steps.trivy_cfg.outputs.timeout }}
limit-severities-for-sarif: true
ignore-unfixed: true
ignore-policy: docker/${{ matrix.image }}/.trivy-ignore-policy.rego
trivyignores: docker/${{ matrix.image }}/.trivyignore
- name: Upload Trivy SARIF
if: always()
uses: github/codeql-action/upload-sarif@v4
with:
sarif_file: trivy-${{ matrix.image }}.sarif
category: trivy-${{ matrix.image }}