178 lines (169 loc) · 6.11 KB
action.yml
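---
name: Build and push multi-architecture Docker image
description: >
  Builds and pushes a multi-architecture Docker image using QEMU and buildx.

inputs:
  checkout-path:
    # Passed to `git -C` by the rev-parse step so the SARIF upload can record
    # the exact commit that was built.
    description: The path at which code is checked out
    required: true
    default: ${{ github.workspace }}
  cache-key:
    # Becomes the `scope=` of the gha cache-from / cache-to entries.
    description: Cache key for the image, used to preserve Docker layer cache.
    required: true
  build-args:
    description: List of build-time variables
    required: false
  context:
    description: Directory to use for the build context
    required: false
  file:
    description: Path to the Dockerfile
    required: false
  labels:
    description: List of metadata for an image
    required: false
  platforms:
    description: List of target platforms for build
    required: false
  pull:
    description: Always attempt to pull a newer version of the image
    required: false
    # Quoted so YAML does not coerce the default to a boolean; action inputs
    # are always strings and the steps compare against 'true'/'false'.
    default: 'false'
  push:
    # Gates both the registry push and the cosign install/sign steps.
    description: Whether or not to push the resulting image
    required: false
    default: 'false'
  tags:
    # Split on whitespace by the "Split branch name" step: the LAST tag is the
    # reference that Trivy scans and its name (without ':tag') is the SARIF
    # category. Every tag is signed at the build digest when push is 'true'.
    description: List of tags
    required: false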
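runs:
  using: composite
  steps:
    # Supply-chain note: the third-party actions below are pinned to mutable
    # tags (v3, v6, ...). Pinning to full commit SHAs is the stronger control.
    - name: Set up QEMU
      uses: docker/setup-qemu-action@v3
      with:
        platforms: all

    # Ideas from:
    # https://github.com/actions/starter-workflows/blob/main/ci/docker-publish.yml

    # Install the cosign tool only when the image will be pushed
    # https://github.com/sigstore/cosign-installer
    - name: Install cosign
      if: ${{ inputs.push == 'true' }}
      uses: sigstore/cosign-installer@v3

    # Set up BuildKit Docker container builder to be able to build
    # multi-platform images and export cache
    # https://github.com/docker/setup-buildx-action
    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v3

    # NOTE(review): when push is 'true' the image is in the registry from this
    # step on, before the Trivy CRITICAL gate and the signing step have run. A
    # failing scan therefore leaves a pushed but unsigned image behind, so
    # consumers should require a valid signature rather than mere presence.
    - name: Build and push image
      id: build-and-push
      uses: docker/build-push-action@v6
      with:
        build-args: ${{ inputs.build-args }}
        context: ${{ inputs.context }}
        file: ${{ inputs.file }}
        labels: ${{ inputs.labels }}
        platforms: ${{ inputs.platforms }}
        pull: ${{ inputs.pull }}
        push: ${{ inputs.push }}
        tags: ${{ inputs.tags }}
        cache-from: type=gha,scope=${{ inputs.cache-key }}
        cache-to: type=gha,mode=max,scope=${{ inputs.cache-key }}

    # Derive the reference to scan (the last tag) and the bare image name
    # (used as the SARIF category) from the whitespace-separated tags input.
    - name: Split branch name
      id: split
      shell: bash
      env:
        TAGS: ${{ inputs.tags }}
      run: |
        # Split on IFS whitespace exactly as a `for i in $TAGS` loop would, but
        # with globbing disabled so a tag containing '*' or '?' is never
        # expanded against the filesystem.
        set -f
        tags=($TAGS)
        set +f
        if [ "${#tags[@]}" -eq 0 ]; then
          echo "no tags provided; cannot derive an image reference to scan" >&2
          exit 1
        fi
        IMAGE_REF="${tags[-1]}"
        # Strips everything from the last ':' — right for name:tag, but note it
        # would also strip a registry port from an untagged reference.
        IMAGE_NAME="${IMAGE_REF%:*}"
        echo "image-ref=$IMAGE_REF" >> "$GITHUB_OUTPUT"
        echo "image-name=$IMAGE_NAME" >> "$GITHUB_OUTPUT"

    # Scan the built image and write SARIF for code scanning. No exit-code is
    # set here, so findings do not fail the job; the CRITICAL gate comes later.
    # NOTE(review): the action ref below reads '[email protected]', which looks like
    # an artifact of how this page was extracted rather than a real version;
    # restore the pinned trivy-action tag or commit SHA before using this file.
    - name: Run Trivy vulnerability scanner for SARIF
      uses: aquasecurity/[email protected]
      with:
        image-ref: ${{ steps.split.outputs.image-ref }}
        format: sarif
        output: trivy-results.sarif
      env:
        # Pull the Trivy vulnerability DB from this repository instead of the default.
        TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2

    - name: Determine commit SHA of checkout
      id: rev-parse
      shell: bash
      env:
        CHECKOUT_PATH: ${{ inputs.checkout-path }}
      run: |
        # Test the command directly: `shell: bash` steps run with `-e`, so a
        # failing substitution would exit before a separate `$?` check is ever
        # reached. The path is quoted so a directory with spaces is not split.
        if ! sha="$(git -C "$CHECKOUT_PATH" rev-parse HEAD)"; then
          echo "unable to determine SHA of checkout" >&2
          exit 1
        fi
        echo "sha=$sha" >> "$GITHUB_OUTPUT"

    # In order to make pull_request_target associate SARIF files with the correct PR,
    # we must specify ref and sha
    #
    # The given SHA is always the SHA we discovered from the checkout. The ref is determined
    # using the following logic:
    #
    # * If the event _is not_ pull_request_target, use github.ref
    # * If the event _is_ pull_request_target
    #   * If the event has a merge commit SHA _AND_ the checkout out is the merge commit,
    #     use a PR merge ref
    #   * If the event is from a fork, DO NOT upload the SARIF
    #   * Use the PR head ref
    #
    # NOTE(review): pull_request_target runs with the base repository's
    # permissions, and the build step above runs `docker build` on whatever
    # checkout-path contains. Callers using that event must make sure the
    # checked-out code is trusted before invoking this action.
    - name: Upload Trivy scan results to GitHub Security tab - pull_request_target
      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: trivy-results.sarif
        category: ${{ steps.split.outputs.image-name }}
        ref: >-
          ${{
            github.event_name == 'pull_request_target' &&
            (github.event.pull_request.merge_commit_sha == steps.rev-parse.outputs.sha &&
              format('refs/pull/{0}/merge', github.event.pull_request.number) ||
              format('refs/heads/{0}', github.event.pull_request.head.ref)
            ) ||
            github.ref
          }}
        sha: ${{ steps.rev-parse.outputs.sha }}
      # Upload unless the event is a pull_request_target whose checkout is neither
      # the merge commit nor from the base repository (i.e. an unmerged fork head).
      if: >-
        ${{
          github.event_name != 'pull_request_target' ||
          github.event.pull_request.merge_commit_sha == steps.rev-parse.outputs.sha ||
          github.event.pull_request.head.repo.id == github.repository_id
        }}

    # Gate: re-scan and fail the job on CRITICAL findings that have a fix
    # available (ignore-unfixed drops findings with no fixed version yet).
    - name: Fail if scan has CRITICAL vulnerabilities
      uses: aquasecurity/[email protected]
      with:
        image-ref: ${{ steps.split.outputs.image-ref }}
        format: table
        exit-code: '1'
        severity: 'CRITICAL'
        ignore-unfixed: true
      env:
        TRIVY_DB_REPOSITORY: ghcr.io/azimuth-cloud/trivy-db:2
        # Required until https://github.com/aquasecurity/trivy-action/issues/438 is fixed
        # Explicitly override any envvars set in the previous call
        TRIVY_FORMAT: table
        TRIVY_OUTPUT: ""

    # Sign the pushed image digest. Guarded by the same push == 'true' check as
    # the cosign install above, so nothing is signed for non-push builds.
    # This will only write to the public Rekor transparency log when the Docker
    # repository is public to avoid leaking data. If you would like to publish
    # transparency data even for private images, pass --force to cosign below.
    # https://github.com/sigstore/cosign
    # The caller's workflow must grant `id-token: write` for the OIDC token.
    - name: Sign the images with GitHub OIDC Token
      if: ${{ inputs.push == 'true' }}
      # This step uses the identity token to provision an ephemeral certificate
      # against the sigstore community Fulcio instance.
      shell: bash
      env:
        TAGS: ${{ inputs.tags }}
        DIGEST: ${{ steps.build-and-push.outputs.digest }}
      run: |
        # Sign every tag at the digest produced by the build step, so the
        # signature is bound to the exact content rather than a mutable tag.
        if [ -z "${DIGEST}" ]; then
          echo "build step produced no digest; refusing to sign" >&2
          exit 1
        fi
        images=""
        for tag in ${TAGS}; do
          images+="${tag}@${DIGEST} "
        done
        # Word-splitting of ${images} is intentional: one argument per reference.
        cosign sign --yes ${images}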