Merge remote-tracking branch 'upstream/master'
Showing
95 changed files
with
1,423 additions
and
522 deletions.
@@ -0,0 +1,47 @@ | ||
name: OpenSSF Scorecard | ||
|
||
on: | ||
branch_protection_rule: | ||
push: | ||
branches: [ main ] | ||
schedule: | ||
- cron: '30 0 * * 5' | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
analyze: | ||
name: Analyze | ||
runs-on: ubuntu-latest | ||
|
||
permissions: | ||
actions: read | ||
contents: read | ||
id-token: write | ||
security-events: write | ||
|
||
steps: | ||
- name: Checkout repository | ||
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
with: | ||
persist-credentials: false | ||
|
||
- name: Run analysis | ||
uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af # v2.1.3 | ||
with: | ||
results_file: results.sarif | ||
results_format: sarif | ||
publish_results: true | ||
|
||
- name: Upload results as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
name: OpenSSF Scorecard results | ||
path: results.sarif | ||
retention-days: 5 | ||
|
||
- name: Upload results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6 | ||
with: | ||
sarif_file: results.sarif |
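Review bot: The push trigger `branches: [ main ]` in this new Scorecard workflow watches a branch named `main`, while the Artifacts workflow changed in the same commit triggers on `master`; if `master` is the repository's default branch, this job will only ever fire from the weekly cron and from `branch_protection_rule` events, never on merges to the default branch. As far as I recall, `ossf/scorecard-action` only honors `publish_results: true` for runs on the default branch, so results may never actually be published from here — worth confirming against the action's docs. Suggest aligning the trigger with the real default branch, e.g. `branches: [ master ]`, and adding a comment next to it noting that the branch must match the repository default for publishing to work.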
@@ -1,97 +1,187 @@ | ||
name: Artifacts | ||
|
||
on: | ||
push: | ||
branches: | ||
- master | ||
tags: | ||
- v[0-9]+.[0-9]+.[0-9]+ | ||
pull_request: | ||
workflow_call: | ||
inputs: | ||
publish: | ||
description: Publish artifacts to the artifact store | ||
default: false | ||
required: false | ||
type: boolean | ||
secrets: | ||
DOCKER_USERNAME: | ||
required: true | ||
DOCKER_PASSWORD: | ||
required: true | ||
outputs: | ||
container-image-name: | ||
description: Container image name | ||
value: ${{ jobs.container-image.outputs.name }} | ||
container-image-digest: | ||
description: Container image digest | ||
value: ${{ jobs.container-image.outputs.digest }} | ||
container-image-ref: | ||
description: Container image ref | ||
value: ${{ jobs.container-image.outputs.ref }} | ||
|
||
permissions: | ||
contents: read | ||
|
||
jobs: | ||
container-images: | ||
name: Container images | ||
container-image: | ||
name: Container image | ||
runs-on: ubuntu-latest | ||
|
||
strategy: | ||
matrix: | ||
variant: | ||
- alpine | ||
- distroless | ||
|
||
permissions: | ||
contents: read | ||
packages: write | ||
id-token: write | ||
security-events: write | ||
|
||
outputs: | ||
name: ${{ steps.image-name.outputs.value }} | ||
digest: ${{ steps.build.outputs.digest }} | ||
ref: ${{ steps.image-ref.outputs.value }} | ||
|
||
steps: | ||
- name: Checkout | ||
uses: actions/checkout@v3 | ||
- name: Checkout repository | ||
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 | ||
|
||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 | ||
|
||
- name: Gather metadata | ||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 | ||
|
||
- name: Set up Syft | ||
uses: anchore/sbom-action/download-syft@4d571ad1038a9cc29d676154ef265ab8f9027042 # v0.14.2 | ||
|
||
- name: Set image name | ||
id: image-name | ||
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Gather build metadata | ||
id: meta | ||
uses: docker/metadata-action@v4 | ||
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 | ||
with: | ||
images: | | ||
ghcr.io/dexidp/dex | ||
${{ steps.image-name.outputs.value }} | ||
dexidp/dex | ||
flavor: | | ||
latest = false | ||
tags: | | ||
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} | ||
type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }} | ||
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} | ||
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} | ||
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }} | ||
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }} | ||
type=ref,event=branch,suffix=-${{ matrix.variant }} | ||
type=ref,event=pr,suffix=-${{ matrix.variant }} | ||
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} | ||
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} | ||
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }} | ||
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} | ||
labels: | | ||
org.opencontainers.image.documentation=https://dexidp.io/docs/ | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v2 | ||
# Multiple exporters are not supported yet | ||
# See https://github.com/moby/buildkit/pull/2760 | ||
- name: Determine build output | ||
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 | ||
id: build-output | ||
with: | ||
platforms: all | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v2 | ||
cond: ${{ inputs.publish }} | ||
if_true: type=image,push=true | ||
if_false: type=oci,dest=image.tar | ||
|
||
- name: Login to GitHub Container Registry | ||
uses: docker/login-action@v2 | ||
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.repository_owner }} | ||
username: ${{ github.actor }} | ||
password: ${{ github.token }} | ||
if: github.event_name == 'push' | ||
if: inputs.publish | ||
|
||
- name: Login to Docker Hub | ||
uses: docker/login-action@v2 | ||
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 | ||
with: | ||
username: ${{ secrets.DOCKER_USERNAME }} | ||
password: ${{ secrets.DOCKER_PASSWORD }} | ||
if: github.event_name == 'push' | ||
if: inputs.publish | ||
|
||
- name: Build and push | ||
uses: docker/build-push-action@v4 | ||
- name: Build and push image | ||
id: build | ||
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 | ||
with: | ||
context: . | ||
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le | ||
# cache-from: type=gha | ||
# cache-to: type=gha,mode=max | ||
push: ${{ github.event_name == 'push' }} | ||
tags: ${{ steps.meta.outputs.tags }} | ||
build-args: | | ||
BASE_IMAGE=${{ matrix.variant }} | ||
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} | ||
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | ||
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
# cache-from: type=gha | ||
# cache-to: type=gha,mode=max | ||
outputs: ${{ steps.build-output.outputs.value }} | ||
# push: ${{ inputs.publish }} | ||
|
||
- name: Set image ref | ||
id: image-ref | ||
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" | ||
|
||
- name: Fetch image | ||
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar | ||
if: inputs.publish | ||
|
||
# Uncomment the following lines for debugging: | ||
# - name: Upload image as artifact | ||
# uses: actions/upload-artifact@v3 | ||
# with: | ||
# name: "[${{ github.job }}] OCI tarball" | ||
# path: image.tar | ||
|
||
- name: Extract OCI tarball | ||
run: | | ||
mkdir -p image | ||
tar -xf image.tar -C image | ||
# - name: List tags | ||
# run: skopeo --insecure-policy list-tags oci:image | ||
# | ||
# # See https://github.com/anchore/syft/issues/1545 | ||
# - name: Extract image from multi-arch image | ||
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar | ||
# | ||
# - name: Generate SBOM | ||
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar | ||
# | ||
# - name: Upload SBOM as artifact | ||
# uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
# with: | ||
# name: "[${{ github.job }}] SBOM" | ||
# path: sbom-spdx.json | ||
# retention-days: 5 | ||
|
||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/[email protected] | ||
uses: aquasecurity/trivy-action@b43daad0c3c96202fc5800b511dfae8e6ecce864 # 0.11.0 | ||
with: | ||
input: image | ||
format: sarif | ||
output: trivy-results.sarif | ||
|
||
- name: Upload Trivy scan results as artifact | ||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 | ||
with: | ||
image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}" | ||
format: "sarif" | ||
output: "trivy-results.sarif" | ||
if: github.event_name == 'push' | ||
name: "[${{ github.job }}] Trivy scan results" | ||
path: trivy-results.sarif | ||
retention-days: 5 | ||
|
||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v2 | ||
uses: github/codeql-action/upload-sarif@83f0fe6c4988d98a455712a27f0255212bba9bd4 # v2.3.6 | ||
with: | ||
sarif_file: "trivy-results.sarif" | ||
if: github.event_name == 'push' | ||
sarif_file: trivy-results.sarif |
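Review bot: The `Upload Trivy scan results to GitHub Security tab` step runs once per matrix variant (`alpine` and `distroless`) but calls `upload-sarif` with only `sarif_file`, so both jobs upload under the same implicit category for the same commit and the later upload is expected to replace the earlier one's alerts in the Security tab. Add a per-variant category so both scans are retained, e.g. `category: trivy-${{ matrix.variant }}`. Separately, the previous `if: github.event_name == 'push'` guard on this step was dropped while the workflow still triggers on `pull_request`; for pull requests from forks the `GITHUB_TOKEN` does not receive `security-events: write`, so this upload will likely fail there — consider gating it with `if: github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository`.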