add organization to pr-compare #311

Workflow file for this run

	---
	# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json

	name: ci

	on:
	push:
	paths:
	- '**/Dockerfile'
	- '**/.github/workflows/ci.yml'
	- '**/docker-bake.hcl'
	pull_request:
	branches: [main]
	workflow_dispatch:

	permissions:
	contents: read

	env:
	CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' \|\| 'ghcr.io' }}
	CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME \|\| github.repository_owner }}
	CONTAINER_PUSH: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
	GITHUB_SHA: ${{ github.event.pull_request.head.sha \|\| github.event.after \|\| github.sha }}
	BUILDKIT_PROGRESS: plain

	jobs:
	test:
	runs-on: ubuntu-latest
	steps:
	- name: Checkout code
	uses: actions/[email protected]

	- name: Setup Docker Buildx
	# kics-scan ignore-line
	uses: docker/[email protected]

	# get docker binary path to use it with env -i
	- name: Get the docker binary path
	id: docker-binary-path
	run: echo "docker-bin=$(which docker)" \| tee "${GITHUB_OUTPUT}"

	- name: Print the bake file with a empty env
	id: bake-file-no-env
	run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print

	- name: Verify the tags end on -local
	run: \|
	while IFS='' read -r container_tag; do
	printf "Container tag: %s\n" "${container_tag}"
	[[ "${container_tag}" == *"-local" ]] \|\| exit 1
	done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print \| jq -r '.target[].tags[0]')

	- name: Print the bake file with the runner env
	run: docker buildx bake --print

	- name: Verify the tags are valid
	run: \|
	while IFS='' read -r container_tag; do
	printf "Container tag: %s\n" "${container_tag}"
	[[ "${container_tag}" == *"-${REF_NAME//\//-}" ]] \|\| exit 1
	done < <(docker buildx bake --print \| jq -r '.target[].tags[0]')
	env:
	REF_NAME: ${{ github.head_ref \|\| github.ref_name }}

	generate-jobs:
	needs: [test]
	runs-on: ubuntu-latest
	outputs:
	targets: ${{ steps.targets.outputs.matrix }}
	platforms: ${{ steps.platforms.outputs.matrix }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]

	- name: Generate targets matrix
	id: targets
	run: \|
	printf "matrix={\"targets\": %s}\n" "$(docker buildx bake --print \| jq -r '"\(.target \| keys)"')" \| tee "${GITHUB_OUTPUT}"

	- name: Generate platforms matrix
	id: platforms
	run: \|
	printf "matrix={\"targets\": %s, \"platforms\": %s}\n" "$(docker buildx bake --print \| jq -r '"\(.target \| keys)"')" "$(docker buildx bake linux-platforms --print \| jq -cr '.target."linux-platforms".platforms')" \| tee "${GITHUB_OUTPUT}"

	build:
	needs: [generate-jobs]
	runs-on: ubuntu-latest
	permissions:
	contents: read
	packages: write
	pull-requests: write
	security-events: write
	strategy:
	fail-fast: ${{ github.event_name != 'pull_request' }}
	matrix: ${{ github.event_name != 'pull_request' && fromJson(needs.generate-jobs.outputs.targets) \|\| fromJson(needs.generate-jobs.outputs.platforms) }}
	steps:
	- name: Checkout code
	uses: actions/[email protected]

	- name: Setup QEMU
	# kics-scan ignore-line
	uses: docker/[email protected]

	- name: Setup Docker Buildx
	# kics-scan ignore-line
	uses: docker/[email protected]
	with:
	driver: docker-container

	# Login against a container registry
	# https://github.com/docker/login-action
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Login to ${{ env.CONTAINER_REGISTRY }}
	with:
	registry: ${{ env.CONTAINER_REGISTRY }}
	username: ${{ env.CONTAINER_REGISTRY_USER }}
	password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN \|\| secrets.GITHUB_TOKEN }}
	logout: true

	# Free up space on the runner since the image is huge
	# kics-scan ignore-line
	- uses: ./.github/actions/free-space
	name: Free up disk space
	with:
	deleteDotnet: 'false'
	deleteAndroid: 'true'

	- name: Get meta data
	id: meta
	run: \|
	{
	printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')";
	printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch \|\| echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print \| jq -r '.target[].tags[0]')";
	} \| tee "${GITHUB_OUTPUT}"

	- name: Create directory for docker output
	if: github.event_name == 'pull_request'
	run: 'mkdir -p "${DIRNAME}"'
	env:
	DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }}

	# Bake the image
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Build and Push
	id: bake
	with:
	files: docker-bake.hcl
	targets: ${{ matrix.targets }}
	pull: true
	provenance: ${{ github.event_name != 'pull_request' }}
	set: \|
	${{ github.event_name == 'pull_request' && '*.cache-to=' \|\| '' }}
	${{ github.event_name == 'pull_request' && format('*.output=type=docker,dest={0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) \|\| '' }}
	${{ github.event_name == 'pull_request' && format('*.platform={0}', matrix.platforms) \|\| '' }}
	push: ${{ env.CONTAINER_PUSH }}

	# Docker-Scout - Create SBOM
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Create SBOM
	id: docker-scout-sbom
	continue-on-error: true
	if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != ''
	with:
	command: sbom
	image: ${{ format('registry://{0}', steps.meta.outputs.tag) }}
	only-severities: critical,high
	only-fixed: true

	# vulnerability scan the image for main branch
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Analyze for critical and high CVEs
	id: docker-scout-cves
	continue-on-error: true
	if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main'
	with:
	command: cves
	only-severities: critical,high
	image: ${{ steps.meta.outputs.tag }}
	sarif-file: sarif.output.json
	summary: false
	# upload the results as a SARIF file to gh security tab
	# kics-scan ignore-line
	- uses: github/codeql-action/[email protected]
	name: Upload SARIF result
	id: upload-sarif
	if: steps.docker-scout-cves.outcome == 'success'
	with:
	sarif_file: sarif.output.json

	# vulnerability scanning to verify PRs
	# kics-scan ignore-line
	- uses: docker/[email protected]
	name: Docker Scout compare
	id: pr-compare
	if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != ''
	with:
	command: compare
	platform: ${{ matrix.platforms }}
	image: ${{ format('archive://{0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) }}
	to: ${{ format('registry://{0}', steps.meta.outputs.to_tag) }}
	ignore-unchanged: true
	only-fixed: true
	only-severities: critical, high
	write-comment: ${{ github.actor != 'nektos/act' }}
	summary: ${{ github.actor != 'nektos/act' }}
	github-token: ${{ secrets.GITHUB_TOKEN }}
	organization: ${{ vars.DOCKERHUB_USERNAME}}

	approve-pr:
	name: Approve PR
	runs-on: ubuntu-latest
	needs: [build]
	if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success'
	permissions:
	contents: read
	pull-requests: write
	actions: write
	steps:
	# approve the PR (there is still a code-owner review necessary)
	- name: Approve PR
	run: gh pr review --approve "$PR_URL"
	env:
	PR_URL: ${{github.event.pull_request.html_url}}
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

add organization to pr-compare #311

Workflow file

add organization to pr-compare #311

Jobs

Run details

Workflow file for this run