replace action version tags with their sha #318
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
name: ci | |
on: | |
push: | |
paths: | |
- '**/Dockerfile' | |
- '**/.github/workflows/ci.yml' | |
- '**/docker-bake.hcl' | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
env: | |
CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }} | |
CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
CONTAINER_PUSH: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }} | |
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
BUILDKIT_PROGRESS: plain | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
- name: Setup Docker Buildx | |
# kics-scan ignore-line | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
# get docker binary path to use it with env -i | |
- name: Get the docker binary path | |
id: docker-binary-path | |
run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}" | |
- name: Print the bake file with a empty env | |
id: bake-file-no-env | |
run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | |
- name: Verify the tags end on -local | |
run: | | |
while IFS='' read -r container_tag; do | |
printf "Container tag: %s\n" "${container_tag}" | |
[[ "${container_tag}" == *"-local" ]] || exit 1 | |
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]') | |
- name: Print the bake file with the runner env | |
run: docker buildx bake --print | |
- name: Verify the tags are valid | |
run: | | |
while IFS='' read -r container_tag; do | |
printf "Container tag: %s\n" "${container_tag}" | |
[[ "${container_tag}" == *"-${REF_NAME//\//-}" ]] || exit 1 | |
done < <(docker buildx bake --print | jq -r '.target[].tags[0]') | |
env: | |
REF_NAME: ${{ github.head_ref || github.ref_name }} | |
generate-jobs: | |
needs: [test] | |
runs-on: ubuntu-latest | |
outputs: | |
targets: ${{ steps.targets.outputs.matrix }} | |
platforms: ${{ steps.platforms.outputs.matrix }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
- name: Generate targets matrix | |
id: targets | |
run: | | |
printf "matrix={\"targets\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}" | |
- name: Generate platforms matrix | |
id: platforms | |
run: | | |
printf "matrix={\"targets\": %s, \"platforms\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" "$(docker buildx bake linux-platforms --print | jq -cr '.target."linux-platforms".platforms')" | tee "${GITHUB_OUTPUT}" | |
build: | |
needs: [generate-jobs] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
pull-requests: write | |
security-events: write | |
strategy: | |
fail-fast: ${{ github.event_name != 'pull_request' }} | |
matrix: ${{ github.event_name != 'pull_request' && fromJson(needs.generate-jobs.outputs.targets) || fromJson(needs.generate-jobs.outputs.platforms) }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@8ade135a41bc03ea155e62e844d188df1ea18608 | |
- name: Setup QEMU | |
# kics-scan ignore-line | |
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 | |
- name: Setup Docker Buildx | |
# kics-scan ignore-line | |
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 | |
with: | |
driver: docker-container | |
# Login against a container registry | |
# https://github.com/docker/login-action | |
# kics-scan ignore-line | |
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
name: Login to ${{ env.CONTAINER_REGISTRY }} | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ env.CONTAINER_REGISTRY_USER }} | |
password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
logout: true | |
# Free up space on the runner since the image is huge | |
# kics-scan ignore-line | |
- uses: ./.github/actions/free-space | |
name: Free up disk space | |
with: | |
deleteDotnet: 'false' | |
deleteAndroid: 'true' | |
- name: Get meta data | |
id: meta | |
run: | | |
{ | |
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch || echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
} | tee "${GITHUB_OUTPUT}" | |
- name: Create directory for docker output | |
if: github.event_name == 'pull_request' | |
run: 'mkdir -p "${DIRNAME}"' | |
env: | |
DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }} | |
# Bake the image | |
# kics-scan ignore-line | |
- uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112 | |
name: Build and Push | |
id: bake | |
with: | |
files: docker-bake.hcl | |
targets: ${{ matrix.targets }} | |
pull: true | |
provenance: ${{ github.event_name != 'pull_request' }} | |
set: | | |
${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }} | |
${{ github.event_name == 'pull_request' && format('*.output=type=docker,dest={0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) || '' }} | |
${{ github.event_name == 'pull_request' && format('*.platform={0}', matrix.platforms) || '' }} | |
push: ${{ env.CONTAINER_PUSH }} | |
# Docker-Scout - Create SBOM | |
# kics-scan ignore-line | |
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 | |
name: Create SBOM | |
id: docker-scout-sbom | |
continue-on-error: true | |
if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != '' | |
with: | |
command: sbom | |
image: ${{ format('registry://{0}', steps.meta.outputs.tag) }} | |
only-severities: critical,high | |
only-fixed: true | |
# vulnerability scan the image for main branch | |
# kics-scan ignore-line | |
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 | |
name: Analyze for critical and high CVEs | |
id: docker-scout-cves | |
continue-on-error: true | |
if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main' | |
with: | |
command: cves | |
only-severities: critical,high | |
image: ${{ steps.meta.outputs.tag }} | |
sarif-file: sarif.output.json | |
summary: false | |
# upload the results as a SARIF file to gh security tab | |
# kics-scan ignore-line | |
- uses: github/codeql-action/upload-sarif@9885f86fab4879632b7e44514f19148225dfbdcd | |
name: Upload SARIF result | |
id: upload-sarif | |
if: steps.docker-scout-cves.outcome == 'success' | |
with: | |
sarif_file: sarif.output.json | |
# vulnerability scanning to verify PRs | |
# kics-scan ignore-line | |
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0 | |
name: Docker Scout compare | |
id: pr-compare | |
if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != '' | |
with: | |
command: compare | |
platform: ${{ matrix.platforms }} | |
image: ${{ format('archive://{0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) }} | |
to: ${{ format('registry://{0}', steps.meta.outputs.to_tag) }} | |
ignore-unchanged: true | |
only-fixed: true | |
only-severities: critical, high | |
write-comment: ${{ github.actor != 'nektos/act' }} | |
summary: ${{ github.actor != 'nektos/act' }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
organization: ${{ vars.DOCKERHUB_USERNAME}} | |
approve-pr: | |
name: Approve PR | |
runs-on: ubuntu-latest | |
needs: [build] | |
if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success' | |
permissions: | |
contents: read | |
pull-requests: write | |
actions: write | |
steps: | |
# approve the PR (there is still a code-owner review necessary) | |
- name: Approve PR | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |