Skip to content

Bump github/codeql-action #339

Bump github/codeql-action

Bump github/codeql-action #339

Workflow file for this run

---
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
name: ci
on:
push:
paths:
- '**/Dockerfile'
- '**/.github/workflows/ci.yml'
- '**/docker-bake.hcl'
pull_request:
branches: [main]
workflow_dispatch:
permissions:
contents: read
env:
CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }}
CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }}
CONTAINER_PUSH: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
BUILDKIT_PROGRESS: plain
jobs:
test:
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Setup Docker Buildx
# kics-scan ignore-line
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
# get docker binary path to use it with env -i
- name: Get the docker binary path
id: docker-binary-path
run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}"
- name: Print the bake file with a empty env
id: bake-file-no-env
run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print
- name: Verify the tags end on -local
run: |
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-local" ]] || exit 1
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]')
- name: Print the bake file with the runner env
run: docker buildx bake --print
- name: Verify the tags are valid
run: |
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-${REF_NAME//\//-}" ]] || exit 1
done < <(docker buildx bake --print | jq -r '.target[].tags[0]')
env:
REF_NAME: ${{ github.head_ref || github.ref_name }}
generate-jobs:
needs: [test]
runs-on: ubuntu-latest
outputs:
targets: ${{ steps.targets.outputs.matrix }}
platforms: ${{ steps.platforms.outputs.matrix }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Generate targets matrix
id: targets
run: |
printf "matrix={\"targets\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}"
- name: Generate platforms matrix
id: platforms
run: |
printf "matrix={\"targets\": %s, \"platforms\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" "$(docker buildx bake linux-platforms --print | jq -cr '.target."linux-platforms".platforms')" | tee "${GITHUB_OUTPUT}"
build:
needs: [generate-jobs]
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
pull-requests: write
security-events: write
strategy:
fail-fast: ${{ github.event_name != 'pull_request' }}
matrix: ${{ github.event_name != 'pull_request' && fromJson(needs.generate-jobs.outputs.targets) || fromJson(needs.generate-jobs.outputs.platforms) }}
steps:
- name: Checkout code
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
- name: Setup QEMU
# kics-scan ignore-line
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3
- name: Setup Docker Buildx
# kics-scan ignore-line
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226
with:
driver: docker-container
# Login against a container registry
# https://github.com/docker/login-action
# kics-scan ignore-line
- uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d
name: Login to ${{ env.CONTAINER_REGISTRY }}
with:
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ env.CONTAINER_REGISTRY_USER }}
password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
logout: true
# Free up space on the runner since the image is huge
# kics-scan ignore-line
- uses: ./.github/actions/free-space
name: Free up disk space
with:
deleteDotnet: 'false'
deleteAndroid: 'true'
- name: Get meta data
id: meta
run: |
{
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch || echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')";
} | tee "${GITHUB_OUTPUT}"
- name: Create directory for docker output
if: github.event_name == 'pull_request'
run: 'mkdir -p "${DIRNAME}"'
env:
DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }}
# Bake the image
# kics-scan ignore-line
- uses: docker/bake-action@511fde2517761e303af548ec9e0ea74a8a100112
name: Build and Push
id: bake
with:
files: docker-bake.hcl
targets: ${{ matrix.targets }}
pull: true
provenance: ${{ github.event_name != 'pull_request' }}
set: |
${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }}
${{ github.event_name == 'pull_request' && format('*.output=type=docker,dest={0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) || '' }}
${{ github.event_name == 'pull_request' && format('*.platform={0}', matrix.platforms) || '' }}
push: ${{ env.CONTAINER_PUSH }}
# Docker-Scout - Create SBOM
# kics-scan ignore-line
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0
name: Create SBOM
id: docker-scout-sbom
continue-on-error: true
if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != ''
with:
command: sbom
image: ${{ format('registry://{0}', steps.meta.outputs.tag) }}
only-severities: critical,high
only-fixed: true
# vulnerability scan the image for main branch
# kics-scan ignore-line
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0
name: Analyze for critical and high CVEs
id: docker-scout-cves
continue-on-error: true
if: env.CONTAINER_PUSH == 'true' && github.ref_name == 'main'
with:
command: cves
only-severities: critical,high
image: ${{ steps.meta.outputs.tag }}
sarif-file: sarif.output.json
summary: false
# upload the results as a SARIF file to gh security tab
# kics-scan ignore-line
- uses: github/codeql-action/upload-sarif@63470275e73bbef3ffab4f0bfff5b52e0772baf5
name: Upload SARIF result
id: upload-sarif
if: steps.docker-scout-cves.outcome == 'success'
with:
sarif_file: sarif.output.json
# vulnerability scanning to verify PRs
# kics-scan ignore-line
- uses: docker/scout-action@914f29b95fa18690ce41fdee98cf892d78f8c5c0
name: Docker Scout compare
id: pr-compare
if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != ''
with:
command: compare
platform: ${{ matrix.platforms }}
image: ${{ format('archive://{0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) }}
to: ${{ format('registry://{0}', steps.meta.outputs.to_tag) }}
ignore-unchanged: true
only-fixed: true
only-severities: critical, high
write-comment: ${{ github.actor != 'nektos/act' }}
summary: ${{ github.actor != 'nektos/act' }}
github-token: ${{ secrets.GITHUB_TOKEN }}
organization: ${{ vars.DOCKERHUB_USERNAME}}
approve-pr:
name: Approve PR
runs-on: ubuntu-latest
needs: [build]
if: contains(fromJson('["mauwii","dependabot[bot]"]'), github.triggering_actor) && github.event_name == 'pull_request' && needs.build.result == 'success'
permissions:
contents: read
pull-requests: write
actions: write
steps:
# approve the PR (there is still a code-owner review necessary)
- name: Approve PR
run: gh pr review --approve "$PR_URL"
env:
PR_URL: ${{github.event.pull_request.html_url}}
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}