Bump docker/scout-action from 1.5.0 to 1.5.1 #434
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json | |
name: ci | |
on: | |
push: | |
branches: | |
- main | |
# - '!dependabot/**' # only run PR Jobs for dependabot branches | |
paths: | |
- '**/Dockerfile' | |
- '**/docker-bake.hcl' | |
pull_request: | |
branches: [main] | |
workflow_dispatch: | |
permissions: | |
contents: read | |
env: | |
CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }} | |
CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }} | |
CONTAINER_PUSH: ${{ github.ref == 'refs/heads/main' && github.actor != 'nektos/act' }} | |
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }} | |
BUILDKIT_PROGRESS: plain | |
jobs: | |
test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c | |
# get docker binary path to use it with env -i | |
- name: Get the docker binary path | |
id: docker-binary-path | |
run: echo "docker-bin=$(which docker)" | tee "${GITHUB_OUTPUT}" | |
- name: Print the bake file with a empty env | |
id: bake-file-no-env | |
run: env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | |
- name: Verify the tags end on -local | |
run: | | |
while IFS='' read -r container_tag; do | |
printf "Container tag: %s\n" "${container_tag}" | |
[[ "${container_tag}" == *"-local" ]] || exit 1 | |
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]') | |
- name: Print the bake file with the runner env | |
run: docker buildx bake --print | |
- name: Verify the tags are valid | |
run: | | |
while IFS='' read -r container_tag; do | |
printf "Container tag: %s\n" "${container_tag}" | |
[[ "${container_tag}" == *"-${REF_NAME//\//-}" ]] || exit 1 | |
done < <(docker buildx bake --print | jq -r '.target[].tags[0]') | |
env: | |
REF_NAME: ${{ github.head_ref || github.ref_name }} | |
generate-jobs: | |
needs: [test] | |
runs-on: ubuntu-latest | |
outputs: | |
targets: ${{ steps.targets.outputs.matrix }} | |
platforms: ${{ steps.platforms.outputs.matrix }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Generate targets matrix | |
id: targets | |
run: | | |
printf "matrix={\"targets\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" | tee "${GITHUB_OUTPUT}" | |
- name: Generate platforms matrix | |
id: platforms | |
run: | | |
printf "matrix={\"targets\": %s, \"platforms\": %s}\n" "$(docker buildx bake --print | jq -r '"\(.target | keys)"')" "$(docker buildx bake linux-platforms --print | jq -cr '.target."linux-platforms".platforms')" | tee "${GITHUB_OUTPUT}" | |
build: | |
needs: [generate-jobs] | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
packages: write | |
pull-requests: write | |
security-events: write | |
strategy: | |
fail-fast: ${{ github.event_name != 'pull_request' }} | |
matrix: ${{ github.event_name != 'pull_request' && fromJson(needs.generate-jobs.outputs.targets) || fromJson(needs.generate-jobs.outputs.platforms) }} | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 | |
- name: Setup QEMU | |
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c | |
with: | |
driver: docker-container | |
# Login against a container registry | |
# https://github.com/docker/login-action | |
- name: Login to ${{ env.CONTAINER_REGISTRY }} | |
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
with: | |
registry: ${{ env.CONTAINER_REGISTRY }} | |
username: ${{ env.CONTAINER_REGISTRY_USER }} | |
password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }} | |
logout: true | |
# Free up space on the runner since the image is huge | |
# kics-scan ignore-line | |
- uses: ./.github/actions/free-space | |
name: Free up disk space | |
with: | |
deleteDotnet: 'true' | |
deleteAndroid: 'true' | |
- name: Get meta data | |
id: meta | |
run: | | |
{ | |
printf "tag=%s\n" "$(docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
printf "to_tag=%s\n" "$(REF_NAME="$([[ -z "${GITHUB_BASE_REF}" ]] && git config --get init.defaultBranch || echo "${GITHUB_BASE_REF}")" docker buildx bake ${{ matrix.targets }} --print | jq -r '.target[].tags[0]')"; | |
} | tee "${GITHUB_OUTPUT}" | |
# Used when the image is not pushed to a registry | |
- name: Create directory for docker output | |
if: env.CONTAINER_PUSH | |
run: 'mkdir -p "${DIRNAME}"' | |
env: | |
DIRNAME: ${{ format('{0}/{1}', github.workspace, matrix.platforms) }} | |
# Bake the image | |
- name: Build and Push | |
uses: docker/bake-action@849707117b03d39aba7924c50a10376a69e88d7d | |
id: bake | |
with: | |
files: docker-bake.hcl | |
targets: ${{ matrix.targets }} | |
pull: true | |
provenance: ${{ github.event_name != 'pull_request' }} | |
set: | | |
${{ github.event_name == 'pull_request' && '*.cache-to=' || '' }} | |
${{ github.event_name == 'pull_request' && format('*.output=type=docker,dest={0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) || '' }} | |
${{ github.event_name == 'pull_request' && format('*.platform={0}', matrix.platforms) || '' }} | |
push: ${{ env.CONTAINER_PUSH }} | |
# Docker-Scout - Create SBOM | |
- name: Create SBOM | |
uses: docker/scout-action@b3dd3d6c420903eb3ff2812ac1b1d146ffb93a41 | |
id: docker-scout-sbom | |
continue-on-error: true | |
if: env.CONTAINER_PUSH == 'true' && vars.DOCKERHUB_USERNAME != '' | |
with: | |
command: sbom | |
image: ${{ format('registry://{0}', steps.meta.outputs.tag) }} | |
only-severities: critical,high | |
only-fixed: true | |
# vulnerability scan the image for main branch and upload the results as a SARIF file | |
- name: Analyze for critical and high CVEs | |
uses: docker/scout-action@b3dd3d6c420903eb3ff2812ac1b1d146ffb93a41 | |
id: docker-scout-cves | |
continue-on-error: true | |
if: env.CONTAINER_PUSH == 'true' | |
with: | |
command: cves | |
only-severities: critical,high | |
image: ${{ steps.meta.outputs.tag }} | |
sarif-file: sarif.output.json | |
summary: false | |
- name: Upload SARIF result | |
uses: github/codeql-action/upload-sarif@4b6aa0b07da05d6e43d0e5f9c8596a6532ce1c85 | |
id: upload-sarif | |
if: steps.docker-scout-cves.outcome == 'success' | |
with: | |
sarif_file: sarif.output.json | |
# vulnerability scanning to verify PRs | |
- name: Docker Scout compare | |
uses: docker/scout-action@b3dd3d6c420903eb3ff2812ac1b1d146ffb93a41 | |
id: pr-compare | |
if: github.event_name == 'pull_request' && vars.DOCKERHUB_USERNAME != '' | |
with: | |
command: compare | |
platform: ${{ matrix.platforms }} | |
image: ${{ format('archive://{0}/{1}/{2}.tar', github.workspace, matrix.platforms, matrix.targets) }} | |
to: ${{ format('registry://{0}', steps.meta.outputs.to_tag) }} | |
ignore-unchanged: true | |
only-fixed: true | |
only-severities: critical, high | |
write-comment: false | |
summary: ${{ github.actor != 'nektos/act' }} | |
github-token: ${{ secrets.GITHUB_TOKEN }} | |
organization: ${{ vars.DOCKERHUB_USERNAME}} | |
approve-pr: | |
needs: [build] | |
runs-on: ubuntu-latest | |
if: ${{ success() && contains(fromJson(format('["{0}","dependabot[bot]"]', github.repository_owner)), github.triggering_actor) && github.event_name == 'pull_request' }} | |
permissions: | |
contents: read | |
pull-requests: write | |
actions: write | |
steps: | |
# approve the PR (there is still a code-owner review necessary) | |
- name: Approve PR | |
run: gh pr review --approve "$PR_URL" | |
env: | |
PR_URL: ${{github.event.pull_request.html_url}} | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} |