
update ci and bake-file
- bake-file:
  - stay on LTS .net channel with jammy (STS has issues with qemu)
  - .net sdk version 6.0.415
- ci:
  - prepend CONTAINER_ to REGISTRY env vars
  - enable pulling referenced images
  - scan for CVEs only on main
mauwii committed Oct 12, 2023
1 parent b3315d7 commit 473c187
Showing 2 changed files with 15 additions and 14 deletions.
21 changes: 11 additions & 10 deletions .github/workflows/ci.yml
Expand Up @@ -17,8 +17,8 @@ permissions:
contents: read

env:
REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }}
REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }}
CONTAINER_REGISTRY: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && 'docker.io' || 'ghcr.io' }}
CONTAINER_REGISTRY_USER: ${{ (vars.DOCKERHUB_USERNAME != '' && secrets.DOCKERHUB_TOKEN != '') && vars.DOCKERHUB_USERNAME || github.repository_owner }}
GITHUB_SHA: ${{ github.event.pull_request.head.sha || github.event.after || github.sha }}
BUILDKIT_PROGRESS: plain

Expand Down Expand Up @@ -47,7 +47,7 @@ jobs:
while IFS='' read -r container_tag; do
printf "Container tag: %s\n" "${container_tag}"
[[ "${container_tag}" == *"-local" ]] || exit 1
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]')
done < <(env -i ${{ steps.docker-binary-path.outputs.docker-bin }} buildx bake --print | jq -r '.target[].tags[0]')
- name: Print the bake file with the runner env
run: docker buildx bake --print
Expand Down Expand Up @@ -85,7 +85,7 @@ jobs:
pull-requests: write
security-events: write
strategy:
fail-fast: ${{ github.event_name != 'pull_request' }}
fail-fast: ${{ fromJson(github.event_name != 'pull_request') }}
matrix:
targets: ${{ fromJson(needs.generate-jobs.outputs.targets) }}
steps:
Expand All @@ -106,11 +106,11 @@ jobs:
# https://github.com/docker/login-action
# kics-scan ignore-line
- uses: docker/[email protected]
name: Login to ${{ env.REGISTRY }}
name: Login to ${{ env.CONTAINER_REGISTRY }}
with:
registry: ${{ env.REGISTRY }}
username: ${{ env.REGISTRY_USER }}
password: ${{ env.REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
registry: ${{ env.CONTAINER_REGISTRY }}
username: ${{ env.CONTAINER_REGISTRY_USER }}
password: ${{ env.CONTAINER_REGISTRY == 'docker.io' && secrets.DOCKERHUB_TOKEN || secrets.GITHUB_TOKEN }}
logout: true

# Free up space on the runner since the image is huge
Expand Down Expand Up @@ -138,6 +138,7 @@ jobs:
with:
files: docker-bake.hcl
targets: ${{ matrix.targets }}
pull: true
sbom: ${{ github.event_name != 'pull_request' }}
provenance: ${{ github.event_name != 'pull_request' }}
set: |
Expand All @@ -146,13 +147,13 @@ jobs:
push: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
load: ${{ github.event_name == 'pull_request' }}

# vulnerability scan the image
# vulnerability scan the image for main branch
# kics-scan ignore-line
- uses: docker/[email protected]
name: Analyze for critical and high CVEs
id: docker-scout-cves
continue-on-error: true
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}
if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' && github.ref_name == 'main' }}
with:
command: cves
image: ${{ steps.meta.outputs.tag }}
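Review bot: The narrowed `if` on the Docker Scout step (last hunk of this file) now skips the CVE scan on every ref other than `main`, while the `push:` input a few lines above still publishes the image on any non-pull_request event, so images built from other branches or from tag pushes — where `github.ref_name` is the tag name, not `main` — are pushed without a scan. If the intent is to scan whatever gets published, keep the step's guard aligned with the push condition, `if: ${{ github.event_name != 'pull_request' && github.actor != 'nektos/act' }}`, or derive both from one shared expression; if main-only scanning is deliberate, a comment such as `# CVE scan is intentionally limited to main; images pushed from other refs are not scanned` would spare the next reader the question. With `continue-on-error: true` unchanged, the scan result never gates the job either way, so the step is report-only. The workflow's `on:` triggers are outside the visible hunks, so which non-main events actually reach this job is inferred rather than confirmed.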
8 changes: 4 additions & 4 deletions docker-bake.hcl
Expand Up @@ -84,17 +84,17 @@ target "ubuntu" {
{
version = "22.04"
codename = "jammy"
DOTNET_CHANNEL = "STS"
DOTNET_CHANNEL = "LTS"
DOTNET_DEPS = "[\"libicu70\",\"libssl3\",\"libunwind8\",\"libgcc-s1\",\"liblttng-ust1\"]"
DOTNET_SDK_VERSION = "7.0.402"
POWERSHELL_VERSION = "7.3.8"
DOTNET_SDK_VERSION = "6.0.415"
POWERSHELL_VERSION = "7.2.13"
},
{
version = "20.04"
codename = "focal"
DOTNET_CHANNEL = "LTS"
DOTNET_DEPS = "[\"libicu66\",\"libssl1.1\"]"
DOTNET_SDK_VERSION = "6.0.414"
DOTNET_SDK_VERSION = "6.0.415"
POWERSHELL_VERSION = "7.2.13"
}
]
