Skip to content

Commit

Permalink
chore(deps): update dependency ubuntu to v24 (#87)
Browse files Browse the repository at this point in the history
* chore(deps): update dependency ubuntu to v24

* update

---------

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: chgl <[email protected]>
  • Loading branch information
renovate[bot] and chgl authored Oct 3, 2024
1 parent 1a9180b commit 0c1519a
Show file tree
Hide file tree
Showing 5 changed files with 41 additions and 16 deletions.
3 changes: 2 additions & 1 deletion .github/workflows/ci.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -79,7 +79,7 @@ jobs:
github-token: ${{ secrets.GITHUB_TOKEN }}

test:
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
needs:
- build
steps:
Expand All @@ -88,6 +88,7 @@ jobs:
- name: Set up containerd image store
shell: bash
run: |
[ -f /etc/docker/daemon.json ] || echo "{}" | sudo tee /etc/docker/daemon.json
jq '. | .+{"features": {"containerd-snapshotter": true}}' /etc/docker/daemon.json > /tmp/docker-daemon-with-containerd.json
sudo mv /tmp/docker-daemon-with-containerd.json /etc/docker/daemon.json
cat /etc/docker/daemon.json
Expand Down
36 changes: 30 additions & 6 deletions .github/workflows/standard-build.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -92,7 +92,7 @@ on:
jobs:
build:
name: build image
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
Expand Down Expand Up @@ -124,6 +124,7 @@ jobs:
- name: Set up containerd image store
shell: bash
run: |
[ -f /etc/docker/daemon.json ] || echo "{}" | sudo tee /etc/docker/daemon.json
jq '. | .+{"features": {"containerd-snapshotter": true}}' /etc/docker/daemon.json > /tmp/docker-daemon-with-containerd.json
sudo mv /tmp/docker-daemon-with-containerd.json /etc/docker/daemon.json
cat /etc/docker/daemon.json
Expand Down Expand Up @@ -230,14 +231,34 @@ jobs:
- name: install trivy
run: |
wget https://github.com/aquasecurity/trivy/releases/download/v0.53.0/trivy_0.53.0_Linux-64bit.deb
sudo dpkg -i trivy_0.53.0_Linux-64bit.deb
wget https://github.com/aquasecurity/trivy/releases/download/v0.56.0/trivy_0.56.0_Linux-64bit.deb
sudo dpkg -i trivy_0.56.0_Linux-64bit.deb
- name: Check trivy db sha
id: trivy-db-sha
env:
GH_TOKEN: ${{ github.token }}
run: |
endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
headers='Accept: application/vnd.github+json'
jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
echo "Trivy DB sha256:${sha}"
echo "sha=${sha}" >> "${GITHUB_OUTPUT}"
- uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: "${{ github.workspace }}/.cache/trivy"
key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db-sha.outputs.sha }}

- name: Create Trivy vulnerability attestation
if: ${{ inputs.enable-trivy-scan }}
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
trivy image \
--exit-code=0 \
--cache-dir="${{ github.workspace }}/.cache/trivy" \
--format=cosign-vuln \
--output=trivy-vuln-attestation.json \
--ignore-unfixed="${{ inputs.trivy-ignore-unfixed }}" \
Expand All @@ -258,9 +279,12 @@ jobs:
- name: Run Trivy vulnerability scanner for PR comment
if: ${{ github.event_name == 'pull_request' && inputs.enable-trivy-scan }}
env:
GITHUB_TOKEN: ${{ github.token }}
run: |
trivy image \
--exit-code=0 \
--cache-dir="${{ github.workspace }}/.cache/trivy" \
--format=template \
--output=trivy-pr-report.md \
--template="@trivy-pr-report.md.tpl" \
Expand Down Expand Up @@ -304,7 +328,7 @@ jobs:

sign-image:
name: sign image
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ github.event_name != 'pull_request' }}
needs:
- build
Expand Down Expand Up @@ -337,7 +361,7 @@ jobs:
attest-trivy-vulnerability-report:
name: attest trivy vulnerability report
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ github.event_name != 'pull_request' && inputs.enable-trivy-scan }}
needs:
- build
Expand Down Expand Up @@ -376,7 +400,7 @@ jobs:
upload-attestion-to-release:
name: upload slsa attestations to release assets
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ startsWith(github.ref, 'refs/tags/') }}
needs:
- image-provenance
Expand Down
10 changes: 5 additions & 5 deletions .github/workflows/standard-lint.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -58,7 +58,7 @@ on:
jobs:
megalinter:
name: MegaLinter
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ github.event_name == 'pull_request' }}
permissions:
issues: write
Expand Down Expand Up @@ -91,7 +91,7 @@ jobs:
dependency-review:
name: dependency review
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
# can only run on PRs or the error is:
# "Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` config options, or by running a `pull_request`/`pull_request_target` workflow."
if: ${{ github.event_name == 'pull_request' }}
Expand All @@ -105,7 +105,7 @@ jobs:

gradle-wrapper-validation:
name: validate gradle wrapper
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ inputs.enable-validate-gradle-wrapper }}
permissions:
contents: read
Expand All @@ -117,7 +117,7 @@ jobs:

base-image-signature-verification:
name: verify Dockerfile base image signature
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ inputs.enable-verify-base-image-signature }}
permissions:
contents: read
Expand All @@ -138,7 +138,7 @@ jobs:
codeql-analyze:
name: CodeQL analyze
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
if: ${{ inputs.enable-codeql }}
permissions:
actions: read
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/standard-release.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ on:
jobs:
release:
name: release
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
# run only on pushes. The semantic release default config allows releases
# to only be created from the default branch ('master'). The ci.yaml
# is configured to only run on pushes to master as well.
Expand Down Expand Up @@ -47,7 +47,7 @@ jobs:
uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # v4.1.1
with:
extra_plugins: |
conventional-changelog-conventionalcommits@5.0.0
conventional-changelog-conventionalcommits@8.0.0
[email protected]
@semantic-release/[email protected]
env:
Expand Down
4 changes: 2 additions & 2 deletions .github/workflows/standard-schedule.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,7 @@ on:
jobs:
check-links:
name: check links using lychee
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
permissions:
issues: write
steps:
Expand Down Expand Up @@ -63,7 +63,7 @@ jobs:

trivy-scan:
name: scan images with trivy
runs-on: ubuntu-22.04
runs-on: ubuntu-24.04
strategy:
matrix:
image: ${{ fromJSON(inputs.images) }}
Expand Down

0 comments on commit 0c1519a

Please sign in to comment.