diff --git a/.github/workflows/reusable_dockerfile_pipeline.yml b/.github/workflows/reusable_dockerfile_pipeline.yml index 8296148..8555f91 100644 --- a/.github/workflows/reusable_dockerfile_pipeline.yml +++ b/.github/workflows/reusable_dockerfile_pipeline.yml @@ -142,48 +142,48 @@ jobs: echo "Failing step due to build_for_pr == build_for_merge" exit 1 - docker-security: - needs: ["prepare-env", "logic-check"] - runs-on: "ubuntu-latest" - steps: - - name: Checkout - uses: "actions/checkout@v4" + # docker-security: + # needs: ["prepare-env", "logic-check"] + # runs-on: "ubuntu-latest" + # steps: + # - name: Checkout + # uses: "actions/checkout@v4" - - name: Build - uses: docker/build-push-action@v5 - env: - OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} - OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} - with: - context: ${{ inputs.dockerContext}} - push: false - platforms: linux/amd64 - # we're building the container before the scan, use the short sha tag - # for referring to it later - tags: ${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }} - file: ${{ inputs.dockerfile }} + # - name: Build + # uses: docker/build-push-action@v5 + # env: + # OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} + # OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} + # with: + # context: ${{ inputs.dockerContext}} + # push: false + # platforms: linux/amd64 + # # we're building the container before the scan, use the short sha tag + # # for referring to it later + # tags: ${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }} + # file: ${{ inputs.dockerfile }} - - name: Run Trivy vulnerability scanner - # source: https://github.com/aquasecurity/trivy-action - # https://github.com/marketplace/actions/aqua-security-trivy - uses: aquasecurity/trivy-action@master - env: - OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} - OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} - with: - # here we use the local tag that we've built before - image-ref: "${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}" - format: "table" - #exit-code: '1' # uncomment to stop the CI if the scanner fails - ignore-unfixed: true - vuln-type: "os,library" - severity: "CRITICAL,HIGH" + # - name: Run Trivy vulnerability scanner + # # source: https://github.com/aquasecurity/trivy-action + # # https://github.com/marketplace/actions/aqua-security-trivy + # uses: aquasecurity/trivy-action@master + # env: + # OUTPUT_SHORT_SHA: ${{ needs.prepare-env.outputs.output_short_sha }} + # OUTPUT_IMAGE_NAME: ${{ needs.prepare-env.outputs.output_image_name }} + # with: + # # here we use the local tag that we've built before + # image-ref: "${{ env.OUTPUT_IMAGE_NAME }}:${{ env.OUTPUT_SHORT_SHA }}" + # format: "table" + # #exit-code: '1' # uncomment to stop the CI if the scanner fails + # ignore-unfixed: true + # vuln-type: "os,library" + # severity: "CRITICAL,HIGH" docker-build: name: docker-build (${{ matrix.registry.name }}; ${{ matrix.registry.registry-url }}/${{ matrix.registry.registry-owner }}/${{ needs.prepare-env.outputs.output_image_name }}) runs-on: "ubuntu-latest" # wait until the jobs are finished. - needs: ["prepare-env", "logic-check", "docker-security"] + needs: ["prepare-env", "logic-check"] # We only want to run this step if one of the build flags is true. We don't # run if both logic flags are false. This is the case for push events on PR # commits. The logic-check job protects us from the case of both build flags