1
0
Fork 0
mirror of https://github.com/external-secrets/external-secrets.git synced 2024-12-14 11:57:59 +00:00
external-secrets/.github/workflows/publish.yml
dependabot[bot] 8a7fb7611c
chore(deps): bump aquasecurity/trivy-action from 0.22.0 to 0.23.0 (#3615)
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.22.0 to 0.23.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](595be6a0f6...7c2007bcb5)

---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-06-24 13:19:21 +02:00

152 lines
4.4 KiB
YAML

name: Reusable workflow to run trivy scan
on:
workflow_call:
inputs:
image-name:
required: true
type: string
image-tag:
required: false
type: string
tag-suffix:
required: true
type: string
dockerfile:
required: true
type: string
ref:
required: false
default: main
type: string
build-args:
required: true
type: string
build-arch:
required: true
type: string
build-platform:
required: true
type: string
secrets:
GHCR_USERNAME:
required: true
GHCR_TOKEN:
required: true
env:
IMAGE_NAME: ${{ inputs.image-name }}
TAG_SUFFIX: ${{ inputs.tag-suffix }}
ARCH: ${{ inputs.build-arch }}
DOCKERFILE: ${{ inputs.dockerfile }}
IS_FORK: ${{ secrets.GHCR_USERNAME == '' && 'true' || 'false' }}
jobs:
build-publish:
name: Build and Publish
runs-on: ubuntu-latest
outputs:
image-tag: ${{ steps.container_info.outputs.image-tag }}
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ inputs.ref }}
- name: Setup QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
with:
platforms: all
- name: Setup Docker Buildx
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
with:
version: 'v0.4.2'
install: true
- name: Setup Go
uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
id: setup-go
with:
go-version-file: "go.mod"
- name: Download Go modules
if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
run: go mod download
- name: Fetch History
shell: bash
run: git fetch --prune --unshallow
- name: Login to Docker
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
if: env.IS_FORK == 'false'
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Get docker image tag
id: container_info
shell: bash
env:
GITHUB_REF: ${{ github.ref }}
run: |
# rebuild-image
if [ "${{ inputs.image-tag }}" != "" ]; then
TAG="${{ inputs.image-tag }}${{ inputs.tag-suffix }}"
# main / release-x.y
elif [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" =~ refs/heads/release-.* ]]; then
TAG=${GITHUB_REF#refs/heads/}${{ inputs.tag-suffix }}
# Pull Request
else
TAG=$(make docker.tag)
fi
echo "image-tag=${TAG}" >> $GITHUB_OUTPUT
- name: Build & Publish Artifacts
if: env.IS_FORK == 'false'
shell: bash
env:
IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
BUILD_ARGS: ${{ inputs.build-args }}
DOCKER_BUILD_ARGS: >-
--push
--platform ${{ inputs.build-platform }}
run: make docker.build
- name: Build & Publish Artifacts fork
if: env.IS_FORK == 'true'
shell: bash
env:
IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
BUILD_ARGS: ${{ inputs.build-args }}
DOCKER_BUILD_ARGS: --load
run: make docker.build
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # master
with:
image-ref: ${{ inputs.image-name }}:${{ steps.container_info.outputs.image-tag }}
format: 'table'
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
sign:
runs-on: ubuntu-latest
needs: build-publish
steps:
- name: Checkout
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Sign image
if: env.IS_FORK == 'false'
uses: ./.github/actions/sign
with:
image-name: ${{ inputs.image-name }}
image-tag: ${{ needs.build-publish.outputs.image-tag }}
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}