feat: initial commit of action

ZeitOnline · Sep 4, 2024 · 15aea69 · 15aea69
1 parent 5aea690
commit 15aea69
Show file tree

Hide file tree

Showing 2 changed files with 73 additions and 0 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -0,0 +1,35 @@
+on:
+  push:
+    branches:
+      - main
+
+name: Create Release
+
+jobs:
+  release:
+    name: Create Release
+    runs-on: ubuntu-latest # run on hosted runner, because it's a public repo
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - id: release
+        uses: googleapis/release-please-action@v4
+        with:
+          release-type: simple
+      - uses: actions/checkout@v4
+      - name: tag major and minor versions
+        if: ${{ steps.release.outputs.release_created }}
+        run: |
+          git config user.name github-actions[bot]
+          git config user.email 41898282+github-actions[bot]@users.noreply.github.com
+          git remote add gh-token "https://${{ secrets.GITHUB_TOKEN }}@github.com/googleapis/release-please-action.git"
+          git tag -d v${{ steps.release.outputs.major }} || true
+          git tag -d v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
+          git push origin :v${{ steps.release.outputs.major }} || true
+          git push origin :v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} || true
+          git tag -a v${{ steps.release.outputs.major }} -m "Release v${{ steps.release.outputs.major }}"
+          git tag -a v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }} -m "Release v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}"
+          git push origin v${{ steps.release.outputs.major }}
+          git push origin v${{ steps.release.outputs.major }}.${{ steps.release.outputs.minor }}
diff --git a/action.yaml b/action.yaml
@@ -0,0 +1,38 @@
+name: ZON image scanning action
+description: A composite action to scan images with Sysdig
+
+inputs:
+  gha_vault_role:
+    description: The gha_vault_role as output by the baseproject action
+    required: true
+  image_tag:
+    description: The name and tag of the image to be scanned
+    required: true
+  stop_on_failed_policy_eval:
+    description: Whether to fail the action when the policy evaluation fails
+    default: 'true'
+
+runs:
+  using: "composite"
+  steps:
+    # This is covered by the default GHA Vault policy,
+    # no extra setup required
+    - name: Retrieve Sysdig secure token
+      uses: hashicorp/vault-action@d1720f055e0635fd932a1d2a48f87a666a57906c # v3.0.0
+      with:
+        method: jwt
+        url: https://vault.ops.zeit.de
+        path: github-actions
+        role: ${{ inputs.gha_vault_role }}
+        secrets: |
+          zon/v1/sysdig/sysdig-scanner api-key | SYSDIG_SECURE_TOKEN ;
+
+    # The results from this scan will appear in the GHA actions summary
+    # as well as the Sysdig UI under Vulnerabilities/Pipeline
+    - name: Scan image
+      uses: sysdiglabs/scan-action@v5
+      with:
+        image-tag: ${{ inputs.tag }}
+        stop-on-failed-policy-eval: ${{ inputs.stop_on_failed_policy_eval }}
+        sysdig-secure-token: ${{ env.SYSDIG_SECURE_TOKEN }}
+        sysdig-secure-url: https://eu1.app.sysdig.com/secure