chore(deps): update docker/build-push-action action to v5 #656
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build Image | |
on: | |
push: | |
tags: | |
- '*-v*.*.*' | |
pull_request: | |
branches: [ main ] | |
merge_group: | |
branches: [ main ] | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
packages: 'write' | |
security-events: write | |
actions: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 # No shallow clone, we need all history | |
- name: Set tag output | |
id: tag | |
run: | | |
if [ ${{ github.event_name }} == 'pull_request' ]; | |
then | |
echo "running because of PR" | |
CHANGED_DIRS=$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.event.pull_request.head.sha }} | xargs -I {} dirname {}) | |
CONTAINER_FOLDERS=$(for CHANGED_DIR in ${CHANGED_DIRS}; do echo ${CHANGED_DIR} | awk -F "/" '{print $1}'; done | sort -u) | |
# there should only every be 1 container folder changed in a PR | |
for CONTAINER_FOLDER in ${CONTAINER_FOLDERS}; do | |
if [[ "${CONTAINER_FOLDER}" != "."* ]]; then | |
APP="${CONTAINER_FOLDER}" | |
VERSION="dev" | |
fi | |
done | |
elif [ ${{ github.event_name }} == 'merge_group' ]; | |
then | |
echo "running because of Merge Group" | |
CHANGED_DIRS=$(git diff --name-only ${{ github.event.before }}..${{ github.event.after }} | xargs -I {} dirname {}) | |
CONTAINER_FOLDERS=$(for CHANGED_DIR in ${CHANGED_DIRS}; do echo ${CHANGED_DIR} | awk -F "/" '{print $1}'; done | sort -u) | |
# there should only every be 1 container folder changed in a PR | |
for CONTAINER_FOLDER in ${CONTAINER_FOLDERS}; do | |
if [[ "${CONTAINER_FOLDER}" != "."* ]]; then | |
APP="${CONTAINER_FOLDER}" | |
VERSION="dev" | |
fi | |
done | |
else | |
TAG=${GITHUB_REF#refs/*/} | |
APP=$(echo $TAG | cut -d'-' -f1) | |
VERSION=$(echo $TAG | cut -d'-' -f2) | |
fi | |
APP_VERSION=$(grep -Eo "FROM[^:]+:[^[:space:]]+" ${APP}/Dockerfile | cut -d ":" -f 2-) | |
APP_IMAGE=$(grep -Eo "FROM[^:]+:[^[:space:]]+" ${APP}/Dockerfile | cut -d ":" -f -1 | cut -d/ -f 2- | cut -d " " -f 2-) | |
echo "app=${APP}" >> $GITHUB_OUTPUT | |
echo "version=${VERSION}" >> $GITHUB_OUTPUT | |
echo "app_version=${APP_VERSION}" >> $GITHUB_OUTPUT | |
echo "app_image=${APP_IMAGE}" >> $GITHUB_OUTPUT | |
- name: Generate tag value | |
id: tag_value | |
run: | | |
if [ ${{ github.event_name }} == 'pull_request' ] || [ ${{ github.event_name }} == 'merge_group' ]; | |
then | |
TAG_VALUE="type=raw,value=${{ steps.tag.outputs.app_version }}-plural-${{ steps.tag.outputs.version }}" | |
else | |
TAG_VALUE="type=match,prefix=${{ steps.tag.outputs.app_version }}-plural,pattern=.*-v(.*),group=1" | |
fi | |
echo "tag_value=${TAG_VALUE}" >> $GITHUB_OUTPUT | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
flavor: | | |
latest=false | |
# list of Docker images to use as base name for tags | |
images: | | |
ghcr.io/pluralsh/containers/${{ steps.tag.outputs.app_image }} | |
dkr.plural.sh/${{ steps.tag.outputs.app }}/${{ steps.tag.outputs.app_image }} | |
# generate Docker tags based on the following events/attributes | |
tags: | | |
${{ steps.tag_value.outputs.tag_value }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GHCR | |
if: ${{ github.event_name != 'pull_request' }} | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Login to plural registry | |
uses: docker/login-action@v2 | |
if: ${{ github.event_name != 'pull_request' }} | |
with: | |
registry: dkr.plural.sh | |
username: [email protected] | |
password: ${{ secrets.PLURAL_ACCESS_TOKEN }} | |
- name: Build ${{ steps.tag.outputs.app }} image for security scanning | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ steps.tag.outputs.app }} | |
file: "${{ steps.tag.outputs.app }}/Dockerfile" | |
load: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'image' | |
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
hide-progress: false | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Build ${{ steps.tag.outputs.app }} image | |
uses: docker/build-push-action@v5 | |
with: | |
context: ${{ steps.tag.outputs.app }} | |
file: "${{ steps.tag.outputs.app }}/Dockerfile" | |
push: ${{ github.event_name != 'pull_request' && github.event_name != 'merge_group' }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64,linux/arm64 | |
# cache-from: type=gha | |
# cache-to: type=gha,mode=max | |
trivy-scan: | |
name: Trivy IaC scan | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Run Trivy vulnerability scanner in IaC mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
hide-progress: false | |
scan-ref: '.' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
scanners: 'vuln,secret,config' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' |