This repository was archived by the owner on Sep 30, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
151 lines (131 loc) · 5.38 KB
/
artifacts.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
name: Artifacts
on:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-image.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-image.outputs.digest }}
container-image-tag:
description: Container image tag
value: ${{ jobs.container-image.outputs.tag }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-image.outputs.ref }}
permissions:
contents: read
id-token: write
# Allows pushing to the GitHub Container Registry
packages: write
jobs:
container-image:
name: Container image
runs-on: depot-ubuntu-latest
strategy:
fail-fast: false
matrix:
target: ["alpine", "distroless", "ubi8"]
permissions:
contents: read
packages: write
id-token: write
security-events: write
outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
tag: ${{ steps.meta.outputs.version }}
ref: ${{ steps.image-ref.outputs.value }}
steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: recursive
- name: Set up Depot CLI
uses: depot/setup-action@v1
- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
- name: Gather build metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: ${{ steps.image-name.outputs.value }}
flavor: |
latest = false
tags: |
type=ref,event=branch,suffix=-${{ matrix.target }}
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.target }}
type=semver,pattern={{raw}},suffix=-${{ matrix.target }}
type=raw,value=latest,suffix=-${{ matrix.target }},enable={{is_default_branch}}
type=ref,event=branch,suffix=-${{ matrix.target }}-{{sha}}-{{date 'X'}},enable={{is_default_branch}}
type=ref,event=branch,enable=${{ matrix.target == 'alpine' }}
type=ref,event=pr,prefix=pr-,enable=${{ matrix.target == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.target == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.target == 'alpine' }}
type=ref,event=branch,suffix=-{{sha}}-{{date 'X'}},enable=${{ github.ref_name == github.event.repository.default_branch && matrix.target == 'alpine' }}
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
id: build-output
with:
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
if: inputs.publish
- name: Build and push image
id: build
uses: depot/build-push-action@v1
with:
context: upstream
target: ${{ matrix.target }}
build-args: |
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
platforms: linux/amd64,linux/arm64 # The confluent library and UBI8 don't support ARMv7
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max,ignore-error=true
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}
project: 1p7zgk4zmf
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
if: inputs.publish
- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0
with:
input: image
format: sarif
output: trivy-results.sarif
# - name: Upload Trivy scan results as artifact
# uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4.0.0
# with:
# name: "[${{ github.job }}] Trivy scan results"
# path: trivy-results.sarif
# retention-days: 5
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@afb54ba388a7dca6ecae48f608c4ff05ff4cc77a # v3.25.15
with:
sarif_file: trivy-results.sarif