Update actions/setup-go action to v5.2.0 (#272) #220
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Run per commit workflows | |
| on: | |
| push: | |
| branches: | |
| - 'main' | |
| jobs: | |
| AMD64-build-and-publish-to-ghcr: | |
| # Explicitly grant the `secrets.GITHUB_TOKEN` permissions. | |
| permissions: | |
| # Grant the ability to write to GitHub Packages (push Docker images to | |
| # GitHub Container Registry). | |
| packages: write | |
| # Needed to upload the code scanning results to code-scanning dashboard. | |
| security-events: write | |
| # For uploading attestations | |
| attestations: write | |
| # For OICD? https://github.com/actions/deploy-pages/issues/329 | |
| id-token: write | |
| name: Build and publish AMD64 and ARM64 container images 📦 to GitHub Container Registry | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout main | |
| uses: actions/[email protected] | |
| with: | |
| fetch-depth: 1 | |
| fetch-tags: true | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| with: | |
| platforms: 'arm64' | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Login to GitHub Container Registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ghcr.io | |
| # This is the user that triggered the Workflow. In this case, it will | |
| # either be the user whom created the Release or manually triggered | |
| # the workflow_dispatch. | |
| username: ${{ github.actor }} | |
| # `secrets.GITHUB_TOKEN` is a secret that's automatically generated by | |
| # GitHub Actions at the start of a workflow run to identify the job. | |
| # This is used to authenticate against GitHub Container Registry. | |
| # See https://docs.github.com/en/actions/security-guides/automatic-token-authentication#about-the-github_token-secret | |
| # for more detailed information. | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push alpine based image | |
| id: alpine-image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile-alpine | |
| context: . | |
| push: true # push the image to ghcr | |
| tags: | | |
| ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-alpine | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: true | |
| sbom: true | |
| - name: Attest alpine based image | |
| id: attest-alpine | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: ghcr.io/richardoc/kube-audit-rest | |
| subject-digest: ${{ steps.alpine-image.outputs.digest }} | |
| push-to-registry: true | |
| - name: Build and push distroless image | |
| id: distroless-image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile-distroless | |
| context: . | |
| push: true # push the image to ghcr | |
| tags: | | |
| ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-distroless | |
| labels: ${{ steps.meta.outputs.labels }} | |
| platforms: linux/amd64,linux/arm64 | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: true | |
| sbom: true | |
| - name: Attest distroless based image | |
| id: attest-distroless | |
| uses: actions/attest-build-provenance@v2 | |
| with: | |
| subject-name: ghcr.io/richardoc/kube-audit-rest | |
| subject-digest: ${{ steps.distroless-image.outputs.digest }} | |
| push-to-registry: true | |
| - name: Run Trivy vulnerability scanner for distroless AMD64 container | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-distroless' | |
| scan-ref: "ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-distroless" | |
| format: 'sarif' | |
| output: 'distroless-results.sarif' | |
| github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
| - name: Upload Trivy distroless AMD64 scan results to GitHub Security tab | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: 'distroless-results.sarif' | |
| category: 'trivy-distroless-AMD64' | |
| - name: Run Trivy vulnerability scanner for alpine container AMD64 | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: 'ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-alpine' | |
| scan-ref: "ghcr.io/richardoc/kube-audit-rest:${{github.sha}}-alpine" | |
| format: 'sarif' | |
| output: 'alpine-results.sarif' | |
| github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
| - name: Upload Trivy alpine AMD64 scan results to GitHub Security tab | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: 'alpine-results.sarif' | |
| category: 'trivy-alpine-AMD64-per-commit' | |
| static-scan-with-trivy: | |
| # Explicitly grant the `secrets.GITHUB_TOKEN` permissions. | |
| permissions: | |
| # Grant the ability to write to GitHub Packages (push Docker images to | |
| # GitHub Container Registry). | |
| packages: write | |
| # Needed to upload the code scanning results to code-scanning dashboard. | |
| security-events: write | |
| # Needed to upload dependency graph | |
| contents: write | |
| name: Run trivy on the repo | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout main | |
| uses: actions/[email protected] | |
| - name: Run Trivy vulnerability scanner in fs mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| scan-ref: '.' | |
| format: 'sarif' | |
| output: 'repo-results.sarif' | |
| github-pat: '${{ secrets.GITHUB_TOKEN }}' | |
| - name: Upload Trivy repo scan results to GitHub Security tab | |
| uses: github/codeql-action/[email protected] | |
| with: | |
| sarif_file: 'repo-results.sarif' | |
| category: 'trivy-repo' | |
| - name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| scan-type: 'fs' | |
| format: 'github' | |
| output: 'dependency-results.sbom.json' | |
| image-ref: '.' | |
| github-pat: ${{ secrets.GITHUB_TOKEN }} |