From eb760986ee66faa5c940b9ab970d215f1fd442e5 Mon Sep 17 00:00:00 2001
From: Ashley Felton
Date: Thu, 11 Jan 2024 10:00:44 +0800
Subject: [PATCH] Update build workflow.
---
 .github/workflows/image-build-scan.yml | 42 ++++++++++++++++++--------
 1 file changed, 29 insertions(+), 13 deletions(-)
diff --git a/.github/workflows/image-build-scan.yml b/.github/workflows/image-build-scan.yml
index 8c070cb..98fa4fe 100644
--- a/.github/workflows/image-build-scan.yml
+++ b/.github/workflows/image-build-scan.yml
@@ -3,11 +3,11 @@ name: "Build Docker image and run Trivy vulnerability scan"
 on: push: # Publish `master` as `latest` image. - branches: [ master ] - # Publish `1.*` tags as releases. - tags: [ '1.*' ] + branches: [master] + # Publish `1.*` and `2.*1 tags as releases. + tags: ['1.*', '2.*'] pull_request: - branches: [ master ] + branches: [master] env: REGISTRY: ghcr.io
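Review bot: The rewritten comment above the new `tags:` line has a stray `1` where the closing backtick after `2.*` belongs, so it currently reads "Publish `1.*` and `2.*1 tags as releases"; replace that `1` with a backtick so it reads `# Publish 1.* and 2.* tags as releases.` with both globs in backticks. Worth keeping that comment accurate, since it is the only place documenting that pushes of any tag matching `2.*` now also trigger a build and publish of the image.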
@@ -22,38 +22,51 @@ jobs: packages: write security-events: write steps: - - name: Set up QEMU - uses: docker/setup-qemu-action@v2 + #---------------------------------------------- + # Checkout repo + #---------------------------------------------- - name: Checkout repository - uses: actions/checkout@v3 + uses: actions/checkout@v4 id: checkout-repo with: fetch-depth: 0 + #---------------------------------------------- + # Set up Docker BuildX environment + #---------------------------------------------- - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v2 + uses: docker/setup-buildx-action@v3 + #---------------------------------------------- + # Log Docker into the GitHub Container Repository + #---------------------------------------------- - name: Log into registry ${{ env.REGISTRY }} if: github.event_name != 'pull_request' - uses: docker/login-action@v2 + uses: docker/login-action@v3 with: registry: ${{ env.REGISTRY }} username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} + #---------------------------------------------- + # Extract Docker image metadata from GitHub events + #---------------------------------------------- - name: Extract Docker metadata id: meta - uses: docker/metadata-action@v4 + uses: docker/metadata-action@v5 with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} flavor: | latest=true + #---------------------------------------------- + # Build and push Docker image (not on PR) + #---------------------------------------------- - name: Build and push Docker image - uses: docker/build-push-action@v4 + uses: docker/build-push-action@v5 with: context: . push: ${{ github.event_name != 'pull_request' }} tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} scan: - name: Trivy scan + name: Image vulnerability scan runs-on: ubuntu-latest needs: [build] permissions: 
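Review bot: The bumped `uses:` references in this hunk (`actions/checkout@v4`, `docker/setup-buildx-action@v3`, `docker/login-action@v3`, `docker/metadata-action@v5`, `docker/build-push-action@v5`) are mutable major-version tags, so whatever those tags are moved to later is what runs with this job's `packages: write` and `security-events: write` permissions and the `GITHUB_TOKEN` registry login. Pinning each action to a full commit SHA with the version kept in a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, and letting Dependabot or Renovate advance SHA and comment together, keeps the upgrade benefit without that supply-chain exposure. The same applies to `aquasecurity/trivy-action@master` in the scan job's first hunk, which tracks a moving branch rather than a release. The build job's header and the scan job's body continue outside this hunk.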
@@ -61,6 +74,9 @@ jobs: packages: read security-events: write steps: + #---------------------------------------------- + # Run vulnerability scan on built image + #---------------------------------------------- - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@master with:
@@ -72,6 +88,6 @@ jobs: template: '@/contrib/sarif.tpl' output: trivy-results.sarif - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v2 + uses: github/codeql-action/upload-sarif@v3 with: sarif_file: trivy-results.sarif