Skip to content
nightly

nightly #609

Sign in to view logs

nightly

nightly #609

Workflow file for this run

.github/workflows/nightly.yaml at eeafe4d
name: nightly
on:
schedule:
# At 03:07
- cron: '7 3 * * *'
env:
# We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run a step
# 'if env.GHCR_USERNAME' != ""', so we copy these to test whether credentials
# are available before trying to run steps that need them. Like PRs from forks!
GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
IMAGE_NAME: ghcr.io/external-secrets/kubernetes-external-secrets
jobs:
build:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Docker meta
id: docker_meta
uses: docker/metadata-action@v4
with:
images: ${{ env.IMAGE_NAME }}
tags: |
type=schedule,pattern=nightly
- name: Login to Docker
uses: docker/login-action@v2
if: env.GHCR_USERNAME != ''
with:
registry: ghcr.io
username: ${{ secrets.GHCR_USERNAME }}
password: ${{ secrets.GHCR_TOKEN }}
- name: Build nightly
uses: docker/build-push-action@v3
with:
context: .
platforms: linux/amd64,linux/arm64,linux/arm/v7
push: ${{ env.GHCR_USERNAME != '' }}
tags: ${{ steps.docker_meta.outputs.tags }}
labels: ${{ steps.docker_meta.outputs.labels }}
scan:
needs: build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ env.IMAGE_NAME }}:nightly
format: 'template'
ignore-unfixed: true
severity: HIGH,CRITICAL
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'