Update dependency open-policy-agent/opa to v0.68.0 #307
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build confbatstest | |
| on: | |
| push: | |
| paths: | |
| - .github/workflows/confbatstest-build.yaml | |
| - confbatstest/** | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| jobs: | |
| build-confbatstest: | |
| permissions: | |
| packages: write | |
| env: | |
| context: confbatstest | |
| image_name: confbatstest | |
| branch_name: ${{ github.head_ref || github.ref_name }} | |
| ref_type: ${{ github.ref_type }} | |
| owner: ${{ github.repository_owner }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
| - name: Get image tags | |
| id: image_tags | |
| uses: redhat-cop/github-actions/get-image-version@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3 | |
| with: | |
| IMAGE_CONTEXT_DIR: ${{ env.context }} | |
| - uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
| with: | |
| dockerfile: confbatstest/Dockerfile_build | |
| ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041 | |
| - name: Build image | |
| id: build_image | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
| with: | |
| context: ${{ env.context }} | |
| dockerfiles: | | |
| ./${{ env.context }}/Dockerfile_build | |
| image: ${{ env.image_name }} | |
| oci: true | |
| tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" | |
| - name: Push to ghcr.io | |
| if: ${{ env.ref_type == 'tag' || env.owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| id: push_image | |
| with: | |
| image: ${{ steps.build_image.outputs.image }} | |
| registry: ghcr.io/${{ github.repository }} | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| tags: ${{ steps.build_image.outputs.tags }} | |
| outputs: | |
| image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}" | |
| image_digest: "${{ steps.push_image.outputs.digest }}" | |
| image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}" | |
| sign-confbatstest: | |
| needs: [build-confbatstest] | |
| permissions: | |
| id-token: write | |
| packages: write | |
| if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
| env: | |
| image_uri: ${{ needs.build-confbatstest.outputs.image_uri }} | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Setup cosign | |
| uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3 | |
| - name: Cosign login | |
| run: | | |
| echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io | |
| - name: Sign Image | |
| run: | | |
| cosign sign --yes ${image_uri} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| env: | |
| TRIVY_USERNAME: ${{ github.repository_owner }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| scan-type: image | |
| image-ref: ${{ env.image_uri }} | |
| format: "cosign-vuln" | |
| output: "cosign-vuln.json" | |
| - name: Run Trivy SBOM generator | |
| uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
| env: | |
| TRIVY_USERNAME: ${{ github.repository_owner }} | |
| TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
| with: | |
| scan-type: image | |
| image-ref: ${{ env.image_uri }} | |
| format: "spdx-json" | |
| output: "spdx-json.json" | |
| - name: Attach attestations | |
| run: | | |
| cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri} | |
| cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri} | |
| provenance: | |
| needs: [build-confbatstest,sign-confbatstest] | |
| permissions: | |
| actions: read # for detecting the Github Actions environment. | |
| id-token: write # for creating OIDC tokens for signing. | |
| packages: write # for uploading attestations. | |
| if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
| with: | |
| image: ${{ needs.build-confbatstest.outputs.image_repo }} | |
| digest: ${{ needs.build-confbatstest.outputs.image_digest }} | |
| registry-username: ${{ github.repository_owner }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} |