Merge pull request #302 from redhat-cop/renovate/pyyaml-6.x #319
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build confbatstest | |
on: | |
push: | |
paths: | |
- .github/workflows/confbatstest-build.yaml | |
- confbatstest/** | |
# Declare default permissions as read only. | |
permissions: read-all | |
jobs: | |
build-confbatstest: | |
permissions: | |
packages: write | |
env: | |
context: confbatstest | |
image_name: confbatstest | |
branch_name: ${{ github.head_ref || github.ref_name }} | |
ref_type: ${{ github.ref_type }} | |
owner: ${{ github.repository_owner }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 | |
- name: Get image tags | |
id: image_tags | |
uses: redhat-cop/github-actions/get-image-version@1a584131f8a335296e866d1fb0988870ca83aefb # v4.3 | |
with: | |
IMAGE_CONTEXT_DIR: ${{ env.context }} | |
- uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
with: | |
dockerfile: confbatstest/Dockerfile_build | |
ignore: DL3041 # https://github.com/hadolint/hadolint/wiki/DL3041 | |
- name: Build image | |
id: build_image | |
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
with: | |
context: ${{ env.context }} | |
dockerfiles: | | |
./${{ env.context }}/Dockerfile_build | |
image: ${{ env.image_name }} | |
oci: true | |
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" | |
- name: Push to ghcr.io | |
if: ${{ env.ref_type == 'tag' || env.owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
id: push_image | |
with: | |
image: ${{ steps.build_image.outputs.image }} | |
registry: ghcr.io/${{ github.repository }} | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
tags: ${{ steps.build_image.outputs.tags }} | |
outputs: | |
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}" | |
image_digest: "${{ steps.push_image.outputs.digest }}" | |
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}" | |
sign-confbatstest: | |
needs: [build-confbatstest] | |
permissions: | |
id-token: write | |
packages: write | |
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
env: | |
image_uri: ${{ needs.build-confbatstest.outputs.image_uri }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup cosign | |
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3 | |
- name: Cosign login | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io | |
- name: Sign Image | |
run: | | |
cosign sign --yes ${image_uri} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
env: | |
TRIVY_USERNAME: ${{ github.repository_owner }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
scan-type: image | |
image-ref: ${{ env.image_uri }} | |
format: "cosign-vuln" | |
output: "cosign-vuln.json" | |
- name: Run Trivy SBOM generator | |
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # 0.24.0 | |
env: | |
TRIVY_USERNAME: ${{ github.repository_owner }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
scan-type: image | |
image-ref: ${{ env.image_uri }} | |
format: "spdx-json" | |
output: "spdx-json.json" | |
- name: Attach attestations | |
run: | | |
cosign attest --yes --type vuln --predicate cosign-vuln.json ${image_uri} | |
cosign attest --yes --type cyclonedx --predicate spdx-json.json ${image_uri} | |
provenance: | |
needs: [build-confbatstest,sign-confbatstest] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: ${{ github.ref_type == 'tag' || github.repository_owner != 'redhat-cop' }} # Stops push running when bots create a PR, which fails due to token | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
with: | |
image: ${{ needs.build-confbatstest.outputs.image_repo }} | |
digest: ${{ needs.build-confbatstest.outputs.image_digest }} | |
registry-username: ${{ github.repository_owner }} | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} |