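---
# Release workflow: builds the apko image, publishes it to GHCR and then
# scans every published ref.
#
# Triggers: pushes to main (README-only changes excluded), a nightly
# schedule, and a manual dispatch so maintainers can force a rebuild.
on:
  push:
    branches:
      - main
    paths-ignore:
      - README.md
  schedule:
    - cron: '0 0 * * *'
  # Allow manually triggered workflows by maintainers without any parameters to
  # trigger a proactive rebuild (e.g. when a new package lands)
  workflow_dispatch: {}

name: Create Release

# Don't run multiple releases concurrently. Deliberately no cancel-in-progress:
# an in-flight release should finish rather than be killed half-published.
concurrency: release

jobs:
  build:
    name: Release OCI image
    runs-on: ubuntu-latest
    outputs:
      image-refs: ${{ steps.emit-refs.outputs.image-refs }}
    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
    # packages: write is what lets the image be pushed to ghcr.io below.
    # id-token: write is presumably consumed by apko-snapshot for keyless (OIDC)
    # signing -- confirm against the action; drop it if unused.
    # contents stays read-only: nothing in this workflow pushes to git.
    permissions:
      id-token: write
      packages: write
      contents: read
    steps:
      # TODO(security): pin to a full commit SHA (e.g. `actions/checkout@<sha>
      # # v3`) rather than a mutable tag, so a moved tag cannot change what runs
      # with these permissions.
      - uses: actions/checkout@v3
        with:
          # Nothing here pushes to git; don't leave GITHUB_TOKEN in .git/config
          # for later steps / third-party actions to read.
          persist-credentials: false
      # TODO(security): `@main` is a moving branch of a third-party repository
      # running with id-token and packages write in scope; pin to a full commit
      # SHA and update it deliberately.
      - id: apko
        uses: chainguard-images/actions/apko-snapshot@main
        with:
          config: apko.yaml
          image_refs: apko.images
          base-tag: ghcr.io/${{ github.repository }}
      - name: Emit Image Refs output
        id: emit-refs
        # Explicit bash so the step runs with `-o pipefail`: a missing or
        # unreadable apko.images then fails the job instead of quietly
        # emitting an empty list.
        shell: bash
        run: |
          # One image ref per line in apko.images -> compact JSON array,
          # blank lines dropped (consumed by the scan job's matrix).
          refs="$(jq -R -s -c 'split("\n") | map(select(length > 0))' apko.images)"
          echo "$refs" | jq .
          echo "image-refs=${refs}" >> "$GITHUB_OUTPUT"

  scan:
    name: Scan images
    needs: build
    runs-on: ubuntu-latest
    # https://docs.github.com/en/actions/reference/authentication-in-a-workflow
    # NOTE(review): this job only pulls and scans. Unless vul-scans uploads
    # results/attestations to the registry, `packages: read` and no id-token
    # should suffice -- confirm against the action and tighten.
    permissions:
      id-token: write
      packages: write
      contents: read
    strategy:
      matrix:
        ref: ${{ fromJson(needs.build.outputs.image-refs) }}
    steps:
      # Pass the ref through the environment instead of interpolating
      # `${{ matrix.ref }}` into the script body: the value originates from a
      # file written in a previous job, and expression interpolation into `run`
      # is a script-injection vector if that content is ever attacker-influenced.
      - name: Print image ref
        env:
          IMAGE_REF: ${{ matrix.ref }}
        run: |
          echo "$IMAGE_REF"
      # TODO(security): pin to a full commit SHA instead of the mutable `@main`.
      - uses: chainguard-images/actions/vul-scans@main
        id: scans
        with:
          registry: ghcr.io
          image: ${{ matrix.ref }}
          RUN_SNYK: "false"
          RUN_GRYPE: "false"
          DOCKER_LOGIN: 'true'
      # NOTE(review): the counts are only reported to the step summary; nothing
      # fails the job on findings, and the image was already published by the
      # build job. Add a threshold check here if the scan is meant to gate.
      - name: Image Vulnerability scan output
        shell: bash
        env:
          IMAGE_REF: ${{ matrix.ref }}
          SNYK_COUNT: ${{ steps.scans.outputs.SNYK_COUNT }}
          GRYPE_COUNT: ${{ steps.scans.outputs.GRYPE_COUNT }}
          TRIVY_COUNT: ${{ steps.scans.outputs.TRIVY_COUNT }}
        run: |
          {
            echo "Image Vulnerability scan output"
            echo "Image ID: $IMAGE_REF"
            echo ""
            echo "Snyk Count: $SNYK_COUNT"
            echo "Grype Count: $GRYPE_COUNT"
            echo "Trivy Count: $TRIVY_COUNT"
          } >> "$GITHUB_STEP_SUMMARY"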