|
|
|
|
@ -22,37 +22,6 @@ jobs:
|
|
|
|
|
- name: Checkout |
|
|
|
|
uses: actions/checkout@v3 |
|
|
|
|
|
|
|
|
|
- name: Calculate container image details |
|
|
|
|
id: details |
|
|
|
|
env: |
|
|
|
|
CONTAINER_IMAGES: "ghcr.io/dexidp/dex dexidp/dex" |
|
|
|
|
run: | |
|
|
|
|
case $GITHUB_REF in |
|
|
|
|
refs/tags/*) VERSION=${GITHUB_REF#refs/tags/};; |
|
|
|
|
refs/heads/*) VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g');; |
|
|
|
|
refs/pull/*) VERSION=pr-${{ github.event.number }};; |
|
|
|
|
*) VERSION=sha-${GITHUB_SHA::8};; |
|
|
|
|
esac |
|
|
|
|
|
|
|
|
|
VERSION_SUFFIX="" |
|
|
|
|
if [[ "${{ matrix.variant }}" != "alpine" ]]; then |
|
|
|
|
VERSION_SUFFIX="-${{ matrix.variant }}" |
|
|
|
|
fi |
|
|
|
|
|
|
|
|
|
TAGS=() |
|
|
|
|
for image in $CONTAINER_IMAGES; do |
|
|
|
|
TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}") |
|
|
|
|
|
|
|
|
|
if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then |
|
|
|
|
TAGS+=("${image}:latest${VERSION_SUFFIX}") |
|
|
|
|
fi |
|
|
|
|
done |
|
|
|
|
|
|
|
|
|
echo ::set-output name=version::${VERSION} |
|
|
|
|
echo ::set-output name=tags::$(IFS=,; echo "${TAGS[*]}") |
|
|
|
|
echo ::set-output name=commit_hash::${GITHUB_SHA::8} |
|
|
|
|
echo ::set-output name=build_date::$(git show -s --format=%cI) |
|
|
|
|
|
|
|
|
|
- name: Gather metadata |
|
|
|
|
id: meta |
|
|
|
|
uses: docker/metadata-action@v3 |
|
|
|
|
@ -105,27 +74,18 @@ jobs:
|
|
|
|
|
cache-from: type=gha |
|
|
|
|
cache-to: type=gha,mode=max |
|
|
|
|
push: ${{ github.event_name == 'push' }} |
|
|
|
|
tags: ${{ steps.details.outputs.tags }} |
|
|
|
|
tags: ${{ steps.meta.outputs.tags }} |
|
|
|
|
build-args: | |
|
|
|
|
BASE_IMAGE=${{ matrix.variant }} |
|
|
|
|
VERSION=${{ steps.details.outputs.version }} |
|
|
|
|
COMMIT_HASH=${{ steps.details.outputs.commit_hash }} |
|
|
|
|
BUILD_DATE=${{ steps.details.outputs.build_date }} |
|
|
|
|
labels: | |
|
|
|
|
org.opencontainers.image.title=${{ github.event.repository.name }} |
|
|
|
|
org.opencontainers.image.description=${{ github.event.repository.description }} |
|
|
|
|
org.opencontainers.image.url=${{ github.event.repository.html_url }} |
|
|
|
|
org.opencontainers.image.source=${{ github.event.repository.clone_url }} |
|
|
|
|
org.opencontainers.image.version=${{ steps.details.outputs.version }} |
|
|
|
|
org.opencontainers.image.created=${{ steps.details.outputs.build_date }} |
|
|
|
|
org.opencontainers.image.revision=${{ github.sha }} |
|
|
|
|
org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }} |
|
|
|
|
org.opencontainers.image.documentation=https://dexidp.io/docs/ |
|
|
|
|
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }} |
|
|
|
|
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} |
|
|
|
|
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} |
|
|
|
|
labels: ${{ steps.meta.outputs.labels }} |
|
|
|
|
|
|
|
|
|
- name: Run Trivy vulnerability scanner |
|
|
|
|
uses: aquasecurity/trivy-action@0.2.5 |
|
|
|
|
with: |
|
|
|
|
image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}" |
|
|
|
|
image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}" |
|
|
|
|
format: "sarif" |
|
|
|
|
output: "trivy-results.sarif" |
|
|
|
|
if: github.event_name == 'push' |
|
|
|
|
|
Mark Sagi-Kazar
4 years ago