|
|
|
|
@ -1,79 +1,118 @@
|
|
|
|
|
name: Artifacts |
|
|
|
|
|
|
|
|
|
on: |
|
|
|
|
push: |
|
|
|
|
branches: |
|
|
|
|
- master |
|
|
|
|
tags: |
|
|
|
|
- v[0-9]+.[0-9]+.[0-9]+ |
|
|
|
|
pull_request: |
|
|
|
|
workflow_call: |
|
|
|
|
inputs: |
|
|
|
|
publish: |
|
|
|
|
description: Publish artifacts to the artifact store |
|
|
|
|
default: false |
|
|
|
|
required: false |
|
|
|
|
type: boolean |
|
|
|
|
outputs: |
|
|
|
|
container-image-name: |
|
|
|
|
description: Container image name |
|
|
|
|
value: ${{ jobs.container-image.outputs.name }} |
|
|
|
|
container-image-digest: |
|
|
|
|
description: Container image digest |
|
|
|
|
value: ${{ jobs.container-image.outputs.digest }} |
|
|
|
|
container-image-ref: |
|
|
|
|
description: Container image ref |
|
|
|
|
value: ${{ jobs.container-image.outputs.ref }} |
|
|
|
|
|
|
|
|
|
permissions: |
|
|
|
|
contents: read |
|
|
|
|
|
|
|
|
|
jobs: |
|
|
|
|
container-images: |
|
|
|
|
name: Container images |
|
|
|
|
container-image: |
|
|
|
|
name: Container image |
|
|
|
|
runs-on: ubuntu-latest |
|
|
|
|
|
|
|
|
|
strategy: |
|
|
|
|
matrix: |
|
|
|
|
variant: |
|
|
|
|
- alpine |
|
|
|
|
- distroless |
|
|
|
|
|
|
|
|
|
permissions: |
|
|
|
|
contents: read |
|
|
|
|
packages: write |
|
|
|
|
id-token: write |
|
|
|
|
security-events: write |
|
|
|
|
|
|
|
|
|
outputs: |
|
|
|
|
name: ${{ steps.image-name.outputs.value }} |
|
|
|
|
digest: ${{ steps.build.outputs.digest }} |
|
|
|
|
ref: ${{ steps.image-ref.outputs.value }} |
|
|
|
|
|
|
|
|
|
steps: |
|
|
|
|
- name: Checkout |
|
|
|
|
uses: actions/checkout@v3 |
|
|
|
|
- name: Checkout repository |
|
|
|
|
uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab # v3.5.2 |
|
|
|
|
|
|
|
|
|
- name: Set up QEMU |
|
|
|
|
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 |
|
|
|
|
|
|
|
|
|
- name: Gather metadata |
|
|
|
|
- name: Set up Docker Buildx |
|
|
|
|
uses: docker/setup-buildx-action@4b4e9c3e2d4531116a6f8ba8e71fc6e2cb6e6c8c # v2.5.0 |
|
|
|
|
|
|
|
|
|
- name: Set up Syft |
|
|
|
|
uses: anchore/sbom-action/download-syft@422cb34a0f8b599678c41b21163ea6088edb2624 # v0.14.1 |
|
|
|
|
|
|
|
|
|
- name: Set image name |
|
|
|
|
id: image-name |
|
|
|
|
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT" |
|
|
|
|
|
|
|
|
|
- name: Gather build metadata |
|
|
|
|
id: meta |
|
|
|
|
uses: docker/metadata-action@v4 |
|
|
|
|
uses: docker/metadata-action@c4ee3adeed93b1fa6a762f209fb01608c1a22f1e # v4.4.0 |
|
|
|
|
with: |
|
|
|
|
images: | |
|
|
|
|
ghcr.io/dexidp/dex |
|
|
|
|
${{ steps.image-name.outputs.value }} |
|
|
|
|
dexidp/dex |
|
|
|
|
flavor: | |
|
|
|
|
latest = false |
|
|
|
|
tags: | |
|
|
|
|
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }} |
|
|
|
|
type=ref,event=pr,enable=${{ matrix.variant == 'alpine' }} |
|
|
|
|
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }} |
|
|
|
|
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }} |
|
|
|
|
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) && matrix.variant == 'alpine' }} |
|
|
|
|
type=raw,value=latest,enable=${{ github.ref_name github.event.repository.default_branch && matrix.variant == 'alpine' }} |
|
|
|
|
type=ref,event=branch,suffix=-${{ matrix.variant }} |
|
|
|
|
type=ref,event=pr,suffix=-${{ matrix.variant }} |
|
|
|
|
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }} |
|
|
|
|
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }} |
|
|
|
|
type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', github.event.repository.default_branch) }},suffix=-${{ matrix.variant }} |
|
|
|
|
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }} |
|
|
|
|
labels: | |
|
|
|
|
org.opencontainers.image.documentation=https://dexidp.io/docs/ |
|
|
|
|
|
|
|
|
|
- name: Set up QEMU |
|
|
|
|
uses: docker/setup-qemu-action@v2 |
|
|
|
|
# Multiple exporters are not supported yet |
|
|
|
|
# See https://github.com/moby/buildkit/pull/2760 |
|
|
|
|
- name: Determine build output |
|
|
|
|
uses: haya14busa/action-cond@1d6e8a12b20cdb4f1954feef9aa475b9c390cab5 # v1.1.1 |
|
|
|
|
id: build-output |
|
|
|
|
with: |
|
|
|
|
platforms: all |
|
|
|
|
|
|
|
|
|
- name: Set up Docker Buildx |
|
|
|
|
uses: docker/setup-buildx-action@v2 |
|
|
|
|
cond: ${{ inputs.publish }} |
|
|
|
|
if_true: type=image,push=true |
|
|
|
|
if_false: type=oci,dest=image.tar |
|
|
|
|
|
|
|
|
|
- name: Login to GitHub Container Registry |
|
|
|
|
uses: docker/login-action@v2 |
|
|
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 |
|
|
|
|
with: |
|
|
|
|
registry: ghcr.io |
|
|
|
|
username: ${{ github.repository_owner }} |
|
|
|
|
username: ${{ github.actor }} |
|
|
|
|
password: ${{ github.token }} |
|
|
|
|
if: github.event_name == 'push' |
|
|
|
|
if: inputs.publish |
|
|
|
|
|
|
|
|
|
- name: Login to Docker Hub |
|
|
|
|
uses: docker/login-action@v2 |
|
|
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 |
|
|
|
|
with: |
|
|
|
|
username: ${{ secrets.DOCKER_USERNAME }} |
|
|
|
|
password: ${{ secrets.DOCKER_PASSWORD }} |
|
|
|
|
if: github.event_name == 'push' |
|
|
|
|
if: inputs.publish |
|
|
|
|
|
|
|
|
|
- name: Build and push |
|
|
|
|
uses: docker/build-push-action@v4 |
|
|
|
|
- name: Build and push image |
|
|
|
|
id: build |
|
|
|
|
uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0 |
|
|
|
|
with: |
|
|
|
|
context: . |
|
|
|
|
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le |
|
|
|
|
# cache-from: type=gha |
|
|
|
|
# cache-to: type=gha,mode=max |
|
|
|
|
push: ${{ github.event_name == 'push' }} |
|
|
|
|
tags: ${{ steps.meta.outputs.tags }} |
|
|
|
|
build-args: | |
|
|
|
|
BASE_IMAGE=${{ matrix.variant }} |
|
|
|
|
@ -81,17 +120,53 @@ jobs:
|
|
|
|
|
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} |
|
|
|
|
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} |
|
|
|
|
labels: ${{ steps.meta.outputs.labels }} |
|
|
|
|
cache-from: type=gha |
|
|
|
|
cache-to: type=gha,mode=max |
|
|
|
|
outputs: ${{ steps.build-output.outputs.value }} |
|
|
|
|
# push: ${{ inputs.publish }} |
|
|
|
|
|
|
|
|
|
- name: Set image ref |
|
|
|
|
id: image-ref |
|
|
|
|
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT" |
|
|
|
|
|
|
|
|
|
- name: Fetch image |
|
|
|
|
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar |
|
|
|
|
if: inputs.publish |
|
|
|
|
|
|
|
|
|
- name: Extract OCI tarball |
|
|
|
|
run: | |
|
|
|
|
mkdir -p image |
|
|
|
|
tar -xf image.tar -C image |
|
|
|
|
|
|
|
|
|
# See https://github.com/anchore/syft/issues/1545 |
|
|
|
|
- name: Extract image from multi-arch image |
|
|
|
|
run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image docker-archive:docker.tar |
|
|
|
|
|
|
|
|
|
- name: Generate SBOM |
|
|
|
|
run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar |
|
|
|
|
|
|
|
|
|
- name: Upload SBOM as artifact |
|
|
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 |
|
|
|
|
with: |
|
|
|
|
name: "[${{ github.job }}] SBOM" |
|
|
|
|
path: sbom-spdx.json |
|
|
|
|
retention-days: 5 |
|
|
|
|
|
|
|
|
|
- name: Run Trivy vulnerability scanner |
|
|
|
|
uses: aquasecurity/trivy-action@0.10.0 |
|
|
|
|
uses: aquasecurity/trivy-action@e5f43133f6e8736992c9f3c1b3296e24b37e17f2 # 0.10.0 |
|
|
|
|
with: |
|
|
|
|
input: image |
|
|
|
|
format: sarif |
|
|
|
|
output: trivy-results.sarif |
|
|
|
|
|
|
|
|
|
- name: Upload Trivy scan results as artifact |
|
|
|
|
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2 |
|
|
|
|
with: |
|
|
|
|
image-ref: "ghcr.io/dexidp/dex:${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}" |
|
|
|
|
format: "sarif" |
|
|
|
|
output: "trivy-results.sarif" |
|
|
|
|
if: github.event_name == 'push' |
|
|
|
|
name: "[${{ github.job }}] Trivy scan results" |
|
|
|
|
path: trivy-results.sarif |
|
|
|
|
retention-days: 5 |
|
|
|
|
|
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab |
|
|
|
|
uses: github/codeql-action/upload-sarif@v2 |
|
|
|
|
uses: github/codeql-action/upload-sarif@8662eabe0e9f338a07350b7fd050732745f93848 # v2.3.1 |
|
|
|
|
with: |
|
|
|
|
sarif_file: "trivy-results.sarif" |
|
|
|
|
if: github.event_name == 'push' |
|
|
|
|
sarif_file: trivy-results.sarif |
|
|
|
|
|
Mark Sagi-Kazar
3 years ago