mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3062 Commits
34 Branches
98 Tags
73 MiB
 
 
 
 
 
 
Tree: 4fd3f9b765
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '4fd3f9b765'
${ noResults }
dex/.github/workflows/artifacts.yaml

239 lines
8.9 KiB
Raw Blame History

name: Artifacts
on:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
secrets:
DOCKER_USERNAME:
required: true
DOCKER_PASSWORD:
required: true
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-images.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-images.outputs.digest }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-images.outputs.ref }}
permissions:
contents: read
jobs:
container-images:
name: Container images
runs-on: ubuntu-latest
strategy:
matrix:
variant:
- alpine
- distroless
permissions:
attestations: write
contents: read
packages: write
id-token: write
security-events: write
outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
ref: ${{ steps.image-ref.outputs.value }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Set up Syft
uses: anchore/sbom-action/download-syft@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
- name: Install cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
- name: Gather build metadata
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
${{ steps.image-name.outputs.value }}
dexidp/dex
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
id: build-output
with:
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
if: inputs.publish
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: inputs.publish
- name: Build and push image
id: build
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
with:
context: .
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}
- name: Sign the images with GitHub OIDC Token
run: |
cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
if: inputs.publish
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
if: inputs.publish
# Uncomment the following lines for debugging:
# - name: Upload image as artifact
# uses: actions/upload-artifact@v3
# with:
# name: "[${{ github.job }}] OCI tarball"
# path: image.tar
- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
# - name: List tags
# run: skopeo --insecure-policy list-tags oci:image
#
# # See https://github.com/anchore/syft/issues/1545
# - name: Extract image from multi-arch image
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
#
# - name: Generate SBOM
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
#
# - name: Upload SBOM as artifact
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
# with:
# name: "[${{ github.job }}] SBOM"
# path: sbom-spdx.json
# retention-days: 5
# TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
# - name: Generate build provenance attestation
# uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
# with:
# subject-name: dexidp/dex
# subject-digest: ${{ steps.build.outputs.digest }}
# push-to-registry: true
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@1c608d11d69870c2092266b3f9a6f3abbf17002c # v1.4.3
with:
subject-name: ghcr.io/dexidp/dex
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
if: inputs.publish
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys:
trivy-cache-
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
input: image
format: sarif
output: trivy-results.sarif
scan-type: 'fs'
scan-ref: '.'
cache-dir: "./cache"
env:
TRIVY_SKIP_DB_UPDATE: true
TRIVY_SKIP_JAVA_DB_UPDATE: true
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
with:
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5
overwrite: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: trivy-results.sarif