mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3459 Commits
34 Branches
98 Tags
73 MiB
 
 
 
 
 
 
Tree: 6ef67976bf
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '6ef67976bf'
${ noResults }
dex/.github/workflows/artifacts.yaml

238 lines
9.0 KiB
Raw Blame History

name: Artifacts
on:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
secrets:
DOCKER_USERNAME:
required: true
DOCKER_PASSWORD:
required: true
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-images.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-images.outputs.digest }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-images.outputs.ref }}
permissions:
contents: read
jobs:
container-images:
name: Container images
runs-on: ubuntu-latest
strategy:
matrix:
variant:
- alpine
- distroless
permissions:
attestations: write
contents: read
packages: write
id-token: write
security-events: write
outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
ref: ${{ steps.image-ref.outputs.value }}
steps:
- name: Checkout repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Set up QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
- name: Set up Syft
uses: anchore/sbom-action/download-syft@da167eac915b4e86f08b264dbdbc867b61be6f0c # v0.20.5
- name: Install cosign
uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
- name: Gather build metadata
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: |
${{ steps.image-name.outputs.value }}
${{ github.repository == 'dexidp/dex' && 'dexidp/dex' || '' }}
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
id: build-output
with:
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar
- name: Login to GitHub Container Registry
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
if: inputs.publish
- name: Login to Docker Hub
uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: inputs.publish
- name: Build and push image
id: build
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
with:
context: .
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}
- name: Sign the images with GitHub OIDC Token
run: |
cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
if: inputs.publish
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
if: inputs.publish
# Uncomment the following lines for debugging:
# - name: Upload image as artifact
# uses: actions/upload-artifact@v3
# with:
# name: "[${{ github.job }}] OCI tarball"
# path: image.tar
- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
# - name: List tags
# run: skopeo --insecure-policy list-tags oci:image
#
# # See https://github.com/anchore/syft/issues/1545
# - name: Extract image from multi-arch image
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
#
# - name: Generate SBOM
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
#
# - name: Upload SBOM as artifact
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
# with:
# name: "[${{ github.job }}] SBOM"
# path: sbom-spdx.json
# retention-days: 5
# TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
# - name: Generate build provenance attestation
# uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
# with:
# subject-name: dexidp/dex
# subject-digest: ${{ steps.build.outputs.digest }}
# push-to-registry: true
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@977bb373ede98d70efdf65b84cb5f73e068dcc2a # v3.0.0
with:
subject-name: ghcr.io/${{ github.repository }}
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
if: inputs.publish
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@0400d5f644dc74513175e3cd8d07132dd4860809 # v4.2.4
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys: trivy-cache-
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # 0.33.1
with:
input: image
format: sarif
output: trivy-results.sarif
scan-type: "fs"
scan-ref: "."
cache-dir: "./cache"
# Disable skipping trivy cache for now
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
with:
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5
overwrite: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@3c3833e0f8c1c83d449a7478aa59c036a9165498 # v3.29.5
with:
sarif_file: trivy-results.sarif