mirror
/
dex
mirror of https://github.com/dexidp/dex.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
OpenID Connect (OIDC) identity and OAuth 2.0 provider with pluggable connectors
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3162 Commits
34 Branches
98 Tags
50 MiB
 
 
 
 
 
 
Tree: fd92cfb883
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'fd92cfb883'
${ noResults }
dex/.github/workflows/artifacts.yaml

238 lines
8.9 KiB
Raw Blame History

name: Artifacts
on:
workflow_call:
inputs:
publish:
description: Publish artifacts to the artifact store
default: false
required: false
type: boolean
secrets:
DOCKER_USERNAME:
required: true
DOCKER_PASSWORD:
required: true
outputs:
container-image-name:
description: Container image name
value: ${{ jobs.container-images.outputs.name }}
container-image-digest:
description: Container image digest
value: ${{ jobs.container-images.outputs.digest }}
container-image-ref:
description: Container image ref
value: ${{ jobs.container-images.outputs.ref }}
permissions:
contents: read
jobs:
container-images:
name: Container images
runs-on: ubuntu-latest
strategy:
matrix:
variant:
- alpine
- distroless
permissions:
attestations: write
contents: read
packages: write
id-token: write
security-events: write
outputs:
name: ${{ steps.image-name.outputs.value }}
digest: ${{ steps.build.outputs.digest }}
ref: ${{ steps.image-ref.outputs.value }}
steps:
- name: Checkout repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Set up QEMU
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0
- name: Set up Syft
uses: anchore/sbom-action/download-syft@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
- name: Install cosign
uses: sigstore/cosign-installer@c56c2d3e59e4281cc41dea2217323ba5694b171e # v3.8.0
- name: Set image name
id: image-name
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
- name: Gather build metadata
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
${{ steps.image-name.outputs.value }}
dexidp/dex
flavor: |
latest = false
tags: |
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
type=ref,event=branch,suffix=-${{ matrix.variant }}
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
labels: |
org.opencontainers.image.documentation=https://dexidp.io/docs/
# Multiple exporters are not supported yet
# See https://github.com/moby/buildkit/pull/2760
- name: Determine build output
uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
id: build-output
with:
cond: ${{ inputs.publish }}
if_true: type=image,push=true
if_false: type=oci,dest=image.tar
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
if: inputs.publish
- name: Login to Docker Hub
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: inputs.publish
- name: Build and push image
id: build
uses: docker/build-push-action@ca877d9245402d1537745e0e356eab47c3520991 # v6.13.0
with:
context: .
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
tags: ${{ steps.meta.outputs.tags }}
build-args: |
BASE_IMAGE=${{ matrix.variant }}
VERSION=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.version'] }}
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
labels: ${{ steps.meta.outputs.labels }}
# cache-from: type=gha
# cache-to: type=gha,mode=max
outputs: ${{ steps.build-output.outputs.value }}
# push: ${{ inputs.publish }}
- name: Sign the images with GitHub OIDC Token
run: |
cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
if: inputs.publish
- name: Set image ref
id: image-ref
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
- name: Fetch image
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
if: inputs.publish
# Uncomment the following lines for debugging:
# - name: Upload image as artifact
# uses: actions/upload-artifact@v3
# with:
# name: "[${{ github.job }}] OCI tarball"
# path: image.tar
- name: Extract OCI tarball
run: |
mkdir -p image
tar -xf image.tar -C image
# - name: List tags
# run: skopeo --insecure-policy list-tags oci:image
#
# # See https://github.com/anchore/syft/issues/1545
# - name: Extract image from multi-arch image
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
#
# - name: Generate SBOM
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
#
# - name: Upload SBOM as artifact
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
# with:
# name: "[${{ github.job }}] SBOM"
# path: sbom-spdx.json
# retention-days: 5
# TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
# - name: Generate build provenance attestation
# uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
# with:
# subject-name: dexidp/dex
# subject-digest: ${{ steps.build.outputs.digest }}
# push-to-registry: true
- name: Generate build provenance attestation
uses: actions/attest-build-provenance@520d128f165991a6c774bcb264f323e3d70747f4 # v2.2.0
with:
subject-name: ghcr.io/dexidp/dex
subject-digest: ${{ steps.build.outputs.digest }}
push-to-registry: true
if: inputs.publish
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
## To avoid the trivy-db becoming outdated, we save the cache for one day
- name: Get data
id: date
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
- name: Restore trivy cache
uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57 # v4.2.0
with:
path: cache/db
key: trivy-cache-${{ steps.date.outputs.date }}
restore-keys: trivy-cache-
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
with:
input: image
format: sarif
output: trivy-results.sarif
scan-type: "fs"
scan-ref: "."
cache-dir: "./cache"
# Disable skipping trivy cache for now
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
## Trivy-db uses `0600` permissions.
## But `action/cache` use `runner` user by default
## So we need to change the permissions before caching the database.
- name: change permissions for trivy.db
run: sudo chmod 0644 ./cache/db/trivy.db
- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0
with:
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5
overwrite: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@dd746615b3b9d728a6a37ca2045b68ca76d4841a # v3.28.8
with:
sarif_file: trivy-results.sarif