
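name: Scan controller image

# Triggers: manual, weekly, and whenever the controller module's go.mod changes on main.
on:  # yamllint disable-line rule:truthy
  workflow_dispatch:
    # no content, allows manual triggering
  schedule:
    # 5:30 pm every Sunday (UTC)
    # to pick up any important bug fixes etc in base image
    - cron: '30 17 * * 0'
  push:
    # run when changes pushed to go.mod on main branch
    branches:
      - main
    paths:
      # Path filters are matched against repository-relative paths (e.g. `v2/go.mod`);
      # a leading `./` is not part of the changed-file path, so it is omitted here.
      - v2/go.mod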
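jobs:
  scan-image:
    runs-on: ubuntu-latest
    # Least privilege: once any scope is listed here, every unlisted scope becomes
    # `none`, so contents:read is spelled out for the checkout (fetch-depth 0 plus
    # submodules) and packages:read for pulling the devcontainer image.
    permissions:
      contents: read
      packages: read
    # Only run this scheduled job on the main repo, it can't work elsewhere
    if: ${{ github.repository == 'Azure/azure-service-operator' }}
    steps:
      - name: Checkout code
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # pinned to 4.1.7
        with:
          fetch-depth: 0 # required to access tags
          submodules: 'true'
      - name: Log in to GitHub Docker Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # pinned to v3.3.0
        with:
          registry: docker.pkg.github.com # ghcr.io not yet enabled for Azure org
          username: ${{ github.actor }}
          # Short-lived, job-scoped token; no long-lived registry credential is stored.
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build devcontainer image
        # We must issue a manual pull before the build so the image gets copied locally, because
        # docker.pkg.github.com is not a valid Docker registry and doesn't work with --cache-from,
        # however, `docker pull` will fall back to other methods that do work and get the image loaded.
        #
        # This message comes from "docker pull":
        #
        # Run docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
        # WARNING: ⚠️ Failed to pull manifest by the resolved digest. This registry does not
        # appear to conform to the distribution registry specification; falling back to
        # pull by tag. This fallback is DEPRECATED, and will be removed in a future
        # release. Please contact admins of https://docker.pkg.github.com. ⚠️
        #
        # See: https://github.com/moby/moby/issues/41687#issuecomment-733826074 and related issues
        run: |
          docker pull docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest
          docker build --cache-from docker.pkg.github.com/azure/azure-service-operator/aso-devcontainer:latest --tag devcontainer:latest .devcontainer
        env:
          DOCKER_BUILDKIT: '1'
      - name: Run devcontainer image
        id: devcontainer
        # The host Docker socket is mounted so the scan task inside the devcontainer can
        # drive the daemon. That mount hands the container full control of the host
        # daemon, which is tolerable here only because the hosted runner is ephemeral
        # and this job runs on trusted branches/schedules, never on untrusted PR code.
        run: |
          container_id=$(docker create -w /workspace -v "$GITHUB_WORKSPACE:/workspace" -v /var/run/docker.sock:/var/run/docker.sock devcontainer:latest)
          docker start "$container_id"
          # Export for later steps; GITHUB_ENV exposes it there as a plain environment variable.
          echo "container_id=$container_id" >> "$GITHUB_ENV"
      - name: Scan controller image
        # Read the id from the environment instead of interpolating `${{ env.container_id }}`
        # into the script body, so no workflow value is spliced into shell source text.
        run: |
          docker exec "$container_id" task controller:scan-image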