Skip to content
This repository has been archived by the owner on Oct 29, 2024. It is now read-only.
Build, Scan and Push

Bump the js group across 1 directory with 8 updates #612

Sign in to view logs

Bump the js group across 1 directory with 8 updates

Bump the js group across 1 directory with 8 updates #612

Workflow file for this run

.github/workflows/build-scan-push.yaml at b1f7b68
name: Build, Scan and Push
on:
push:
branches:
- main
pull_request:
release:
types: [published]
jobs:
build-tests:
name: Build and run tests
runs-on: ${{ matrix.os }}
strategy:
fail-fast: false
matrix:
os: [ubuntu-latest]
steps:
- name: Checkout git repo
uses: actions/checkout@v3
- name: Set up Go
if: matrix.os != 'self-hosted'
uses: actions/setup-go@v3
with:
go-version: 1.19
- name: Build
working-directory: vm
run: |
go mod download
go build -trimpath -ldflags="-s -w" -o bin/service
- name: Test
working-directory: vm
run: go test -v ./... --count=1
build-image:
needs: build-tests
name: Build Image
runs-on: ubuntu-latest
permissions:
pull-requests: write # needed to create and update comments in PRs
# actions: read # for github/codeql-action/upload-sarif, only required for workflows in private repositories
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
steps:
- name: Checkout git repo
uses: actions/checkout@v3
- name: Set up Go
uses: actions/setup-go@v3
with:
go-version: 1.19
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to Docker Hub
if: ${{ !github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]'}}
uses: docker/login-action@v3
with:
username: dockerpublicbot
password: ${{ secrets.DOCKERPUBLICBOT_WRITE_PAT }}
- name: Docker Metadata for Final Image Build
id: docker_meta
uses: docker/metadata-action@v5
with:
images: docker/${{ github.event.repository.name }}
flavor: |
latest=false
labels: |
org.opencontainers.image.revision=${{ env.SHA }}
tags: |
type=raw,value=latest,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }}
type=ref,event=pr
type=ref,event=branch
type=ref,event=tag
type=semver,pattern={{version}}
type=edge,branch=$repo.default_branch
- name: Build and export to Docker
uses: docker/build-push-action@v5
with:
push: false
load: true # Export to Docker Engine rather than pushing to a registry so Scout can analyze the local image
tags: ${{ steps.docker_meta.outputs.tags }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64
- name: Docker Scout CVEs
uses: docker/scout-action@v1.7.0
if: ${{ !github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]'}}
with:
command: cves
image: "" # If image is not set the most recently built image will be used (i.e. the one from the previous step)
only-fixed: true # Filter to fixable CVEs only
only-severities: critical,high
ignore-unchanged: true # Filter out unchanged packages
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
# exit-on: "vulnerabilities" # Fail the build if there are CVEs
- name: Docker Build and Push to Docker Hub
if: ${{ !github.event.pull_request.head.repo.fork && github.event.pull_request.user.login != 'dependabot[bot]'}}
uses: docker/build-push-action@v5
with:
push: true
tags: ${{ steps.docker_meta.outputs.tags }}
sbom: ${{ github.event_name != 'pull_request' }}
provenance: ${{ github.event_name != 'pull_request' }}
labels: |
org.opencontainers.image.revision=${{ github.event.pull_request.head.sha || github.event.after || github.event.release.tag_name }}
org.opencontainers.image.source=https://github.com/${{ github.repository }}
cache-from: type=gha
cache-to: type=gha,mode=max
platforms: linux/amd64,linux/arm64
build-args: |
BUGSNAG_RELEASE_STAGE=production
BUGSNAG_APP_VERSION=${{ github.event.release.tag_name }}
VALID_SECRET_CACHE=1
secrets: |
"BUGSNAG_API_KEY=${{ secrets.BUGSNAG_API_KEY }}"
"REACT_APP_MUI_LICENSE_KEY=${{ secrets.REACT_APP_MUI_LICENSE_KEY }}"
# If PR, put image tags in the PR comments
# from https://github.com/marketplace/actions/create-or-update-comment
- name: Find comment for image tags
uses: peter-evans/find-comment@v1
if: ${{ !github.event.pull_request.head.repo.fork && github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]'}}
id: fc
with:
issue-number: ${{ github.event.pull_request.number }}
comment-author: "github-actions[bot]"
body-includes: Docker image tag(s) pushed
# If PR, put image tags in the PR comments
- name: Create or update comment for image tags
uses: peter-evans/create-or-update-comment@v1
if: ${{ !github.event.pull_request.head.repo.fork && github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]'}}
with:
comment-id: ${{ steps.fc.outputs.comment-id }}
issue-number: ${{ github.event.pull_request.number }}
body: |
Docker image tag(s) pushed:
```text
${{ steps.docker_meta.outputs.tags }}
```
To install the extension from this PR:
```text
docker extension install -f ${{ steps.docker_meta.outputs.tags }}
```
Labels added to images:
```text
${{ steps.docker_meta.outputs.labels }}
```
edit-mode: replace
# Compare the image built in the pull request with the one in production
- name: Compare image against latest tag
id: docker-scout
if: ${{ !github.event.pull_request.head.repo.fork && github.event_name == 'pull_request' && github.event.pull_request.user.login != 'dependabot[bot]'}}
uses: docker/scout-action@v1.7.0
with:
command: compare
image: local://${{ steps.docker_meta.outputs.tags }}
to: registry://docker/${{ github.event.repository.name }}:latest
ignore-unchanged: true
only-severities: critical,high
organization: docker
write-comment: true
github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment
exit-on: "vulnerability"
debug: true