Update google/osv-scanner-action action to v1.9.0 #1833
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and test images - Pull Request | |
on: | |
pull_request: | |
paths: | |
- '**' | |
permissions: read-all | |
concurrency: | |
group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }} | |
cancel-in-progress: true | |
env: | |
FORCE_COLOR: 1 | |
EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }} | |
jobs: | |
# Populate the trivy cache once for all later jobs to use | |
trivy-cache: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4 | |
with: | |
fetch-depth: 0 | |
- name: Install earthly | |
uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1 | |
with: | |
repository: quay.io/kairos/packages | |
packages: utils/earthly | |
- name: Restore trivy cache | |
uses: yogeshlonkar/trivy-cache-action@v0 | |
with: | |
gh-token: ${{ secrets.GITHUB_TOKEN }} | |
- name: Populate trivy Cache | |
run: | | |
[ ! -d ".trivy" ] && mkdir -p ".trivy" | |
earthly +trivy-download-db --DIR .trivy | |
core-ubuntu-22-lts: | |
uses: ./.github/workflows/reusable-build-flavor.yaml | |
secrets: inherit | |
needs: | |
- trivy-cache | |
permissions: | |
contents: write | |
security-events: write | |
id-token: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: ubuntu | |
flavor_release: "22.04" | |
family: ubuntu | |
base_image: ubuntu:22.04 | |
model: generic | |
variant: core | |
arch: amd64 | |
core-ubuntu-24-lts: | |
uses: ./.github/workflows/reusable-build-flavor.yaml | |
secrets: inherit | |
needs: | |
- trivy-cache | |
permissions: | |
contents: write | |
security-events: write | |
id-token: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
family: ubuntu | |
base_image: ubuntu:24.04 | |
model: generic | |
variant: core | |
arch: amd64 | |
core-ubuntu-24-10: | |
uses: ./.github/workflows/reusable-build-flavor.yaml | |
secrets: inherit | |
needs: | |
- trivy-cache | |
permissions: | |
contents: write | |
security-events: write | |
id-token: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: ubuntu | |
flavor_release: "24.10" | |
family: ubuntu | |
base_image: ubuntu:24.10 | |
model: generic | |
variant: core | |
arch: amd64 | |
core-alpine: | |
uses: ./.github/workflows/reusable-build-flavor.yaml | |
secrets: inherit | |
needs: | |
- trivy-cache | |
permissions: | |
contents: write | |
security-events: write | |
id-token: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
family: alpine | |
base_image: alpine:3.19 | |
model: generic | |
variant: core | |
arch: amd64 | |
standard: | |
uses: ./.github/workflows/reusable-build-provider.yaml | |
secrets: inherit | |
needs: | |
- trivy-cache | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
security-events: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: opensuse | |
flavor_release: "leap-15.6" | |
family: opensuse | |
base_image: opensuse/leap:15.6 | |
model: generic | |
variant: standard | |
arch: amd64 | |
install: | |
uses: ./.github/workflows/reusable-install-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
secureboot: false | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
install-target: | |
secrets: inherit | |
uses: ./.github/workflows/reusable-install-test-target.yaml | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
secureboot: false | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
install-secureboot: | |
uses: ./.github/workflows/reusable-install-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
secureboot: true | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
install-alpine: | |
uses: ./.github/workflows/reusable-install-test.yaml | |
secrets: inherit | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
needs: | |
- trivy-cache | |
- core-alpine | |
zfs: | |
uses: ./.github/workflows/reusable-zfs-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "22.04" | |
needs: | |
- trivy-cache | |
- core-ubuntu-22-lts | |
acceptance: | |
uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
acceptance-alpine: | |
uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml | |
secrets: inherit | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
needs: | |
- trivy-cache | |
- core-alpine | |
bundles: | |
uses: ./.github/workflows/reusable-qemu-bundles-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
reset: | |
uses: ./.github/workflows/reusable-qemu-reset-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
reset-alpine: | |
uses: ./.github/workflows/reusable-qemu-reset-test.yaml | |
secrets: inherit | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
needs: | |
- trivy-cache | |
- core-alpine | |
netboot: | |
uses: ./.github/workflows/reusable-qemu-netboot-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
family: ubuntu | |
base_image: ubuntu:24.04 | |
model: generic | |
variant: core | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
netboot-alpine: | |
uses: ./.github/workflows/reusable-qemu-netboot-test.yaml | |
secrets: inherit | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
family: alpine | |
base_image: alpine:3.19 | |
model: generic | |
variant: core | |
needs: | |
- trivy-cache | |
- core-alpine | |
upgrade: | |
uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
upgrade-alpine: | |
uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml | |
secrets: inherit | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
needs: | |
- trivy-cache | |
- core-alpine | |
upgrade-latest: | |
uses: ./.github/workflows/reusable-upgrade-latest-test.yaml | |
secrets: inherit | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
family: "ubuntu" | |
# release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
# enable once the first alpine only release is out as it currently cannot find the latest alpine release properly | |
# upgrade-latest-alpine: | |
# uses: ./.github/workflows/reusable-upgrade-latest-test.yaml | |
# with: | |
# flavor: alpine | |
# flavor_release: "3.19" | |
# needs: | |
# - trivy-cache | |
# - core-alpine | |
custom-partitioning: | |
secrets: inherit | |
uses: ./.github/workflows/reusable-custom-partitioning-test.yaml | |
permissions: | |
id-token: write # OIDC support | |
contents: write | |
security-events: write | |
actions: read | |
attestations: read | |
checks: read | |
deployments: read | |
discussions: read | |
issues: read | |
packages: read | |
pages: read | |
pull-requests: read | |
repository-projects: read | |
statuses: read | |
with: | |
flavor: ${{ matrix.flavor }} | |
flavor_release: ${{ matrix.flavorRelease }} | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
strategy: | |
fail-fast: true | |
matrix: | |
flavor: | |
- "ubuntu" | |
flavorRelease: | |
- "24.04" | |
encryption: | |
secrets: inherit | |
uses: ./.github/workflows/reusable-encryption-test.yaml | |
with: | |
flavor: ubuntu | |
flavor_release: "24.04" | |
label: ${{ matrix.label }} | |
needs: | |
- trivy-cache | |
- core-ubuntu-24-lts | |
strategy: | |
fail-fast: true | |
matrix: | |
label: | |
- "local-encryption" | |
- "remote-auto" | |
- "remote-static" | |
- "remote-https-pinned" | |
- "remote-https-bad-cert" | |
encryption-alpine: | |
secrets: inherit | |
uses: ./.github/workflows/reusable-encryption-test.yaml | |
with: | |
flavor: alpine | |
flavor_release: "3.19" | |
label: ${{ matrix.label }} | |
needs: | |
- trivy-cache | |
- core-alpine | |
strategy: | |
fail-fast: true | |
matrix: | |
label: | |
- "local-encryption" | |
- "remote-auto" | |
- "remote-static" | |
- "remote-https-pinned" | |
- "remote-https-bad-cert" |