
Update google/osv-scanner-action action to v1.9.0 #1833


Workflow file for this run

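# PR CI for the image build: every job first waits on `trivy-cache`, then the
# `core-*` / `standard` jobs build one image per flavor via the reusable build
# workflows, and the remaining jobs run the QEMU-based test suites against the
# image of their flavor. All per-flavor knobs are passed through `with:`.
name: Build and test images - Pull Request
# yamllint disable-line rule:truthy  (`on` is a YAML 1.1 boolean; GitHub's loader reads it as the key)
on:
  pull_request:
    paths:
      - '**'
# Workflow-wide default is read-only; jobs that need more request it explicitly
# in their own `permissions:` block. On pull_request runs from forks GitHub
# downgrades any write scope to read regardless of what is requested here.
permissions: read-all
# One in-flight run per PR head (or per ref for non-PR refs); a newer push
# cancels the older run so stale builds do not hold runners.
concurrency:
  group: ci-image-${{ github.head_ref || github.ref }}-${{ github.repository }}
  cancel-in-progress: true
# Workflow-level env is visible to the steps of jobs defined in this file
# (here: only `trivy-cache`). Jobs that call a reusable workflow via `uses:` do
# not inherit the caller's `env:`; they receive secrets through
# `secrets: inherit` instead.
env:
  FORCE_COLOR: 1
  EARTHLY_TOKEN: ${{ secrets.EARTHLY_TOKEN }}
jobs:
  # Populate the trivy cache once for all later jobs to use
  trivy-cache:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
        with:
          # Full clone, not a shallow one — presumably earthly needs history/tags; confirm
          fetch-depth: 0
      - name: Install earthly
        uses: Luet-lab/luet-install-action@cec77490c3f2416d7d07a47cfab04d448641d7ce # v1.1
        with:
          repository: quay.io/kairos/packages
          packages: utils/earthly
      - name: Restore trivy cache
        # NOTE(review): the only action in this file referenced by a mutable tag
        # rather than a commit SHA. Pin it to a SHA like the two actions above so
        # the code that handles the cache (and receives GITHUB_TOKEN) cannot change
        # underneath this workflow between runs.
        uses: yogeshlonkar/trivy-cache-action@v0
        with:
          gh-token: ${{ secrets.GITHUB_TOKEN }}
      - name: Populate trivy Cache
        run: |
          # mkdir -p is a no-op when the directory already exists, so no existence test is needed
          mkdir -p ".trivy"
          earthly +trivy-download-db --DIR .trivy

  # ---- image builds: one job per flavor, all through the same reusable workflow ----
  core-ubuntu-22-lts:
    uses: ./.github/workflows/reusable-build-flavor.yaml
    secrets: inherit
    needs:
      - trivy-cache
    # Scopes passed to the called workflow; everything not listed stays at the
    # workflow default (read-all). The write scopes are what the reusable build
    # workflow is allowed to use — see that file for which steps need them.
    permissions:
      contents: write
      security-events: write
      id-token: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: ubuntu
      flavor_release: "22.04"
      family: ubuntu
      base_image: ubuntu:22.04
      model: generic
      variant: core
      arch: amd64

  core-ubuntu-24-lts:
    uses: ./.github/workflows/reusable-build-flavor.yaml
    secrets: inherit
    needs:
      - trivy-cache
    permissions:
      contents: write
      security-events: write
      id-token: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      family: ubuntu
      base_image: ubuntu:24.04
      model: generic
      variant: core
      arch: amd64

  core-ubuntu-24-10:
    uses: ./.github/workflows/reusable-build-flavor.yaml
    secrets: inherit
    needs:
      - trivy-cache
    permissions:
      contents: write
      security-events: write
      id-token: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: ubuntu
      flavor_release: "24.10"
      family: ubuntu
      base_image: ubuntu:24.10
      model: generic
      variant: core
      arch: amd64

  core-alpine:
    uses: ./.github/workflows/reusable-build-flavor.yaml
    secrets: inherit
    needs:
      - trivy-cache
    permissions:
      contents: write
      security-events: write
      id-token: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: alpine
      flavor_release: "3.19"
      family: alpine
      base_image: alpine:3.19
      model: generic
      variant: core
      arch: amd64

  # The `standard` variant goes through the provider build workflow rather than
  # the flavor one.
  standard:
    uses: ./.github/workflows/reusable-build-provider.yaml
    secrets: inherit
    needs:
      - trivy-cache
    permissions:
      id-token: write # OIDC support
      contents: write
      security-events: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: opensuse
      flavor_release: "leap-15.6"
      family: opensuse
      base_image: opensuse/leap:15.6
      model: generic
      variant: standard
      arch: amd64

  # ---- test suites: each one depends on the build job of the flavor it tests ----
  # `trivy-cache` is listed explicitly in every `needs:` even though the core-*
  # jobs already depend on it; the extra entry is redundant but harmless.
  install:
    uses: ./.github/workflows/reusable-install-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      secureboot: false
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  install-target:
    uses: ./.github/workflows/reusable-install-test-target.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      secureboot: false
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  install-secureboot:
    uses: ./.github/workflows/reusable-install-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      secureboot: true
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  # No `secureboot` input here: the reusable workflow's default applies.
  install-alpine:
    uses: ./.github/workflows/reusable-install-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
    needs:
      - trivy-cache
      - core-alpine

  zfs:
    uses: ./.github/workflows/reusable-zfs-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "22.04"
    needs:
      - trivy-cache
      - core-ubuntu-22-lts

  acceptance:
    uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  acceptance-alpine:
    uses: ./.github/workflows/reusable-qemu-acceptance-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
    needs:
      - trivy-cache
      - core-alpine

  bundles:
    uses: ./.github/workflows/reusable-qemu-bundles-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  reset:
    uses: ./.github/workflows/reusable-qemu-reset-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  reset-alpine:
    uses: ./.github/workflows/reusable-qemu-reset-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
    needs:
      - trivy-cache
      - core-alpine

  # The netboot tests take the full image description (family/base_image/model/
  # variant), unlike the other test workflows which only take flavor + release.
  netboot:
    uses: ./.github/workflows/reusable-qemu-netboot-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      family: ubuntu
      base_image: ubuntu:24.04
      model: generic
      variant: core
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  netboot-alpine:
    uses: ./.github/workflows/reusable-qemu-netboot-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
      family: alpine
      base_image: alpine:3.19
      model: generic
      variant: core
    needs:
      - trivy-cache
      - core-alpine

  upgrade:
    uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  upgrade-alpine:
    uses: ./.github/workflows/reusable-upgrade-with-cli-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
    needs:
      - trivy-cache
      - core-alpine

  upgrade-latest:
    uses: ./.github/workflows/reusable-upgrade-latest-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      family: "ubuntu"
      # release_matcher: "23.10" # introduced so tests can be green while we wait for the kairos release with the latest flavor release
    needs:
      - trivy-cache
      - core-ubuntu-24-lts

  # enable once the first alpine only release is out as it currently cannot find the latest alpine release properly
  # upgrade-latest-alpine:
  #   uses: ./.github/workflows/reusable-upgrade-latest-test.yaml
  #   with:
  #     flavor: alpine
  #     flavor_release: "3.19"
  #   needs:
  #     - trivy-cache
  #     - core-alpine

  # Matrix-driven: flavor/release come from `matrix`, so `with:` uses
  # expressions rather than literals. Currently a single ubuntu 24.04 entry.
  custom-partitioning:
    uses: ./.github/workflows/reusable-custom-partitioning-test.yaml
    secrets: inherit
    permissions:
      id-token: write # OIDC support
      contents: write
      security-events: write
      actions: read
      attestations: read
      checks: read
      deployments: read
      discussions: read
      issues: read
      packages: read
      pages: read
      pull-requests: read
      repository-projects: read
      statuses: read
    with:
      flavor: ${{ matrix.flavor }}
      flavor_release: ${{ matrix.flavorRelease }}
    needs:
      - trivy-cache
      - core-ubuntu-24-lts
    strategy:
      fail-fast: true
      matrix:
        flavor:
          - "ubuntu"
        flavorRelease:
          - "24.04"

  # One encryption-test run per `label`; the label names the scenario the
  # reusable workflow exercises (local key, remote auto/static, and the two
  # HTTPS certificate cases).
  encryption:
    uses: ./.github/workflows/reusable-encryption-test.yaml
    secrets: inherit
    with:
      flavor: ubuntu
      flavor_release: "24.04"
      label: ${{ matrix.label }}
    needs:
      - trivy-cache
      - core-ubuntu-24-lts
    strategy:
      fail-fast: true
      matrix:
        label:
          - "local-encryption"
          - "remote-auto"
          - "remote-static"
          - "remote-https-pinned"
          - "remote-https-bad-cert"

  encryption-alpine:
    uses: ./.github/workflows/reusable-encryption-test.yaml
    secrets: inherit
    with:
      flavor: alpine
      flavor_release: "3.19"
      label: ${{ matrix.label }}
    needs:
      - trivy-cache
      - core-alpine
    strategy:
      fail-fast: true
      matrix:
        label:
          - "local-encryption"
          - "remote-auto"
          - "remote-static"
          - "remote-https-pinned"
          - "remote-https-bad-cert"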