[cherry-pick] Add permissions for gcr login to base image build (#5860)…

… (#5862)
nginxinc · Jun 26, 2024 · b475ea6 · b475ea6
1 parent 67ef4d9
commit b475ea6
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 10 deletions.
diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
   contents: read
-  id-token: write
 
 jobs:
   checks:
@@ -44,6 +43,7 @@ jobs:
     permissions:
       contents: read
       pull-requests: write # for scout report
+      id-token: write
     strategy:
       fail-fast: false
       matrix:
@@ -113,6 +113,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false
@@ -185,6 +186,7 @@ jobs:
     needs: checks
     permissions:
       contents: read
+      id-token: write
       pull-requests: write # for scout report
     strategy:
       fail-fast: false

diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
@@ -118,6 +118,16 @@ jobs:
           fi
         if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
       - name: Build Base Container
         uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
         with:
@@ -191,7 +201,7 @@ jobs:
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
         continue-on-error: true
         with:
-          image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"

diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
@@ -123,6 +123,16 @@ jobs:
           fi
         if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+        with:
+          platforms: arm,arm64,ppc64le,s390x
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+        if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
       - name: Build Base Container
         uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
         with:
@@ -203,19 +213,13 @@ jobs:
       - name: Make directory for security scan results
         run: |
           mkdir -p "${{ inputs.image }}-results/"
-
-      - name: Extract image name for Scans
-        id: scan-tag
-        run: |
-          tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
-          echo "tag=$tag" >> $GITHUB_OUTPUT
         if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
       - name: Run Trivy vulnerability scanner
         uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
         continue-on-error: true
         with:
-          image-ref: ${{ steps.scan-tag.outputs.tag }}
+          image-ref: ${{ steps.meta.outputs.tags }}
           format: "sarif"
           output: "${{ inputs.image }}-results/trivy.sarif"
           ignore-unfixed: "true"
@@ -234,7 +238,7 @@ jobs:
         continue-on-error: true
         with:
           command: cves,recommendations
-          image: ${{ steps.scan-tag.outputs.tag }}
+          image: ${{ steps.meta.outputs.tags }}
           ignore-base: true
           only-fixed: true
           sarif-file: "${{ inputs.image }}-results/scout.sarif"