Bump chainguard/go from 872bcaa
to 8a6dfba
(#49)
#80
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
name: Build/Push Image and Release Charts | |
on: | |
pull_request: | |
paths-ignore: | |
- "chart/**/Chart.yaml" | |
- "chart/**/values.yaml" | |
push: | |
branches: | |
- main | |
paths-ignore: | |
- "chart/**/Chart.yaml" | |
- "chart/**/values.yaml" | |
permissions: read-all | |
jobs: | |
setenv: | |
runs-on: ubuntu-latest | |
outputs: | |
short_sha: ${{ steps.env.outputs.short_sha }} | |
chart_version: ${{ steps.env.outputs.chart_version }} | |
image_version: ${{ steps.env.outputs.image_version }} | |
image_tag: ${{ steps.env.outputs.image_tag }} | |
image_repo_tag: ${{ steps.env.outputs.image_repo_tag }} | |
image_repository: ${{ steps.env.outputs.image_repository }} | |
registry: ${{ steps.env.outputs.registry }} | |
branch: ${{ steps.env.outputs.branch }} | |
compname: ${{ steps.env.outputs.compname }} | |
dhurl: ${{ steps.env.outputs.dhurl }} | |
gh_handle: ${{ steps.env.outputs.gh_handle }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Checkout | |
id: checkout | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
with: | |
fetch-depth: 1 | |
- name: Export env | |
id: env | |
env: | |
DHURL: https://console.deployhub.com | |
REGISTRY: quay.io | |
BRANCH: ${{ github.head_ref || github.ref_name }} | |
run: | | |
BRANCH=$(echo "${{ env.BRANCH }}" | cut -d'/' -f1) | |
BASE_VERSION=$(curl -s "https://ortelius.github.io/${{ github.event.repository.name }}/index.yaml" | grep version: | awk '{print $2}' | cut -f1-2 -d. | sort -u -r --version-sort | head -1) | |
SHORT_SHA=$(echo ${{ github.sha }} | cut -c 1-6) | |
{ | |
echo "dhurl=${{ env.DHURL }}" | |
echo "branch=${BRANCH}" | |
echo "chart_version=${BASE_VERSION}.${{ github.run_number }}" | |
echo "compname=${{ github.event.repository.name }}" | |
echo "image_repo_tag=${{ env.REGISTRY }}/${{ github.repository }}:${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" | |
echo "image_repository=${{ env.REGISTRY }}/${{ github.repository }}" | |
echo "image_tag=${BRANCH}-v${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" | |
echo "image_version=${BASE_VERSION}.${{ github.run_number }}-g${SHORT_SHA}" | |
echo "registry=${{ env.REGISTRY }}" | |
echo "short_sha=${SHORT_SHA}" | |
echo "gh_handle=$GITHUB_ACTOR" | |
} >> "$GITHUB_OUTPUT" | |
release: | |
runs-on: ubuntu-latest | |
needs: setenv | |
outputs: | |
digest: ${{ steps.build.outputs.digest }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Checkout | |
id: checkout | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Login to Quay | |
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
id: login | |
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 | |
with: | |
registry: ${{ needs.setenv.outputs.registry }} | |
username: ${{ secrets.QUAY_USERID }} | |
password: ${{ secrets.QUAY_PASSWORD }} | |
- name: Build and Push Docker Image | |
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
id: build | |
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 | |
with: | |
push: true | |
tags: ${{ needs.setenv.outputs.image_repo_tag }} | |
- name: Build Docker Image | |
if: ${{ !(github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main') }} | |
id: build_only | |
uses: docker/build-push-action@1104d471370f9806843c095c1db02b5a90c5f8b6 # v3.3.1 | |
with: | |
tags: ${{ needs.setenv.outputs.image_repo_tag }} | |
trivy: | |
runs-on: ubuntu-latest | |
needs: [setenv, release] | |
permissions: | |
security-events: write | |
statuses: write | |
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Checkout | |
id: checkout | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # master | |
with: | |
image-ref: ${{ needs.setenv.outputs.image_repo_tag }} | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@168b99b3c22180941ae7dbdd5f5c9678ede476ba # v2.2.7 | |
if: always() | |
with: | |
sarif_file: "trivy-results.sarif" | |
helm: | |
runs-on: ubuntu-latest | |
needs: [setenv, release] | |
permissions: | |
contents: write | |
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: Helm Chart Releaser | |
uses: ortelius/ms-cr-action@d98a4163765db41dbc8159f3a31f30f77bbe23bd # v1.2 | |
with: | |
gpg_keyring_base64: ${{ secrets.GPG_KEYRING_BASE64 }} | |
gpg_passphrase: ${{ secrets.GPG_PASSPHRASE }} | |
gpg_key: ${{ secrets.GPG_KEY }} | |
gh_token: ${{ secrets.HELM_INDEXER_TOKEN }} | |
gh_handle: ${{ needs.setenv.outputs.gh_handle }} | |
chart: chart/${{ needs.setenv.outputs.compname }} | |
chart_version: ${{ needs.setenv.outputs.chart_version }} | |
image_repository: ${{ needs.setenv.outputs.image_repository }} | |
image_tag: ${{ needs.setenv.outputs.image_tag }} | |
image_digest: ${{ needs.release.outputs.digest }} | |
- name: Trigger Rebuild of Main Chart | |
uses: benc-uk/workflow-dispatch@798e70c97009500150087d30d9f11c5444830385 # v1.2.2 | |
with: | |
workflow: generate-main-chart.yml | |
repo: ortelius/ortelius-charts | |
token: ${{ secrets.HELM_INDEXER_TOKEN }} | |
sbom: | |
runs-on: ubuntu-latest | |
needs: [setenv, release] | |
if: ${{ github.repository_owner == 'ortelius' && github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@1f99358870fe1c846a3ccba386cc2b2246836776 # v2.2.1 | |
with: | |
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs | |
- name: SBOM | |
uses: ortelius/ms-sbom-action@78faa3aadef42708432a337fa2953a82ddfd2512 # v1.0.0 | |
with: | |
dhpass: ${{ secrets.DHPASS }} | |
dhurl: ${{ needs.setenv.outputs.dhurl }} | |
dhuser: ${{ secrets.DHUSER }} | |
compname: ${{ needs.setenv.outputs.compname }} | |
chart_version: ${{ needs.setenv.outputs.chart_version }} | |
git_branch: ${{ needs.setenv.outputs.branch }} | |
image_digest: ${{ needs.release.outputs.digest }} | |
image_repo_tag: ${{ needs.setenv.outputs.image_repo_tag }} | |
image_repository: ${{ needs.setenv.outputs.image_repository }} | |
image_tag: ${{ needs.setenv.outputs.image_tag }} | |
image_version: ${{ needs.setenv.outputs.image_version }} |