diff --git a/.github/workflows/job-container-dev-release.yaml b/.github/workflows/job-container-dev-release.yaml
index 99e5932..03d8fa4 100644
--- a/.github/workflows/job-container-dev-release.yaml
+++ b/.github/workflows/job-container-dev-release.yaml
@@ -240,7 +240,7 @@ on: description: default is latest type: string required: false - default: "twdps/gha-container-builder:0.1.0" + default: "latest" jobs:
@@ -257,7 +257,7 @@ jobs: uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: install dev-release dependencies - uses: ThoughtWorks-DPS/gha-tools-action/install@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/install@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: op-version: ${{ inputs.op-version }} teller-version: ${{ inputs.teller-version }}
@@ -275,7 +275,7 @@ jobs: instance: ${{ inputs.before-static-analysis }} - name: hadolint dockerfile - uses: ThoughtWorks-DPS/gha-tools-action/hadolint@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/hadolint@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} path: ${{ inputs.path }}
@@ -283,7 +283,7 @@ jobs: hadolint-additional-args: ${{ inputs.hadolint-additional-args }} - name: confirm registry credentials and access - uses: ThoughtWorks-DPS/gha-tools-action/confirm-registry@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/confirm-registry@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: registry: ${{ inputs.registry }}
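Review bot: In the `@@ -240,7 +240,7 @@` hunk the default drops from a fully qualified, version-pinned image reference to the bare tag `"latest"`, while the description still only says `default is latest`, so a caller cannot tell whether to pass a tag or a full `repository:tag` reference. The input's name and its consumer are outside this hunk; if it is used as a job-level `container:` the way `builder-image-version` is in publish-container.yaml later in this diff, `latest` on its own is not a resolvable image reference and the job would fail at startup. Independently of the format question, a mutable `latest` default means the job that holds the registry credentials runs inside whatever that tag resolves to at run time rather than a reviewed build; suggest keeping a pinned default such as `default: "twdps/gha-container-builder:0.1.0"` (ideally a `@sha256:` digest) and stating the expected format in `description:`.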
@@ -295,14 +295,14 @@ jobs: - name: set org.opencontainer creation date and version labels if: ${{ inputs.opencontainer-labels == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/set-labels@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/set-labels@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} path: ${{ inputs.path }} dockerfile: ${{ inputs.dockerfile }} - name: build gha container image - uses: ThoughtWorks-DPS/gha-tools-action/build@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/build@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -314,7 +314,7 @@ jobs: - name: perform snyk cve scan if: ${{ inputs.snyk-scan == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/snyk-scan@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/snyk-scan@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -330,7 +330,7 @@ jobs: - name: perform trivy image scan if: ${{ inputs.trivy-scan == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/trivy-scan@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/trivy-scan@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -341,7 +341,7 @@ jobs: - name: perform grype image scan if: ${{ inputs.grype-scan == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/grype-scan@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/grype-scan@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -352,7 +352,7 @@ jobs: - name: run bats test against running container if: ${{ inputs.bats-test == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/bats-test@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/bats-test@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry }}
@@ -369,7 +369,7 @@ jobs: instance: ${{ inputs.after-build }} - name: push image to container registry - uses: ThoughtWorks-DPS/gha-tools-action/push@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/push@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
diff --git a/.github/workflows/publish-container.yaml b/.github/workflows/publish-container.yaml
index dc059d6..d1e70fb 100644
--- a/.github/workflows/publish-container.yaml
+++ b/.github/workflows/publish-container.yaml
@@ -156,11 +156,18 @@ on: type: string default: "false" + builder-image-version: + description: default is latest + type: string + required: false + default: "latest" + jobs: publish-container: name: publish job container to registry runs-on: ubuntu-latest + container: ${{ inputs.builder-image-version }} env: OP_SERVICE_ACCOUNT_TOKEN: ${{ secrets.OP_SERVICE_ACCOUNT_TOKEN }}
@@ -170,7 +177,7 @@ jobs: uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.1.6 - name: install publish dependencies - uses: ThoughtWorks-DPS/gha-tools-action/install@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/install@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: op-version: ${{ inputs.op-version }} teller-version: ${{ inputs.teller-version }}
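Review bot: The new `container: ${{ inputs.builder-image-version }}` line in the publish-container.yaml `@@ -156,11 +156,18 @@` hunk passes the input straight through as the job's container image, yet the input is named and described as a version and defaults to the bare string `"latest"`, which is not a valid image reference on its own, so a caller that omits the input gets a job that cannot start. Either compose the reference in the workflow, e.g. `container: twdps/gha-container-builder:${{ inputs.builder-image-version }}` (the repository this same commit removes from the job-container-dev-release.yaml default), or rename and document the input as a full image reference. Because this job reads `OP_SERVICE_ACCOUNT_TOKEN` and, per the later hunks, tags, pushes and signs images, the image it runs in is inside the trust boundary: a mutable `latest` default lets any later push to that tag change what executes with those credentials, so a pinned tag or digest is the safer default. Note also that this `container:` has no `credentials:` block, so the image presumably has to be publicly pullable, which is worth stating in the description.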
@@ -186,12 +193,12 @@ jobs: instance: ${{ inputs.before-publish }} - name: confirm registry credentials and access - uses: ThoughtWorks-DPS/gha-tools-action/confirm-registry@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/confirm-registry@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: registry: ${{ inputs.registry }} - name: pull image to be published - uses: ThoughtWorks-DPS/gha-tools-action/pull@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/pull@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -199,7 +206,7 @@ jobs: tag: ${{ inputs.pull-tag }} - name: tag image with release version - uses: ThoughtWorks-DPS/gha-tools-action/tag@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/tag@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -209,7 +216,7 @@ jobs: - name: create additional release version tag if: ${{ inputs.release-tag != 'false' }} - uses: ThoughtWorks-DPS/gha-tools-action/tag@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/tag@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -218,7 +225,7 @@ jobs: release-tag: ${{ inputs.release-tag }} - name: push image to container registry - uses: ThoughtWorks-DPS/gha-tools-action/push@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/push@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -227,7 +234,7 @@ jobs: - name: push additional release tag to container registry if: ${{ inputs.release-tag != 'false' }} - uses: ThoughtWorks-DPS/gha-tools-action/push@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/push@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -242,7 +249,7 @@ jobs: - name: sign image using cosign if: ${{ inputs.sign-image == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/sign@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/sign@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -254,7 +261,7 @@ jobs: - name: generate sbom if: ${{ inputs.sign-image == 'true' }} - uses: ThoughtWorks-DPS/gha-tools-action/sbom@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/sbom@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: working-directory: ${{ inputs.working-directory }} registry: ${{ inputs.registry}}
@@ -262,13 +269,13 @@ jobs: - name: generate release notes if: ${{ inputs.gren == 'true' }} - uses: ThoughtWorks-DPS/common-actions/gren@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/common-actions/gren@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1 with: gren-additional-args: ${{ inputs.gren-additional-args }} - name: post new release message if: ${{ inputs.release-message != 'false' }} - uses: ThoughtWorks-DPS/common-actions/slack-bot@b7cf3979fa5745551c5a62afa5e8e07f75ffa687 # v0.1.0 + uses: ThoughtWorks-DPS/common-actions/slack-bot@f99d7641298c1d30a991c6bb51a5ce335901c47e # v0.2.0 with: channel: lab-events message: ${{ inputs.release-message }}
diff --git a/.github/workflows/release-version.yaml b/.github/workflows/release-version.yaml
index 0e3c331..e855b88 100644
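Review bot: In the `@@ -262,13 +269,13 @@` hunk the `generate release notes` step pins `ThoughtWorks-DPS/common-actions/gren` to `4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1`, which is the exact commit every `ThoughtWorks-DPS/gha-tools-action` reference in this diff uses, and the line it replaces had the same pattern with `62fed61ee4a732fb309006ef6c55f348b7db3441`. A commit SHA identifies a commit in one repository, and the `slack-bot` step two lines below resolves `common-actions` v0.2.0 to a different SHA (`f99d7641298c1d30a991c6bb51a5ce335901c47e`), so this looks like the gha-tools-action SHA copied across repositories; unless the two repositories share history, the step will fail to resolve when `inputs.gren == 'true'`, and if they do, the `# v0.2.1` comment is at best misleading. Please verify the `common-actions` commit that carries the intended `gren` release and pin to that, keeping the version comment in step with the SHA.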
--- a/.github/workflows/release-version.yaml
+++ b/.github/workflows/release-version.yaml
@@ -66,7 +66,7 @@ jobs: - name: post new release message if: ${{ inputs.release-message != 'false' }} - uses: ThoughtWorks-DPS/common-actions/slack-bot@b7cf3979fa5745551c5a62afa5e8e07f75ffa687 # v0.1.0 + uses: ThoughtWorks-DPS/common-actions/slack-bot@main with: channel: lab-events message: ${{ inputs.release-message }}
diff --git a/.github/workflows/static-code-analysis.yaml b/.github/workflows/static-code-analysis.yaml
index 8df83ae..79b96bc 100644
--- a/.github/workflows/static-code-analysis.yaml
+++ b/.github/workflows/static-code-analysis.yaml
@@ -109,10 +109,10 @@ jobs: instance: ${{ inputs.before-static-analysis }} - name: gha-tools-action/lint - uses: ThoughtWorks-DPS/gha-tools-action/lint@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/lint@main - name: gha-tools-action/check - uses: ThoughtWorks-DPS/gha-tools-action/check@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/check@main with: working-directory: ${{ inputs.working-directory }} shellcheck-version: ${{ inputs.shellcheck-version }}
@@ -126,7 +126,7 @@ jobs: shellcheck-format: ${{ inputs.shellcheck-format }} - name: gha-tools-action/scorecard - uses: ThoughtWorks-DPS/gha-tools-action/scorecard@62fed61ee4a732fb309006ef6c55f348b7db3441 # v0.2.0 + uses: ThoughtWorks-DPS/gha-tools-action/scorecard@main - name: run custom after-static-analysis action if: ${{ inputs.after-static-analysis != 'false' }}
diff --git a/README.md b/README.md
index 5eb82b6..818260b 100644
--- a/README.md
+++ b/README.md
@@ -17,7 +17,7 @@ Provides four workflows: ### static-code-analysis workflow -Performs the following actions. +Performs the following static code analysis. 1. yamllint 2. shellcheck 3. ossf/scorecard and upload results to repo security dashboard
diff --git a/op.env b/op.env
deleted file mode 100644
index fe9a891..0000000
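Review bot: The `slack-bot@main` reference in the release-version.yaml `@@ -66,7 +66,7 @@` hunk replaces a commit-SHA pin with a mutable branch, and the same regression appears for the `lint`, `check` and `scorecard` references in both static-code-analysis.yaml hunks (`@@ -109,10 +109,10 @@` and `@@ -126,7 +126,7 @@`). A branch ref means anyone who can push to `main` in those action repositories changes the code these reusable workflows run, with no change here to review, and it is inconsistent with the rest of this commit, which pins the same actions to `4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1`; it is also exactly what the `scorecard` step in this very workflow reports under Pinned-Dependencies. Suggest `uses: ThoughtWorks-DPS/common-actions/slack-bot@f99d7641298c1d30a991c6bb51a5ce335901c47e # v0.2.0` (the SHA publish-container.yaml uses in this commit) and `uses: ThoughtWorks-DPS/gha-tools-action/lint@4baf5677df945981d15017f0ffed8acaba1c6d8f # v0.2.1`, with the same SHA for `check` and `scorecard`. If `@main` was meant to pick up an unreleased fix temporarily, a comment saying so on the `uses:` line keeps it from becoming permanent.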
--- a/op.env
+++ /dev/null
@@ -1,7 +0,0 @@
-export DOCKER_LOGIN=op://empc-lab/svc-dockerhub/username
-export DOCKER_PASSWORD=op://empc-lab/svc-dockerhub/password
-export COSIGN_PASSWORD=op://empc-lab/svc-cosign/passphrase
-export SNYK_TOKEN=op://empc-lab/svc-snyk/api-token
-export GREN_GITHUB_TOKEN=op://empc-lab/svc-github/access-token
-export SLACK_BOT_TOKEN=op://empc-lab/svc-slack/post-bot-token
-export CIRCLE_TOKEN=op://empc-lab/svc-circleci/api-token
\ No newline at end of file