Skip to content

Update anchore/scan-action action to v5 (#99) #158

Update anchore/scan-action action to v5 (#99)

Update anchore/scan-action action to v5 (#99) #158

Workflow file for this run

name: CI
on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- main
env:
PLATFORMS: "linux/amd64, linux/arm64, linux/s390x, linux/ppc64le"
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
jobs:
build:
name: Build Binaries TCP/UDP
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0
with:
go-version: stable
- name: Build binary
uses: goreleaser/goreleaser-action@286f3b13b1b49da4ac219696163fb8c1c93e1200 # v6.0.0
with:
version: v2.3.2 # renovate: datasource=github-tags depName=goreleaser/goreleaser
args: build --clean ${{ !startsWith(github.ref, 'refs/tags/') && '--snapshot' || '' }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Store Artifacts in Cache
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/dist
key: test-containers-${{ github.run_id }}-${{ github.run_number }}
build-docker:
name: Build Docker Images TCP/UDP
runs-on: ubuntu-24.04
needs: build
strategy:
matrix:
type: [tcp, udp]
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Fetch Cached Artifacts
uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a # v4.1.2
with:
path: ${{ github.workspace }}/dist
key: test-containers-${{ github.run_id }}-${{ github.run_number }}
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
ghcr.io/nginxinc/kic-test-${{ matrix.type }}-server
tags: |
type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.description=KIC Test ${{ matrix.type }} Server
- name: Build Docker image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: build-push
with:
file: ${{ matrix.type }}/Dockerfile
context: "."
cache-from: type=gha,scope=${{ matrix.type }}
cache-to: type=gha,scope=${{ matrix.type }},mode=max
target: goreleaser
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
continue-on-error: true
id: scan
with:
image: ghcr.io/nginxinc/kic-test-${{ matrix.type }}-server:${{ steps.meta.outputs.version }}
only-fixed: true
add-cpes-if-none: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
build-grpc:
name: Build Docker Image gRPC
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
ghcr.io/nginxinc/kic-test-grpc-server
tags: |
type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.description=KIC Test gRPC Server
- name: Build Docker image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: build-push
with:
file: grpc/Dockerfile
context: "."
cache-from: type=gha,scope=grpc
cache-to: type=gha,scope=grpc,mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
continue-on-error: true
id: scan
with:
image: ghcr.io/nginxinc/kic-test-grpc-server:${{ steps.meta.outputs.version }}
only-fixed: true
add-cpes-if-none: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
build-dos-server:
name: Build Docker Image DOS Server
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
with:
platforms: arm64,ppc64le,s390x
if: github.event_name != 'pull_request'
- name: Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
with:
images: |
ghcr.io/nginxinc/kic-test-dos-server
tags: |
type=edge
type=ref,event=pr
type=semver,pattern={{version}}
labels: |
org.opencontainers.image.description=KIC Test DOS Server
- name: Build Docker image
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
id: build-push
with:
file: nap-dos/Dockerfile
context: "."
cache-from: type=gha,scope=dos-server
cache-to: type=gha,scope=dos-server,mode=max
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
load: ${{ github.event_name == 'pull_request' }}
push: ${{ github.event_name != 'pull_request' }}
pull: true
no-cache: ${{ github.event_name != 'pull_request' }}
- name: Run Grype vulnerability scanner
uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
continue-on-error: true
id: scan
with:
image: ghcr.io/nginxinc/kic-test-dos-server:${{ steps.meta.outputs.version }}
only-fixed: true
add-cpes-if-none: true
- name: upload Anchore scan SARIF report
uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
draft-release:
name: Create Release Draft
runs-on: ubuntu-24.04
if: github.event_name != 'pull_request'
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Create/Update Draft
uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
with:
minor-label: "enhancement"
major-label: "change"
collapse-after: 20
publish: ${{ github.ref_type == 'tag' }}