Switch to using a composite action instead

There are few issues with a Docker container action. For example, the path to the Azure Container Scan report is an absolute path in the workspace, but when using a Docker container action, the workspace is mounted in a '/github/workspace' folder, making it too complicated to reuse the path. This would require transforming the Container Scan output path so it can be used from within the container.
rm3l · Nov 3, 2021 · e33ab5c · e33ab5c
1 parent 866fb06
commit e33ab5c
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 26 deletions.
diff --git a/Dockerfile b/Dockerfile
diff --git a/action.yml b/action.yml
@@ -19,10 +19,21 @@ inputs:
 outputs:
   sarif-report-path:
     description: 'Path to the SARIF report generated. Relative to the GitHub workspace'
+    value: ${{ steps.scan-to-sarif.outputs.sarif-report-path }}
 runs:
-  using: 'docker'
-  image: 'Dockerfile'
-  args:
-    - ${{ inputs.converter-version }}
-    - ${{ inputs.input-file }}
-    - ${{ inputs.output-file }}
+  using: "composite"
+  steps:
+    - id: container-scan-to-sarif-downloader
+      run: |
+        mkdir -p ~/.local/bin
+        curl -L "https://github.com/rm3l/container-scan-to-sarif/releases/download/${{ inputs.converter-version }}/container-scan-to-sarif_${{ inputs.converter-version }}_Linux_x86_64.tar.gz" \
+          | tar zx -C ~/.local/bin
+        chmod +x ~/.local/bin/container-scan-to-sarif
+      shell: bash
+    - id: scan-to-sarif
+      run: |
+        ~/.local/bin/container-scan-to-sarif \
+          -input "${{ inputs.input-file }}" \
+          -output "${{ inputs.output-file }}"
+        echo "::set-output name=sarif-report-path::${{ inputs.output-file }}"
+      shell: bash
diff --git a/entrypoint.sh b/entrypoint.sh