Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138) #2
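# Reusable CI workflow (workflow_call): lint the Dockerfile, build the image,
# scan it with Snyk, run unit tests, then push to GHCR / Docker Hub and cut a
# signed GitHub release on tags.
name: Build
on:
  workflow_call:
    inputs:
      # Shell snippet the unit-test action runs before the tests. It is spliced
      # into a shell command in the test-unit job, so callers must only pass
      # trusted code here.
      node-code-pre-test:
        required: false
        type: string
      # Image name, optionally prefixed with a Docker Hub username
      # ("user/image"); also used as the ghcr.io repository path.
      image-name:
        required: true
        type: string
    secrets:
      SNYK_TOKEN:
        required: false
      DOCKERHUB_USERNAME:
        required: false
      # Docker Hub credential; a scoped access token is preferable to the
      # account password.
      DOCKERHUB_PASSWORD:
        required: false
      # Used by the release job to sign the artifacts. Declared here so callers
      # that pass secrets explicitly (instead of `secrets: inherit`) can supply
      # them; they stay optional so existing callers are unaffected.
      GPG_PRIVATE_KEY:
        required: false
      GPG_PASSPHRASE:
        required: false
    outputs:
      # Local-only tag of the freshly built image, for callers that test it.
      test-tag:
        value: ${{ jobs.build.outputs.test-tag }}
# Deny-by-default GITHUB_TOKEN: jobs that need a scope request it explicitly;
# jobs without a permissions block get no scopes at all.
permissions: {}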
jobs:
  # Delegates the language-agnostic checks to the sibling reusable workflow.
  # NOTE(review): `secrets: inherit` forwards every secret this workflow
  # received, not only the ones declared above; narrow it to an explicit list
  # if build-general.yml only needs a subset.
  call-workflow:
    uses: ./.github/workflows/build-general.yml
    secrets: inherit
    # Upper bound on the token scopes the called workflow's jobs may request.
    permissions:
      security-events: write
      actions: read
      contents: read
      issues: read
      pull-requests: read
    with:
      # Presumably the Node pre-test hook is run by the test-unit job below
      # instead, so it is switched off in the general workflow.
      node-code-pre-test: DISABLE
  hadolint:
    name: Lint Dockerfile with Hadolint
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # Egress is deny-by-default; github.com is the only endpoint the
      # checkout needs.
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            github.com:443
      # Fetch only the Dockerfile and do not leave the token in .git/config.
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          sparse-checkout: src/Dockerfile
          sparse-checkout-cone-mode: false
          persist-credentials: false
          show-progress: false
      # Any finding down to style level fails the job.
      - name: Lint
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
        with:
          dockerfile: src/Dockerfile
          failure-threshold: style
metadata: | ||
name: Get Docker image metadata | ||
runs-on: ubuntu-latest | ||
outputs: | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
annotations: ${{ steps.meta.outputs.annotations }} | ||
sanitized-name: ${{ steps.sanitize.outputs.name }} | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
- name: Sanitize image name for Docker Hub | ||
id: sanitize | ||
run: | | ||
username=${name%/*} | ||
(test $username == $name && echo "name=$name" || echo "name=$(echo $username | tr -d '-')/${name#*/}") >> $GITHUB_OUTPUT | ||
env: | ||
name: ${{ inputs.image-name }} | ||
- name: Extract metadata (tags, labels) for Docker | ||
id: meta | ||
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 | ||
with: | ||
images: | | ||
${{ github.event.repository.private && format('ghcr.io/{0}', inputs.image-name) || steps.sanitize.outputs.name }} | ||
ghcr.io/${{ inputs.image-name }} | ||
tags: | | ||
type=ref,event=branch | ||
type=semver,pattern={{version}} | ||
type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref_name, 'v0.0') }} | ||
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref_name, 'v0') }} | ||
type=sha,prefix={{branch}}-,enable=${{ github.ref_type != 'tag' }} | ||
type=schedule,pattern=weekly | ||
build: | ||
needs: metadata | ||
name: Build Docker image | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
outputs: | ||
test-tag: ${{ steps.set-outputs.outputs.test-tag }} | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
github.com:443 | ||
registry-1.docker.io:443 | ||
auth.docker.io:443 | ||
docker.io:443 | ||
production.cloudflare.docker.com:443 | ||
dl-cdn.alpinelinux.org:443 | ||
- name: Set outputs | ||
id: set-outputs | ||
run: | | ||
echo "test-tag=${{ inputs.image-name }}:test" >> $GITHUB_OUTPUT | ||
- name: Build | ||
uses: warriors-life/.warriors-life-workflows/build-docker-image@dev # TODO: Why GitHub Actions don't support calling local actions from reusable workflows? | ||
with: | ||
tags: ${{ steps.set-outputs.outputs.test-tag }} | ||
labels: ${{ needs.metadata.outputs.labels }} | ||
annotations: ${{ needs.metadata.outputs.annotations }} | ||
- name: Upload Docker image | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | ||
with: | ||
name: Docker image | ||
path: /tmp/image.tar | ||
snyk-docker: | ||
if: needs.call-workflow.outputs.run-snyk == 'true' | ||
needs: [build, call-workflow] | ||
name: Check Docker image for vulnerabilities with Snyk | ||
permissions: | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
api.github.com:443 | ||
api.snyk.io:443 | ||
- name: Download Docker image | ||
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e | ||
with: | ||
name: Docker image | ||
path: /tmp | ||
- name: Load image | ||
run: docker load --input /tmp/image.tar | ||
- name: Run Snyk | ||
uses: snyk/actions/docker@b98d498629f1c368650224d6d212bf7dfa89e4bf | ||
env: | ||
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | ||
with: | ||
image: ${{ needs.build.outputs.test-tag }} | ||
args: --sarif-file-output=snyk-docker.sarif | ||
continue-on-error: true | ||
- name: Replace security-severity for license-related findings # https://github.com/github/codeql-action/issues/2187 | ||
run: sed -i 's/"security-severity": "(undefined|null)"/"security-severity": "0"/g' snyk-docker.sarif | ||
- name: Upload output | ||
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 | ||
with: | ||
name: Snyk (Docker) | ||
path: snyk-docker.sarif | ||
- name: Upload SARIF to dashboard | ||
if: "!github.event.repository.private" | ||
uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c | ||
with: | ||
category: Snyk (Docker) | ||
sarif_file: snyk-docker.sarif | ||
  test-unit:
    needs: build
    name: Run unit tests
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      # npm registry and GitHub object storage for the test dependencies;
      # Docker Hub endpoints presumably for images the tests pull.
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            github.com:443
            objects.githubusercontent.com:443
            registry.npmjs.org:443
            registry-1.docker.io:443
            auth.docker.io:443
            production.cloudflare.docker.com:443
      # Only the test directory is needed; the token is not persisted.
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          sparse-checkout: test
          persist-credentials: false
          show-progress: false
      # Reuse the exact image built earlier rather than rebuilding it.
      - name: Download Docker image
        uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
        with:
          name: Docker image
          path: /tmp
      - name: Load image
        run: docker load --input /tmp/image.tar
      # NOTE(review): the caller-supplied node-code-pre-test snippet is
      # concatenated into a shell command here, so it is executed as-is; this
      # action is also referenced by the mutable `dev` branch, not a SHA.
      - name: Run unit tests
        uses: warriors-life/.warriors-life-workflows/run-unit-tests@dev
        with:
          node-code-pre-test: ${{ format('export TEST_IMAGE="{0}" && {1}', needs.build.outputs.test-tag, inputs.node-code-pre-test) }}
push: | ||
if: github.event_name != 'pull_request' | ||
needs: [hadolint, metadata, build, snyk-docker, test-unit] | ||
name: Push Docker image to the registry | ||
runs-on: ubuntu-latest | ||
permissions: | ||
packages: write | ||
contents: read | ||
steps: | ||
- name: Harden runner | ||
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4 | ||
with: | ||
disable-sudo: true | ||
egress-policy: block | ||
allowed-endpoints: > | ||
github.com:443 | ||
ghcr.io:443 | ||
registry-1.docker.io:443 | ||
auth.docker.io:443 | ||
index.docker.io:443 | ||
docker.io:443 | ||
production.cloudflare.docker.com:443 | ||
hub.docker.com:443 | ||
dl-cdn.alpinelinux.org:443 | ||
- name: Split image name | ||
id: split | ||
run: | | ||
username=${name%/*} | ||
test $username == $name && username='' | ||
echo "username=$username" >> $GITHUB_OUTPUT | ||
env: | ||
name: ${{ inputs.image-name }} | ||
- name: Login to GHCR | ||
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 | ||
with: | ||
registry: ghcr.io | ||
username: ${{ github.actor }} | ||
password: ${{ github.token }} | ||
- name: Login to Docker Hub | ||
if: "!github.event.repository.private" | ||
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME || steps.split.outputs.username }} | ||
password: ${{ secrets.DOCKERHUB_PASSWORD }} | ||
- name: Build and push Docker image | ||
uses: warriors-life/.warriors-life-workflows/build-docker-image@dev | ||
with: | ||
multi-platforms: true | ||
tags: ${{ needs.metadata.outputs.tags }} | ||
labels: ${{ needs.metadata.outputs.labels }} | ||
annotations: ${{ needs.metadata.outputs.annotations }} | ||
push: true | ||
- name: Update Docker Hub description | ||
if: "!github.event.repository.private && (github.ref_type == 'tag')" | ||
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae | ||
with: | ||
username: ${{ secrets.DOCKERHUB_USERNAME || steps.split.outputs.username }} | ||
password: ${{ secrets.DOCKERHUB_PASSWORD }} | ||
repository: ${{ needs.metadata.outputs.sanitized-name }} | ||
short-description: ${{ github.event.repository.description }} | ||
enable-url-completion: true | ||
  release:
    if: github.ref_type == 'tag'
    needs: [metadata, push]
    name: Release
    runs-on: ubuntu-latest
    # contents: write is required to create the release and upload assets;
    # this is the only job in the workflow with a write scope on the repo.
    permissions:
      contents: write
    steps:
      # uploads.github.com is for the release assets; the Docker Hub / Alpine
      # endpoints are for the rebuild below.
      - name: Harden runner
        uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
        with:
          disable-sudo: true
          egress-policy: block
          allowed-endpoints: >
            api.github.com:443
            uploads.github.com:443
            github.com:443
            registry-1.docker.io:443
            auth.docker.io:443
            docker.io:443
            production.cloudflare.docker.com:443
            dl-cdn.alpinelinux.org:443
      # Full checkout (needed for `git archive` of the tag); token not persisted.
      - name: Checkout
        uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
        with:
          persist-credentials: false
          show-progress: false
      # Rebuilt (not pushed) so the image tarball to be signed is produced in
      # this job; `checkout: false` reuses the checkout above. NOTE(review):
      # referenced by the mutable `dev` branch, not a SHA.
      - name: Rebuild Docker image
        uses: warriors-life/.warriors-life-workflows/build-docker-image@dev
        with:
          checkout: false
          multi-platforms: true
          tags: ${{ needs.metadata.outputs.tags }}
          labels: ${{ needs.metadata.outputs.labels }}
          annotations: ${{ needs.metadata.outputs.annotations }}
      - name: Extract release notes
        id: extract-release-notes
        uses: ffurrer2/extract-release-notes@9989ccec43d726ef05aa1cd7b2854fb96b6df6ab
      # These secrets are not declared in the workflow_call `secrets` block, so
      # callers can only provide them via `secrets: inherit`.
      - name: Import GPG key
        uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
        with:
          gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
          passphrase: ${{ secrets.GPG_PASSPHRASE }}
      # "<repo>-<version>" with the leading "v" dropped from the tag, e.g.
      # "myrepo-1.2.3"; inputs arrive via env vars, not ${{ }} in the script.
      - name: Get archive name
        id: archive-name
        run: |
          echo "name=$repository-${tag#v}" >> $GITHUB_OUTPUT
        env:
          tag: ${{ github.ref_name }}
          repository: ${{ github.event.repository.name }}
      # Detached ASCII-armored signatures for the source archive and the image
      # tarball. The `gzip -cn` override is presumably meant to make the
      # archive byte-identical to GitHub's auto-generated source tarball (only
      # the .asc is uploaded below, not the .tar.gz itself) — confirm the
      # signature verifies against the auto-generated asset.
      - name: Sign files
        run: |
          git -c tar.tar.gz.command='gzip -cn' archive --format=tar.gz --prefix="$archivename/" -o "../$archivename.tar.gz" "$tag"
          gpg --armor --detach-sign "../$archivename.tar.gz"
          gpg --armor --detach-sign /tmp/image.tar
        env:
          tag: ${{ github.ref_name }}
          archivename: ${{ steps.archive-name.outputs.name }}
      # Fails if any listed asset is missing, so a silent signing failure
      # cannot produce an unsigned release.
      - name: Release
        uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
        with:
          files: |
            /tmp/image.tar
            /tmp/image.tar.asc
            ../${{ steps.archive-name.outputs.name }}.tar.gz.asc
          body: ${{ steps.extract-release-notes.outputs.release_notes }}
          fail_on_unmatched_files: true