Skip to content

Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138) #2

Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138)

Bump ossf/scorecard-action from 2.3.1 to 2.3.3 (#138) #2

Workflow file for this run

name: Build
on:
workflow_call:
inputs:
node-code-pre-test:
required: false
type: string
image-name:
required: true
type: string
secrets:
SNYK_TOKEN:
required: false
DOCKERHUB_USERNAME:
required: false
DOCKERHUB_PASSWORD:
required: false
outputs:
test-tag:
value: ${{ jobs.build.outputs.test-tag }}
permissions: {}
jobs:
call-workflow:
uses: ./.github/workflows/build-general.yml
secrets: inherit
permissions:
security-events: write
actions: read
contents: read
issues: read
pull-requests: read
with:
node-code-pre-test: DISABLE
hadolint:
name: Lint Dockerfile with Hadolint
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
with:
sparse-checkout: src/Dockerfile
sparse-checkout-cone-mode: false
persist-credentials: false
show-progress: false
- name: Lint
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf
with:
dockerfile: src/Dockerfile
failure-threshold: style
metadata:
name: Get Docker image metadata
runs-on: ubuntu-latest
outputs:
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
sanitized-name: ${{ steps.sanitize.outputs.name }}
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
- name: Sanitize image name for Docker Hub
id: sanitize
run: |
username=${name%/*}
(test $username == $name && echo "name=$name" || echo "name=$(echo $username | tr -d '-')/${name#*/}") >> $GITHUB_OUTPUT
env:
name: ${{ inputs.image-name }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: |
${{ github.event.repository.private && format('ghcr.io/{0}', inputs.image-name) || steps.sanitize.outputs.name }}
ghcr.io/${{ inputs.image-name }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}},enable=${{ !startsWith(github.ref_name, 'v0.0') }}
type=semver,pattern={{major}},enable=${{ !startsWith(github.ref_name, 'v0') }}
type=sha,prefix={{branch}}-,enable=${{ github.ref_type != 'tag' }}
type=schedule,pattern=weekly
build:
needs: metadata
name: Build Docker image
runs-on: ubuntu-latest
permissions:
contents: read
outputs:
test-tag: ${{ steps.set-outputs.outputs.test-tag }}
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
registry-1.docker.io:443
auth.docker.io:443
docker.io:443
production.cloudflare.docker.com:443
dl-cdn.alpinelinux.org:443
- name: Set outputs
id: set-outputs
run: |
echo "test-tag=${{ inputs.image-name }}:test" >> $GITHUB_OUTPUT
- name: Build
uses: warriors-life/.warriors-life-workflows/build-docker-image@dev # TODO: Why GitHub Actions don't support calling local actions from reusable workflows?
with:
tags: ${{ steps.set-outputs.outputs.test-tag }}
labels: ${{ needs.metadata.outputs.labels }}
annotations: ${{ needs.metadata.outputs.annotations }}
- name: Upload Docker image
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
with:
name: Docker image
path: /tmp/image.tar
snyk-docker:
if: needs.call-workflow.outputs.run-snyk == 'true'
needs: [build, call-workflow]
name: Check Docker image for vulnerabilities with Snyk
permissions:
security-events: write
runs-on: ubuntu-latest
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
api.snyk.io:443
- name: Download Docker image
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Docker image
path: /tmp
- name: Load image
run: docker load --input /tmp/image.tar
- name: Run Snyk
uses: snyk/actions/docker@b98d498629f1c368650224d6d212bf7dfa89e4bf
env:
SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
with:
image: ${{ needs.build.outputs.test-tag }}
args: --sarif-file-output=snyk-docker.sarif
continue-on-error: true
- name: Replace security-severity for license-related findings # https://github.com/github/codeql-action/issues/2187
run: sed -i 's/"security-severity": "(undefined|null)"/"security-severity": "0"/g' snyk-docker.sarif

Check failure on line 171 in .github/workflows/build-docker.yml

View workflow run for this annotation

GitHub Actions / .github/workflows/build-docker.yml

Invalid workflow file

You have an error in your yaml syntax on line 171
- name: Upload output
uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808
with:
name: Snyk (Docker)
path: snyk-docker.sarif
- name: Upload SARIF to dashboard
if: "!github.event.repository.private"
uses: github/codeql-action/upload-sarif@f31a31c052207cc13b328d6295c5b728bb49568c
with:
category: Snyk (Docker)
sarif_file: snyk-docker.sarif
test-unit:
needs: build
name: Run unit tests
runs-on: ubuntu-latest
permissions:
contents: read
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
github.com:443
objects.githubusercontent.com:443
registry.npmjs.org:443
registry-1.docker.io:443
auth.docker.io:443
production.cloudflare.docker.com:443
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
with:
sparse-checkout: test
persist-credentials: false
show-progress: false
- name: Download Docker image
uses: actions/download-artifact@65a9edc5881444af0b9093a5e628f2fe47ea3b2e
with:
name: Docker image
path: /tmp
- name: Load image
run: docker load --input /tmp/image.tar
- name: Run unit tests
uses: warriors-life/.warriors-life-workflows/run-unit-tests@dev
with:
node-code-pre-test: ${{ format('export TEST_IMAGE="{0}" && {1}', needs.build.outputs.test-tag, inputs.node-code-pre-test) }}
push:
if: github.event_name != 'pull_request'
needs: [hadolint, metadata, build, snyk-docker, test-unit]
name: Push Docker image to the registry
runs-on: ubuntu-latest
permissions:
packages: write
contents: read
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
github.com:443
ghcr.io:443
registry-1.docker.io:443
auth.docker.io:443
index.docker.io:443
docker.io:443
production.cloudflare.docker.com:443
hub.docker.com:443
dl-cdn.alpinelinux.org:443
- name: Split image name
id: split
run: |
username=${name%/*}
test $username == $name && username=''
echo "username=$username" >> $GITHUB_OUTPUT
env:
name: ${{ inputs.image-name }}
- name: Login to GHCR
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ github.token }}
- name: Login to Docker Hub
if: "!github.event.repository.private"
uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20
with:
username: ${{ secrets.DOCKERHUB_USERNAME || steps.split.outputs.username }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
- name: Build and push Docker image
uses: warriors-life/.warriors-life-workflows/build-docker-image@dev
with:
multi-platforms: true
tags: ${{ needs.metadata.outputs.tags }}
labels: ${{ needs.metadata.outputs.labels }}
annotations: ${{ needs.metadata.outputs.annotations }}
push: true
- name: Update Docker Hub description
if: "!github.event.repository.private && (github.ref_type == 'tag')"
uses: peter-evans/dockerhub-description@e98e4d1628a5f3be2be7c231e50981aee98723ae
with:
username: ${{ secrets.DOCKERHUB_USERNAME || steps.split.outputs.username }}
password: ${{ secrets.DOCKERHUB_PASSWORD }}
repository: ${{ needs.metadata.outputs.sanitized-name }}
short-description: ${{ github.event.repository.description }}
enable-url-completion: true
release:
if: github.ref_type == 'tag'
needs: [metadata, push]
name: Release
runs-on: ubuntu-latest
permissions:
contents: write
steps:
- name: Harden runner
uses: step-security/harden-runner@a4aa98b93cab29d9b1101a6143fb8bce00e2eac4
with:
disable-sudo: true
egress-policy: block
allowed-endpoints: >
api.github.com:443
uploads.github.com:443
github.com:443
registry-1.docker.io:443
auth.docker.io:443
docker.io:443
production.cloudflare.docker.com:443
dl-cdn.alpinelinux.org:443
- name: Checkout
uses: actions/checkout@44c2b7a8a4ea60a981eaca3cf939b5f4305c123b
with:
persist-credentials: false
show-progress: false
- name: Rebuild Docker image
uses: warriors-life/.warriors-life-workflows/build-docker-image@dev
with:
checkout: false
multi-platforms: true
tags: ${{ needs.metadata.outputs.tags }}
labels: ${{ needs.metadata.outputs.labels }}
annotations: ${{ needs.metadata.outputs.annotations }}
- name: Extract release notes
id: extract-release-notes
uses: ffurrer2/extract-release-notes@9989ccec43d726ef05aa1cd7b2854fb96b6df6ab
- name: Import GPG key
uses: crazy-max/ghaction-import-gpg@01dd5d3ca463c7f10f7f4f7b4f177225ac661ee4
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.GPG_PASSPHRASE }}
- name: Get archive name
id: archive-name
run: |
echo "name=$repository-${tag#v}" >> $GITHUB_OUTPUT
env:
tag: ${{ github.ref_name }}
repository: ${{ github.event.repository.name }}
- name: Sign files
run: |
git -c tar.tar.gz.command='gzip -cn' archive --format=tar.gz --prefix="$archivename/" -o "../$archivename.tar.gz" "$tag"
gpg --armor --detach-sign "../$archivename.tar.gz"
gpg --armor --detach-sign /tmp/image.tar
env:
tag: ${{ github.ref_name }}
archivename: ${{ steps.archive-name.outputs.name }}
- name: Release
uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87
with:
files: |
/tmp/image.tar
/tmp/image.tar.asc
../${{ steps.archive-name.outputs.name }}.tar.gz.asc
body: ${{ steps.extract-release-notes.outputs.release_notes }}
fail_on_unmatched_files: true