Fixes #99
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # This workflow will build and push a signed Docker image | |
| name: Build and sign image | |
| on: | |
| pull_request: | |
| types: | |
| - closed | |
| branches: | |
| - "main" | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| jobs: | |
| build_and_sign_image: | |
| if: ${{ github.event.pull_request.merged }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| security-events: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v3 | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@d13028333d784fcc802b67ec924bcebe75aa0a5f #v3.0.2 | |
| with: | |
| cosign-release: 'v1.13.1' | |
| - name: Log into registry ${{ env.REGISTRY }} for ${{ github.actor }} | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| - name: Build Docker Image | |
| id: docker-build-and-push | |
| uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| push: true | |
| tags: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest,${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{github.run_number}} | |
| - name: Sign the published Docker images | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| # This step uses the identity token to provision an ephemeral certificate | |
| # against the sigstore community Fulcio instance. | |
| run: cosign sign "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker-build-and-push.outputs.digest }}" | |
| # NOTE: This runs statically against the latest tag in Docker Hub which was not produced by this workflow | |
| # This should be updated once this workflow is fully implemented | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@1f0aa582c8c8f5f7639610d6d38baddfea4fdcee # 0.9.2 | |
| continue-on-error: true | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest | |
| format: 'sarif' | |
| output: 'trivy-results-${{ inputs.image }}.sarif' | |
| ignore-unfixed: 'true' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@d186a2a36cc67bfa1b860e6170d37fb9634742c7 # v2.2.11 | |
| continue-on-error: true | |
| with: | |
| sarif_file: 'trivy-results-${{ inputs.image }}.sarif' | |
| sha: ${{ github.sha }} | |
| ref: ${{ github.ref }} |