chore(deps): Bump ruby from a2c3be0
to 25a9df5
#472
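# Pull-request CI: lints the variant Dockerfile, builds and pushes a multi-arch
# image to ghcr.io, generates per-platform SBOMs, submits them to the
# Dependency Graph and uploads Hadolint/Grype results as SARIF.
name: Pull Request

# yamllint disable-line rule:truthy
on:
  pull_request:
    branches:
      - main
    paths-ignore:
      - .github/dependabot.yaml
      - .github/workflows/commit.yaml
      - .github/workflows/release.yaml

jobs:
  build:
    name: Build OCI Image
    # Least-privilege GITHUB_TOKEN scopes instead of write-all; each scope maps
    # to a step in this job:
    # - contents: write        -> Dependency Graph submission (checkout only needs read)
    # - packages: write        -> pushing the image to ghcr.io after docker/login-action
    # - security-events: write -> github/codeql-action/upload-sarif
    # - actions: read          -> upload-sarif on private repositories
    permissions:
      actions: read
      contents: write
      packages: write
      security-events: write
    strategy:
      # Keep building the other variant when one fails so both reports are produced.
      fail-fast: false
      matrix:
        variant: [musl, glibc]
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    env:
      # Comma-separated so it can be passed straight to build-push-action and
      # word-split with ${PLATFORMS//,/ } in the shell steps below.
      PLATFORMS: "linux/amd64,linux/arm64"
    steps:
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2

      # SOURCE_DATE_EPOCH is derived from the last commit so the image build is
      # reproducible for a given commit; it is exported both as a step output
      # (for build-args) and as an env var.
      - name: Setup
        id: setup
        run: |
          set -euo pipefail
          source_date_epoch="$(git log -1 --pretty=%ct)"
          echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}"
          echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}"

      - name: Install Crane
        uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

      # NOTE(review): `version: latest` (here and for Grype/Hadolint below)
      # resolves to whatever the newest release is at run time, so the toolchain
      # is not reproducible between runs; pin a release if that matters.
      - name: Install Syft
        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          owner: anchore
          repository: syft
          check_command: syft --version
          version: latest

      - name: Install Grype
        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          owner: anchore
          repository: grype
          check_command: grype --version
          version: latest

      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

      - name: Install Hadolint
        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          owner: hadolint
          repository: hadolint
          arch_amd64: x86_64
          os_linux: Linux
          extract: false
          filename_format: "{name}-{os}-{arch}"
          check_command: hadolint --version
          version: latest

      # --no-fail: findings are surfaced through the SARIF upload rather than
      # by failing this step. matrix.variant is a fixed literal from the matrix
      # above, so interpolating it into the command is safe.
      - name: Run Hadolint
        run: |
          set -euo pipefail
          hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif

      - name: Upload Hadolint SARIF report
        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
        with:
          category: hadolint-${{ matrix.variant }}
          sarif_file: hadolint-${{ matrix.variant }}.sarif

      # NOTE(review): the authors e-mail below appears redacted by the page
      # renderer ("[email protected]"); confirm the real value in the repository.
      - name: Generate OCI image metadata
        id: metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          flavor: |
            latest=false
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=sha
          labels: |
            org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
            org.opencontainers.image.authors=Steve Hipwell <[email protected]>

      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # provenance/sbom attestations are disabled here because SBOMs are
      # generated explicitly with Syft in the following step.
      - name: Build OCI image
        id: build
        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
        with:
          file: ./${{ matrix.variant }}.dockerfile
          context: .
          provenance: false
          sbom: false
          platforms: ${{ env.PLATFORMS }}
          cache-from: type=gha,scope=buildkit-${{ matrix.variant }}
          cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          push: true
          build-args: |
            SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }}

      # One SPDX SBOM per platform, resolved from the pushed image's per-platform
      # digest so the SBOM matches exactly what was published.
      - name: Generate SBOMs
        id: sboms
        run: |
          set -euo pipefail
          default_image="ghcr.io/${{ github.repository }}"
          sha_tag="${{ steps.metadata.outputs.version }}"
          for platform in ${PLATFORMS//,/ }
          do
            digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")"
            syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json" "${default_image}@${digest}"
          done

      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: ${{ matrix.variant }}-sboms
          retention-days: 28
          if-no-files-found: error
          path: "*.spdx.json"

      - name: Upload SBOMs to Dependency Graph
        uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filePath: "."
          filePattern: "*.spdx.json"

      # Scans the SBOM files written above (not the image) and writes one SARIF
      # file per platform into a directory that upload-sarif consumes whole.
      - name: Scan SBOMs with Grype
        id: grype
        run: |
          set -euo pipefail
          directory_path="grype-results"
          mkdir -p "${directory_path}"
          for platform in ${PLATFORMS//,/ }
          do
            sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif"
            grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
          done
          # Quoted to match the Setup step; an unquoted $GITHUB_OUTPUT would be word-split.
          echo "path=${directory_path}" >> "${GITHUB_OUTPUT}"

      - name: Upload Grype SARIF report
        uses: github/codeql-action/upload-sarif@662472033e021d55d94146f66f6058822b0b39fd # v3.27.0
        with:
          category: grype-${{ matrix.variant }}
          sarif_file: ${{ steps.grype.outputs.path }}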