Skip to content

Commit

Permalink
feat: Use another step to avoid docker registry change
Browse files Browse the repository at this point in the history
  • Loading branch information
PerfectSlayer committed Aug 21, 2024
1 parent 3a22858 commit 203a15c
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 27 deletions.
43 changes: 25 additions & 18 deletions .github/workflows/ci.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,25 +13,29 @@ on:
workflow_dispatch:

jobs:
build_push_and_check:
name: Build docker image, publish it and run vuln scanner against it
build_push:
name: Build and publish docker images
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
packages: write # for image publication to GitHub Packages
runs-on: ubuntu-latest
outputs:
LATEST_IMAGE_TAG: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # 4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # 2.4.1
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # 3.6.1
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # 2.1.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # 3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Free Disk Space (Ubuntu) # Reclaim disk space for build
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1
- name: Build images
id: build
run: ./build
Expand All @@ -41,33 +45,36 @@ jobs:
run: ./build --describe >> $GITHUB_STEP_SUMMARY
- name: Push images
run: ./build --push
- name: Free Disk Space (Ubuntu) # Required by trivy to have enough space to scan full image
uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
with:
large-packages: false # Temporary fix for https://github.com/jlumbroso/free-disk-space/issues/4

check:
name: Check published docker image
needs: build_push
permissions:
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
runs-on: ubuntu-latest
steps:
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: '${{ steps.build.outputs.LATEST_IMAGE_TAG }}'
image-ref: '${{ needs.build_push.outputs.LATEST_IMAGE_TAG }}'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'

keepalive-job:
name: Keep repository alive to prevent workflows to be disabled
if: ${{ always() }}
needs: build_push_and_check
needs: build_push
permissions:
actions: write
actions: write # for gautamkrishnar/keepalive-workflow to keep the workflow alive
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # 4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
- name: Keep workflow alive
uses: gautamkrishnar/keepalive-workflow@306efe4fc63923e36571682b4f4b3e3eee8b6625 # v1.2.6
with:
use_api: true
uses: gautamkrishnar/keepalive-workflow@24ba73b43d5ea8d2b3d56fb9b8de951ba9a3dd18 # v2.0.6
4 changes: 2 additions & 2 deletions .github/workflows/docker-tag.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,9 +14,9 @@ jobs:
packages: write
steps:
- name: Checkout repository
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # 3.3.0
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # 4.1.7
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # 2.1.0
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # 3.3.0
with:
registry: ghcr.io
username: ${{ github.actor }}
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/registry-cleanup.yml
Original file line number Diff line number Diff line change
Expand Up @@ -13,7 +13,7 @@ jobs:
packages: write
steps:
- name: Prune untagged images
uses: vlaurin/action-ghcr-prune@0a539594d122b915e71c59733a5b115bfaaf5d52 #v0.5.0
uses: vlaurin/action-ghcr-prune@0cf7d39f88546edd31965acba78cdcb0be14d641 #v0.6.0
with:
token: ${{ secrets.GITHUB_TOKEN }}
organization: Datadog
Expand Down
13 changes: 7 additions & 6 deletions .github/workflows/vuln-check.yml
Original file line number Diff line number Diff line change
Expand Up @@ -24,22 +24,23 @@ jobs:
- name: Checkout code
uses: actions/checkout@v3

- name: Free Disk Space (Ubuntu) # Required by trivy to have enough space to scan full image
uses: jlumbroso/free-disk-space@76866dbe54312617f00798d1762df7f43def6e5c # v1.2.0
with:
large-packages: false # Temporary fix for https://github.com/jlumbroso/free-disk-space/issues/4
- name: Free Disk Space (Ubuntu) # Reclaim disk space for build
uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be # v1.3.1

- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0
with:
image-ref: 'ghcr.io/datadog/dd-trace-java-docker-build:latest'
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
limit-severities-for-sarif: true
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}

- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
if: always()
with:
sarif_file: 'trivy-results.sarif'

0 comments on commit 203a15c

Please sign in to comment.