Skip to content

Merge pull request #2 from axoflow/feat-trivy #1

Merge pull request #2 from axoflow/feat-trivy

Merge pull request #2 from axoflow/feat-trivy #1

Workflow file for this run

name: Release
on:
push:
tags: ["v*"]
jobs:
Release:
permissions:
id-token: write
packages: write
contents: write
security-events: write
strategy:
matrix:
GOOS: [linux]
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v4
with:
fetch-depth: 0
- uses: sigstore/cosign-installer@v2
- uses: docker/setup-qemu-action@v3
with:
platforms: arm64
- uses: docker/setup-buildx-action@v3
- uses: actions/setup-go@v5
with:
go-version: '~1.21.7'
check-latest: true
- name: Generate distribution sources
run: make generate-sources
- name: Login to GitHub Package Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- shell: bash
run: |
echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_ENV
- uses: goreleaser/goreleaser-action@v5
id: goreleaser-action
with:
distribution: goreleaser
version: v1.24.0
args: release --clean --timeout 2h
env:
GOOS: ${{ matrix.GOOS }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
COSIGN_EXPERIMENTAL: true
- uses: actions/upload-artifact@v4
with:
name: all-artifacts
path: dist/*/*
- name: Install jq
run: sudo apt-get install -y jq
- name: Extract Docker image with digest
id: image-with-digest
shell: bash
run: |
echo '${{ steps.goreleaser-action.outputs.artifacts }}' >> output-artifacts.json
DOCKER_IMAGE=$(jq -r '.[] | select(.type == "Docker Manifest" and (.path | test(":[0-9]+"))) | "\(.path)@\(.extra.Digest)"' ./output-artifacts.json)
echo "DOCKER_IMAGE=$DOCKER_IMAGE" >> "$GITHUB_OUTPUT"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: ${{ steps.image-with-digest.outputs.DOCKER_IMAGE }}
format: sarif
output: trivy-results.sarif
- name: Upload Trivy scan results as artifact
uses: actions/upload-artifact@v4
with:
name: "[${{ github.job }}] Trivy scan results"
path: trivy-results.sarif
retention-days: 5
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif