Skip to content

Bump actions/checkout from 3 to 4 #26

Bump actions/checkout from 3 to 4

Bump actions/checkout from 3 to 4 #26

name: build and scan PR container
on:
pull_request:
jobs:
build:
name: Build PR image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: create maven settings.xml
uses: s4u/[email protected]
with:
servers: |
[{
"id":"github-clearinghouse",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
},
{
"id":"github-crypt4gh",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
}]
- name: Copy settings.xml to project root
shell: bash
run: cp /home/runner/.m2/settings.xml ./settings.xml
- name: Log in to the Github Container registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build container
uses: docker/build-push-action@v4
with:
context: .
file: ./Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}:PR${{ github.event.number }}
ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
labels: |
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
org.opencontainers.image.revision=${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@fbd16365eb88e12433951383f5e99bd901fc618f
with:
image-ref: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
format: "sarif"
hide-progress: true
ignore-unfixed: true
output: 'trivy-results.sarif'
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'