
chore(deps): Bump the github-actions group with 4 updates #437

chore(deps): Bump the github-actions group with 4 updates


Workflow file for this run

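---
# Pull-request CI for the Fluentd aggregator OCI image.
#
# For each matrix variant (musl, glibc) the job lints the Dockerfile with
# Hadolint, builds and pushes a multi-platform image to ghcr.io, generates a
# per-platform SPDX SBOM with Syft, submits the SBOMs to the dependency graph
# and scans them with Grype. Hadolint and Grype results are uploaded as SARIF
# to code scanning.
#
# Every third-party action is pinned to a full commit SHA; the trailing
# comment records the tag that SHA corresponds to.
name: Pull Request
on:
  pull_request:
    branches:
      - main
    # Edits confined to these files do not trigger an image build.
    paths-ignore:
      - .github/dependabot.yaml
      - .github/workflows/commit.yaml
      - .github/workflows/release.yaml
jobs:
  build:
    name: Build OCI Image
    # NOTE(review): write-all grants every GITHUB_TOKEN scope to a
    # PR-triggered job. From the steps below it appears to need only
    # contents: write (dependency submission; also covers checkout),
    # packages: write (ghcr push), security-events: write (SARIF upload) and
    # actions: read; confirm against each action's documentation and replace
    # write-all with that explicit list.
    permissions: write-all
    strategy:
      # Keep building the other variant when one fails.
      fail-fast: false
      matrix:
        variant: [musl, glibc]
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    env:
      # Comma-separated list passed to build-push-action as-is and split into
      # loop words by the SBOM and Grype steps.
      PLATFORMS: "linux/amd64,linux/arm64"
    steps:
      - name: Checkout
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Setup
        id: setup
        # Records the commit timestamp of HEAD both as a step output and as
        # SOURCE_DATE_EPOCH in the job environment; the build step passes the
        # output on as a build-arg.
        run: |
          set -euo pipefail
          source_date_epoch="$(git log -1 --pretty=%ct)"
          echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}"
          echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}"
      # crane resolves the per-platform image digests in the SBOM step.
      - name: Install Crane
        uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4
      # NOTE(review): the "latest" tool versions requested below float with
      # upstream releases, so two runs of the same commit may use different
      # scanner builds; pin them if reproducible scan results matter.
      - name: Install Syft
        uses: anchore/sbom-action/download-syft@ab9d16d4b419c9d1a02df5213fa0ebe965ca5a57 # v0.17.1
        with:
          syft-version: latest
      - name: Install Grype
        uses: anchore/scan-action/download-grype@bc9adf64917dd9444d6cf4dd68620c34ca3a5f69 # v4.1.1
        with:
          grype-version: latest
      - name: Set up QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
      - name: Install Hadolint
        uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
        with:
          github_token: ${{ secrets.GITHUB_TOKEN }}
          owner: hadolint
          repository: hadolint
          arch_amd64: x86_64
          os_linux: Linux
          extract: false
          filename_format: "{name}-{os}-{arch}"
          check_command: hadolint --version
          version: latest
      # --no-fail keeps lint findings from failing the job; they are surfaced
      # through the SARIF upload that follows instead.
      - name: Run Hadolint
        run: |
          set -euo pipefail
          hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif
      - name: Upload Hadolint SARIF report
        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
        with:
          # Distinct category per variant keeps the two uploads apart.
          category: hadolint-${{ matrix.variant }}
          sarif_file: hadolint-${{ matrix.variant }}.sarif
      - name: Generate OCI image metadata
        id: metadata
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          # PR builds are tagged by commit SHA only; no latest tag is produced.
          flavor: |
            latest=false
          images: |
            ghcr.io/${{ github.repository }}
          tags: |
            type=sha
          labels: |
            org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
            org.opencontainers.image.authors=Steve Hipwell <[email protected]>
      - name: Login to GitHub Container Registry
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Build OCI image
        id: build
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          file: ./${{ matrix.variant }}.dockerfile
          context: .
          # BuildKit's own provenance/SBOM attestations are disabled; SBOMs
          # are generated from the pushed image by Syft in a later step.
          provenance: false
          sbom: false
          platforms: ${{ env.PLATFORMS }}
          # GitHub Actions layer cache, scoped per variant.
          cache-from: type=gha,scope=buildkit-${{ matrix.variant }}
          cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          # The image is pushed so crane and syft below can read it back from
          # the registry by digest.
          push: true
          build-args: |
            SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }}
      - name: Generate SBOMs
        id: sboms
        run: |
          set -euo pipefail
          default_image="ghcr.io/${{ github.repository }}"
          sha_tag="${{ steps.metadata.outputs.version }}"
          # ${PLATFORMS//,/ } turns the comma list into loop words;
          # ${platform#*/} strips the "linux/" prefix for the file name.
          for platform in ${PLATFORMS//,/ }
          do
            digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")"
            syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json" "${default_image}@${digest}"
          done
      - name: Upload SBOM artifacts
        uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6
        with:
          name: ${{ matrix.variant }}-sboms
          retention-days: 28
          # A missing SBOM is a failure, not a silently empty artifact.
          if-no-files-found: error
          path: "*.spdx.json"
      - name: Upload SBOMs to Dependency Graph
        uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
          filePath: "."
          filePattern: "*.spdx.json"
      - name: Scan SBOMs with Grype
        id: grype
        # Scans each per-platform SBOM and writes one SARIF file per platform
        # into grype-results/, exporting the directory as the step output.
        run: |
          set -euo pipefail
          directory_path="grype-results"
          mkdir -p "${directory_path}"
          for platform in ${PLATFORMS//,/ }
          do
            sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif"
            grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
          done
          # Quoted like the Setup step so a path containing spaces cannot
          # break the redirection.
          echo "path=${directory_path}" >> "${GITHUB_OUTPUT}"
      - name: Upload Grype SARIF report
        uses: github/codeql-action/upload-sarif@429e1977040da7a23b6822b13c129cd1ba93dbb2 # v3.26.2
        with:
          category: grype-${{ matrix.variant }}
          # A directory: upload-sarif picks up the per-platform files in it.
          sarif_file: ${{ steps.grype.outputs.path }}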