chore: Replaced Anchore actions (#359) #371

Workflow file for this run

.github/workflows/commit.yaml at 70ca270

	name: Commit

	on:
	workflow_dispatch:
	push:
	branches:
	- main
	paths-ignore:
	- .github/dependabot.yaml
	- .github/workflows/pull-request.yaml
	- .github/workflows/release.yaml

	jobs:
	build:
	name: Build OCI Image
	permissions: write-all
	strategy:
	fail-fast: false
	matrix:
	variant: [musl, glibc]
	runs-on: ubuntu-latest
	defaults:
	run:
	shell: bash
	env:
	PLATFORMS: "linux/amd64,linux/arm64"
	steps:
	- name: Checkout
	uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1

	- name: Setup
	id: setup
	run: \|
	set -euo pipefail

	source_date_epoch="$(git log -1 --pretty=%ct)"

	echo "source_date_epoch=${source_date_epoch}" >> "${GITHUB_OUTPUT}"
	echo "SOURCE_DATE_EPOCH=${source_date_epoch}" >> "${GITHUB_ENV}"

	- name: Install Crane
	uses: imjasonh/setup-crane@31b88efe9de28ae0ffa220711af4b60be9435f6e # v0.4

	- name: Install Syft
	uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	owner: anchore
	repository: syft
	check_command: syft --version
	version: latest

	- name: Install Grype
	uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	owner: anchore
	repository: grype
	check_command: grype --version
	version: latest

	- name: Install Cosign
	uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

	- name: Set up QEMU
	uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1

	- name: Install Hadolint
	uses: action-stars/install-tool-from-github-release@ece2623611b240002e0dd73a0d685505733122f6 # v0.2.4
	with:
	github_token: ${{ secrets.GITHUB_TOKEN }}
	owner: hadolint
	repository: hadolint
	arch_amd64: x86_64
	os_linux: Linux
	extract: false
	filename_format: "{name}-{os}-{arch}"
	check_command: hadolint --version
	version: latest

	- name: Run Hadolint
	run: \|
	set -euo pipefail
	hadolint --no-fail --format sarif ./${{ matrix.variant }}.dockerfile > ./hadolint-${{ matrix.variant }}.sarif

	- name: Upload Hadolint SARIF report
	uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
	with:
	category: hadolint-${{ matrix.variant }}
	sarif_file: hadolint-${{ matrix.variant }}.sarif

	- name: Generate OCI image metadata
	id: metadata
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	flavor: \|
	latest=false
	images: \|
	ghcr.io/${{ github.repository }}
	tags: \|
	type=sha
	labels: \|
	org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
	org.opencontainers.image.authors=Steve Hipwell <[email protected]>

	- name: Login to GitHub Container Registry
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	registry: ghcr.io
	username: ${{ github.actor }}
	password: ${{ secrets.GITHUB_TOKEN }}

	- name: Build OCI image
	id: build
	uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0
	with:
	file: ./${{ matrix.variant }}.dockerfile
	context: .
	provenance: false
	sbom: false
	platforms: ${{ env.PLATFORMS }}
	cache-from: type=gha,scope=buildkit-${{ matrix.variant }}
	cache-to: type=gha,scope=buildkit-${{ matrix.variant }},mode=max
	tags: ${{ steps.metadata.outputs.tags }}
	labels: ${{ steps.metadata.outputs.labels }}
	push: true
	build-args: \|
	SOURCE_DATE_EPOCH=${{ steps.setup.outputs.source_date_epoch }}

	- name: Generate SBOMs
	id: sboms
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	sbom_paths=""

	for platform in ${PLATFORMS//,/ }
	do
	digest="$(crane digest "${default_image}:${sha_tag}" --platform="${platform}")"

	sbom_path="syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
	syft --source-name "${{ github.repository }}" --source-version "${digest}" --platform "${platform}" -o "spdx-json=${sbom_path}" "${default_image}@${digest}"
	sbom_paths="${sbom_paths}${sbom_path},"
	done

	echo "paths=${sbom_paths%,}" >> $GITHUB_OUTPUT

	- name: Upload SBOM artifacts
	uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
	with:
	name: ${{ matrix.variant }}-sboms
	retention-days: 28
	if-no-files-found: error
	path: "*.spdx.json"

	- name: Upload SBOMs to Dependency Graph
	uses: advanced-security/spdx-dependency-submission-action@5530bab9ee4bbe66420ce8280624036c77f89746 # v0.1.1
	with:
	token: ${{ secrets.GITHUB_TOKEN }}
	filePath: "."
	filePattern: "*.spdx.json"

	- name: Scan SBOMs with Grype
	id: grype
	run: \|
	set -euo pipefail

	directory_path="grype-results"
	mkdir -p "${directory_path}"

	for platform in ${PLATFORMS//,/ }
	do
	sarif_path="${directory_path}/grype-scan-${{ matrix.variant }}-${platform#*/}.sarif"
	grype --platform "${platform}" -o "sarif=${sarif_path}" "sbom:syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json"
	done

	echo "path=${directory_path}" >> $GITHUB_OUTPUT

	- name: Upload Grype SARIF report
	uses: github/codeql-action/upload-sarif@c36620d31ac7c881962c3d9dd939c40ec9434f2b # v3.26.12
	with:
	category: grype-${{ matrix.variant }}
	sarif_file: ${{ steps.grype.outputs.path }}

	- name: Login to DockerHub
	uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
	with:
	username: ${{ vars.DOCKERHUB_USERNAME }}
	password: ${{ secrets.DOCKERHUB_TOKEN }}

	- name: Push OCI image tags
	id: push
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	digest="${{ steps.build.outputs.digest }}"

	images="docker.io/${{ github.repository }}"
	tags="${{ matrix.variant }}-main"

	if [[ "${{ matrix.variant }}" == "musl" ]]
	then
	tags="${tags},main"
	fi

	references="${default_image}:${sha_tag}"

	for image in ${images//,/ }
	do
	crane copy --platform all "${default_image}:${sha_tag}@${digest}" "${image}:${sha_tag}"
	references="${references},${image}:${sha_tag}"
	done

	images="${images},${default_image}"

	for image in ${images//,/ }
	do
	for tag in ${tags//,/ }
	do
	crane tag --platform all "${image}:${sha_tag}@${digest}" "${tag}"
	references="${references},${image}:${tag}"
	done
	done

	echo "references=${references}" >> $GITHUB_OUTPUT

	- name: Sign OCI image
	run: \|
	set -euo pipefail

	default_image="ghcr.io/${{ github.repository }}"
	sha_tag="${{ steps.metadata.outputs.version }}"
	references="${{ steps.push.outputs.references }}"

	for reference in ${references//,/ }
	do
	cosign sign --yes=true --recursive "${reference}@${{ steps.build.outputs.digest }}"
	done

	for platform in ${PLATFORMS//,/ }
	do
	digest="$(crane digest "${default_image}:${sha_tag}@${{ steps.build.outputs.digest }}" --platform="${platform}")"

	for reference in ${references//,/ }
	do
	cosign attest --yes --type spdxjson --predicate syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
	cosign attach sbom --type spdx --input-format json --sbom syft-sbom-${{ matrix.variant }}-${platform#*/}.spdx.json "${reference}@${digest}"
	sbom_digest="$(crane digest "${reference%:*}:${digest/:/-}.sbom")"
	cosign sign --yes=true "${reference%:*}:${digest/:/-}.sbom@${sbom_digest}"
	done
	done

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Replaced Anchore actions (#359) #371

Workflow file

chore: Replaced Anchore actions (#359) #371

Jobs

Run details

Workflow file for this run