Skip to content

Patch

Patch #11

Workflow file for this run

name: "Patch"
on:
schedule:
- cron: "0 0 * * *" # nightly
permissions:
contents: read
packages: write
jobs:
patch:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
images: ['ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64', 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64']
steps:
- name: Harden Runner
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
with:
egress-policy: audit
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
with:
scan-type: 'image'
format: 'json'
output: 'report.json'
ignore-unfixed: true
vuln-type: 'os'
image-ref: ${{ matrix.images }}
- name: Check Vuln Count
id: vuln_cout
run: |
report_file="report.json"
vuln_count=$(jq '.Results[0].Vulnerabilities | length' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Copa Action
if: steps.vuln_cout.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/copa-action@1eb86b0907bce48225b66dc9488c7d329c2d48a0 # v1.0.0
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: 'patched'
buildkit-version: 'v0.12.1'
- name: Push patched image
if: steps.copa.conclusion == 'success'
run: |
docker tag ghcr.io/azure/azure-workload-identity/proxy-init:patched ${{ matrix.images }}
docker push ${{ matrix.images }}
create-updated-manifest:
needs: patch
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@cba0d00b1fc9a034e1e642ea0f1103c282990604 # v2.5.0
with:
egress-policy: audit
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Docker manifest create
run: |
export DOCKER_CLI_EXPERIMENTAL=enabled
docker manifest create ghcr.io/azure/azure-workload-identity/proxy-init:latest --amend ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64 --amend ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64
docker manifest push ghcr.io/azure/azure-workload-identity/proxy-init:latest