.github/workflows/container-scan.yaml

name: Container Scans

permissions:
  actions: read
  contents: write # for sbom-action artifact uploads

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  merge_group:
    paths-ignore:
    - "LICENSE"
    - "CODEOWNERS"
    
jobs:
  container-scans:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.10.3
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Use Node.js latest
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 20
          cache: "npm"
      - name: Install Pepr Dependencies
        run: npm ci
      - name: Build Pepr Controller Image
        run: npm run build:image
      - name: Configure Grype Ignore File
        run: |
          mkdir -p ~/.grype
          echo "ignore:" > ~/.grype.yaml
          echo "  - vulnerability: GHSA-3xgq-45jj-v275" >> ~/.grype.yaml
      - name: Vulnerability Scan
        uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0
        with:
          image: "pepr:dev"
          fail-build: true
          severity-cutoff: high
      - name: Generate SBOM
        uses: anchore/sbom-action@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
        with:
          image: pepr:dev
          upload-artifact: true
          upload-artifact-retention: 30