From 6cd931da50a22b3a939369afa3f4a5a920d2f7ff Mon Sep 17 00:00:00 2001
From: Paul Abel <128620221+pdabelf5@users.noreply.github.com>
Date: Wed, 26 Jun 2024 09:18:42 +0100
Subject: [PATCH] add permissions for gcr login to base image build (#5860)

---
 .github/workflows/build-base-images.yml | 4 +++-
 .github/workflows/build-oss.yml | 6 +++---
 .github/workflows/build-plus.yml | 15 ++++----------
 3 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index a19a86772d..66fd1aa2d0 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
 contents: read
- id-token: write
 
 jobs:
 checks:
@@ -50,6 +49,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write # for scout report
+ id-token: write
 strategy:
 fail-fast: false
 matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
@@ -113,6 +113,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+ id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false
@@ -180,6 +181,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+ id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index f06a819290..67d350c78e 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
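Review bot: The three job-level `id-token: write` additions (hunks -50, -113 and -180) carry no rationale comment, unlike the adjacent `pull-requests: write # for scout report`, and hunk -50 places the key after `pull-requests:` while the other two place it before. Because `id-token: write` lets a job mint OIDC tokens that a cloud provider exchanges for credentials, the reason for granting it deserves to be recorded inline, e.g. `id-token: write # OIDC token for GCR login`, in the same position in all three jobs. Dropping it from the workflow-level block in hunk -16 scopes the permission to the jobs that need it, which is the right direction; whether each of the three jobs actually contains a GCR login step is outside the hunks.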
@@ -112,11 +112,11 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 with:
 platforms: arm,arm64,ppc64le,s390x
- if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Build Base Container
 uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
@@ -182,7 +182,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 with:
- image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+ image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 75aa787dbe..fb5eb86337 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -117,11 +117,11 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 with:
 platforms: arm,arm64,ppc64le,s390x
- if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
- if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Build Base Container
 uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
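Review bot: The expanded condition `steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true'` is now written out verbatim on both the QEMU and Buildx steps here and again on the same two steps in build-plus.yml (hunk -117), four copies that must be edited together to stay in sync. Computing the decision once in the `images_exist` step (outside the hunk) as a single output, say `build_needed`, would reduce each guard to `if: ${{ steps.images_exist.outputs.build_needed == 'true' }}`. Whether the `Build Base Container` step that follows carries a matching `base_exists` guard is not visible, since its `if:` lies past the end of the hunk.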
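Review bot: `steps.meta.outputs.tags` is docker/metadata-action's complete tag list, newline-separated whenever more than one tag is configured, while `image-ref` expects a single reference; unless the `meta` step (defined outside the hunk) emits exactly one tag, the scanner is handed a multi-line value rather than an image. The same substitution is made in build-plus.yml at hunk -196 (`image-ref`) and hunk -224 (scout `image`), where it also replaces a step that deliberately selected the single tag containing `f5-gcs-7899`, so which registry copy is scanned there may change silently. Selecting one element, e.g. `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, keeps the input single-valued, and if a particular registry must be the scan target it should be chosen explicitly as the removed step did. The remaining inputs of the Trivy step continue beyond the hunk.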
@@ -196,17 +196,10 @@ jobs:
 mkdir -p "${{ inputs.image }}-results/"
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
- - name: Extract image name for Scans
- id: scan-tag
- run: |
- tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
- echo "tag=$tag" >> $GITHUB_OUTPUT
- if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 with:
- image-ref: ${{ steps.scan-tag.outputs.tag }}
+ image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
@@ -224,7 +217,7 @@ jobs:
 uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves,recommendations
- image: ${{ steps.scan-tag.outputs.tag }}
+ image: ${{ steps.meta.outputs.tags }}
 ignore-base: true
 only-fixed: true
 sarif-file: "${{ inputs.image }}-results/scout.sarif"