diff --git a/.github/workflows/build-base-images.yml b/.github/workflows/build-base-images.yml
index ff0d203344..b18d17dd64 100644
--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -16,7 +16,6 @@ concurrency:
 permissions:
 contents: read
- id-token: write
 jobs:
 checks:
@@ -44,6 +43,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write # for scout report
+ id-token: write
 strategy:
 fail-fast: false
 matrix:
@@ -113,6 +113,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+ id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false
@@ -185,6 +186,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+ id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false
diff --git a/.github/workflows/build-oss.yml b/.github/workflows/build-oss.yml
index 999071c05c..74a932e899 100644
--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -118,6 +118,16 @@ jobs:
 fi
 if: ${{ inputs.authenticated && ! inputs.full-build }}
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ platforms: arm,arm64,ppc64le,s390x
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
 - name: Build Base Container
 uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
 with:
@@ -191,7 +201,7 @@ jobs:
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 continue-on-error: true
 with:
- image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+ image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
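Review bot: The `id-token: write` added to the job-level permissions block (here and in the two identical hunks that follow) carries no comment naming what consumes the OIDC token, while the neighbouring `pull-requests: write # for scout report` does. Moving the grant from the workflow level down to the three build jobs, and out of `checks`, is the right least-privilege direction, so the remaining gap is documentation: `id-token: write # OIDC token for registry/cloud login` — substitute the actual login step if that is not the consumer. The `on:` trigger block is outside these hunks, so it is worth confirming that none of these jobs can run fork-supplied code (e.g. via `pull_request_target`), since `id-token: write` together with `pull-requests: write` would then be exposed to it.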
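Review bot: The new `Setup QEMU` step in build-oss.yml pins the action to a commit SHA but leaves its `image` input at the default, so the binfmt installer container the action runs is still pulled by a floating tag rather than a digest; if the build toolchain is meant to be reproducible, add `image: tonistiigi/binfmt@sha256:…` (presumably the default for this action version is a `:latest` tag — confirm against the pinned revision). The `if:` guard triggers whenever either `images_exist` output is not the literal string `'true'`, which also covers the case where that step was skipped and set no output at all; that looks intended, but a comment such as `# also runs when images_exist was skipped (empty output != 'true')` would make it explicit, and the same expression is repeated verbatim on the Buildx step where it can drift. The `Build Base Container` step begins inside the hunk but its inputs and condition run past it, so whether it shares this guard cannot be checked here.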
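Review bot: `image-ref: ${{ steps.meta.outputs.tags }}` in the build-oss.yml Trivy step hands the scanner the metadata action's complete tag list, which is a multi-line string whenever more than one tag is generated, whereas the old value was a single reference; the build-plus.yml part of this same commit removes a jq step that picked one entry out of `.tags[]`, so multiple tags are evidently expected. Because the step keeps `continue-on-error: true`, a scanner that rejects or misparses a multi-line ref fails quietly and no `trivy.sarif` is produced, which silently removes the vulnerability gate. Select one tag explicitly, e.g. `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}` — assuming the metadata step exposes the `json` output, which the removed jq step read via the equivalent `DOCKER_METADATA_OUTPUT_JSON` — and consider dropping `continue-on-error` so a scan that cannot run is visible in the job result.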
diff --git a/.github/workflows/build-plus.yml b/.github/workflows/build-plus.yml
index 60540ebc27..c2f9c376bc 100644
--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -123,6 +123,16 @@ jobs:
 fi
 if: ${{ inputs.authenticated && ! inputs.full-build }}
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ platforms: arm,arm64,ppc64le,s390x
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
 - name: Build Base Container
 uses: docker/build-push-action@f6010ea70151369b06f0194be1051fbbdff851b2 # v6.0.2
 with:
@@ -203,19 +213,13 @@ jobs:
 - name: Make directory for security scan results
 run: |
 mkdir -p "${{ inputs.image }}-results/"
-
- - name: Extract image name for Scans
- id: scan-tag
- run: |
- tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
- echo "tag=$tag" >> $GITHUB_OUTPUT
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 continue-on-error: true
 with:
- image-ref: ${{ steps.scan-tag.outputs.tag }}
+ image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
@@ -234,7 +238,7 @@ jobs:
 continue-on-error: true
 with:
 command: cves,recommendations
- image: ${{ steps.scan-tag.outputs.tag }}
+ image: ${{ steps.meta.outputs.tags }}
 ignore-base: true
 only-fixed: true
 sarif-file: "${{ inputs.image }}-results/scout.sarif"
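Review bot: As in build-oss.yml, the `Setup QEMU` step added here pins the action by SHA but not the binfmt image it executes, because the `image` input is left at its default (presumably a `:latest` tag for v3.0.0 — confirm); add `image: tonistiigi/binfmt@sha256:…` if the cross-build toolchain should be reproducible and auditable. The identical `if:` expression on both new steps has no comment saying why the setup is conditional; `# only needed when a base or target image has to be (re)built` above the first step would explain it and make a later divergence between the two conditions easier to spot.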
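Review bot: Removing the `Extract image name for Scans` step leaves its trailing `if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}` as a context line that now attaches to the preceding `Make directory for security scan results` step, so `mkdir -p "${{ inputs.image }}-results/"` becomes conditional where it was unconditional before; if that is not intended, the `if:` should have been removed with the step, and if it is intended the later steps writing `output:`/`sarif-file:` into that directory need the same guard (their conditions are outside the hunk). Separately, `image-ref: ${{ steps.meta.outputs.tags }}` replaces a deliberately selected single tag with the full tag list, which is multi-line when several tags are produced, and with `continue-on-error: true` a scanner that cannot parse it fails without producing `trivy.sarif`. Use one tag, e.g. `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, and note that the removed jq filtered for the `f5-gcs-7899` registry, so whichever entry is chosen must be one the runner is authenticated to pull.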
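Review bot: `image: ${{ steps.meta.outputs.tags }}` gives the Scout step the whole tag list rather than the single `f5-gcs-7899` reference the removed jq step selected, so when the metadata step emits more than one tag this input is a multi-line string, and with `continue-on-error: true` a rejected value produces no `scout.sarif` and no failure. Pick one entry explicitly, e.g. `image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, assuming the metadata step exposes the `json` output, and keep it the same expression as the Trivy step above so both scanners report on the same image. The step's `uses:` line and `if:` condition lie outside the hunk, so whether it is gated on a successful push cannot be checked here.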