chore(ci): update action #314
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Push Alpine Dev Image | |
| on: | |
| push: | |
| branches: | |
| - '0.2.2' | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| security-events: write | |
| jobs: | |
| push_dev_image: | |
| name: Build and Push Dev Image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: linux/amd64,linux/arm64 | |
| - uses: docker/setup-buildx-action@v3 | |
| with: | |
| install: true | |
| driver-opts: | | |
| image=moby/buildkit:v0.12.5 | |
| - name: Install Cosign | |
| uses: sigstore/[email protected] | |
| - uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - uses: docker/metadata-action@v5 | |
| id: meta | |
| with: | |
| images: orenlab/pytmbot | |
| tags: | | |
| type=raw,value=alpine-dev | |
| labels: | | |
| org.opencontainers.image.title=pyTMbot | |
| org.opencontainers.image.description=Telegram bot for Docker monitoring | |
| org.opencontainers.image.source=https://github.com/orenlab/pytmbot | |
| - uses: docker/build-push-action@v5 | |
| id: build-and-push | |
| with: | |
| context: . | |
| target: production | |
| file: Dockerfile | |
| push: true | |
| platforms: linux/amd64,linux/arm64 | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| provenance: mode=max | |
| sbom: true | |
| - name: Sign the image with GitHub OIDC Token | |
| env: | |
| COSIGN_EXPERIMENTAL: 1 | |
| run: | | |
| IMAGE_REF="orenlab/pytmbot:alpine-dev" | |
| cosign sign --yes --tuf-root env://SIGSTORE_ROOT --attachment=sbom "${IMAGE_REF}" | |
| - name: Run Vulnerability Scan | |
| uses: anchore/scan-action@v3 | |
| id: scan | |
| with: | |
| image: orenlab/pytmbot:alpine-dev | |
| fail-build: false | |
| severity-cutoff: high | |
| acs-report-enable: true | |
| - name: Upload Anchore scan SARIF report | |
| uses: github/codeql-action/upload-sarif@v2 | |
| if: always() | |
| with: | |
| sarif_file: results.sarif | |
| - name: Generate vulnerability report | |
| if: always() | |
| run: | | |
| echo "## Security Scan Results" > vulnerability-report.md | |
| echo "Found vulnerabilities at or above HIGH severity level." >> vulnerability-report.md | |
| echo "Please review the full report in GitHub Security tab." >> vulnerability-report.md | |
| echo "Consider updating base images or packages to resolve these issues." >> vulnerability-report.md | |
| - name: Create Issue on High Severity | |
| if: failure() && steps.scan.outcome == 'failure' | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| const fs = require('fs'); | |
| const report = fs.readFileSync('vulnerability-report.md', 'utf8'); | |
| await github.rest.issues.create({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| title: '🚨 High Severity Vulnerabilities Detected', | |
| body: report, | |
| labels: ['security', 'high-priority'] | |
| }); |