Skip to content
Docker

Update main.yml #39

Sign in to view logs

Update main.yml

Update main.yml #39

Workflow file for this run

.github/workflows/main.yml at 92e13a5
name: Docker
# This workflow uses actions that are not certified by GitHub.
# They are provided by a third-party and are governed by
# separate terms of service, privacy policy, and support
# documentation.
on:
# schedule:
# - cron: '27 0 * * *'
push:
branches: [ "docker-pipeline" ]
# # Publish semver tags as releases.
# tags: [ 'v*.*.*' ]
pull_request:
branches: [ "docker-pipeline" ]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
env:
# Use docker.io for Docker Hub if empty
REGISTRY: ghcr.io
# github.repository as <account>/<repo>
IMAGE_NAME: ${{ github.repository }}
TG: docker-pipeline
jobs:
build:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
security-events: write
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
# This is used to complete the identity challenge
# with sigstore/fulcio when running outside of PRs.
id-token: write
steps:
- name: Checkout repository
uses: actions/checkout@v4
with:
submodules: 'true'
token: ${{ secrets.PAT_TOKEN }}
- name: validating gradlle
uses: gradle/actions/wrapper-validation@v3
# - name: 'Dependency Review'
# uses: actions/dependency-review-action@v4
# # Commonly enabled options, see https://github.com/actions/dependency-review-action#configuration-options for all available options.
# with:
# comment-summary-in-pr: always
# fail-on-severity: moderate
# deny-licenses: GPL-1.0-or-later, LGPL-2.0-or-later
# retry-on-snapshot-warnings: true
- name: 'Dependency Review'
if: github.event_name == 'workflow_dispatch'
uses: actions/dependency-review-action@v4
with:
base-ref: 'docker-pipeline'
# - uses: github/codeql-action/init@v3
# with:
# languages: java
# - name: Autobuild
# uses: github/codeql-action/autobuild@v3
# - name: Perform CodeQL Analysis
# uses: github/codeql-action/analyze@v3
# - name: Run Trivy scanner
# uses: aquasecurity/trivy-action@master
# with:
# scan-type: 'fs'
# github-pat: ${{ secrets.GITHUB_TOKEN }}
# ignore-unfixed: true
# format: 'sarif'
# output: 'trivy-results.sarif'
# severity: 'CRITICAL'
# # hide-progress: true
# # output: trivy.txt
# - name: Publish Trivy Output to Summary
# run: |
# if [[ -s trivy.txt ]]; then
# {
# echo "### Security Output"
# echo "<details><summary>Click to expand</summary>"
# echo ""
# echo '```terraform'
# cat trivy.txt
# echo '```'
# echo "</details>"
# } >> $GITHUB_STEP_SUMMARY
# fi
##########################################################################
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
##############################################
- name: Run Codacy Analysis CLI
uses: codacy/codacy-analysis-cli-action@master
- name: Set up JDK 17
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'temurin'
- name: Generate and submit dependency graph
uses: gradle/actions/dependency-submission@v3
# Configure Gradle for optimal use in GiHub Actions, including caching of downloaded dependencies.
# See: https://github.com/gradle/actions/blob/main/setup-gradle/README.md
- name: Setup Gradle
uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
- name: Build with Gradle Wrapper
run: |
chmod +x ./gradlew
./gradlew build
# NOTE: The Gradle Wrapper is the default and recommended way to run Gradle (https://docs.gradle.org/current/userguide/gradle_wrapper.html).
# If your project does not have the Gradle Wrapper configured, you can use the following configuration to run Gradle with a specified version.
#
# - name: Setup Gradle
# uses: gradle/actions/setup-gradle@417ae3ccd767c252f5661f1ace9f835f9654f2b5 # v3.1.0
# with:
# gradle-version: '8.5'
#
# - name: Build with Gradle 8.5
# run: gradle build
- uses: actions/upload-artifact@master
with:
name: jar-file
path: build/libs
- uses: actions/download-artifact@master
with:
name: jar-file
# Install the cosign tool except on PR
# https://github.com/sigstore/cosign-installer
- name: Install cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@6e04d228eb30da1757ee4e1dd75a0ec73a653e06 #v3.1.1
with:
cosign-release: 'v2.1.1'
# Set up BuildKit Docker container builder to be able to build
# multi-platform images and export cache
# https://github.com/docker/setup-buildx-action
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
# Login against a Docker registry except on PR
# https://github.com/docker/login-action
- name: Log into registry ${{ env.REGISTRY }}
if: github.event_name != 'pull_request'
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
# Extract metadata (tags, labels) for Docker
# https://github.com/docker/metadata-action
- name: Extract Docker metadata
id: meta
uses: docker/metadata-action@96383f45573cb7f253c731d3b3ab81c87ef81934 # v5.0.0
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
# Build and push Docker image with Buildx (don't push on PR)
# https://github.com/docker/build-push-action
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
context: .
push: ${{ github.event_name != 'pull_request' }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@7b7aa264d83dc58691451798b4d117d53d21edfe
with:
image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}'
format: 'template'
template: '@/contrib/sarif.tpl'
output: 'trivy-results.sarif'
severity: 'CRITICAL,HIGH'
github-pat: ${{ secrets.PAT_TOKEN }}
docker-host: ///var/run/docker.sock
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# - name: Scan image in a private registry
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{env.TG}}"
# scan-type: 'image'
# format: 'sarif'
# output: 'trivy-results-image.sarif'
# github-pat: ${{ secrets.GITHUB_TOKEN }} # or ${{ secrets.github_pat_name }} if you're using a PAT
# severity: "MEDIUM,HIGH,CRITICAL"
# scanners: "vuln"
# # Sign the resulting Docker image digest except on PRs.
# # This will only write to the public Rekor transparency log when the Docker
# # repository is public to avoid leaking data. If you would like to publish
# # transparency data even for private images, pass --force to cosign below.
# # https://github.com/sigstore/cosign
# - name: Sign the published Docker image
# if: ${{ github.event_name != 'pull_request' }}
# env:
# # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
# TAGS: ${{ steps.meta.outputs.tags }}
# DIGEST: ${{ steps.build-and-push.outputs.digest }}
# # This step uses the identity token to provision an ephemeral certificate
# # against the sigstore community Fulcio instance.
# run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}