forked from advanced-security/reusable-workflows
-
Notifications
You must be signed in to change notification settings - Fork 0
128 lines (109 loc) · 3.76 KB
/
container.yml
File metadata and controls
128 lines (109 loc) · 3.76 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
name: Container Build and Release
on:
workflow_call:
inputs:
version:
description: "Semantic version of the image"
type: string
container-file:
description: "Path to the Dockerfile"
type: string
default: "Dockerfile"
container-context:
description: "Build's context is the set of files located in the specified PATH or URL"
type: string
default: "."
container-name:
description: "Name of the container"
type: string
default: "${{ github.repository }}"
publish:
description: "Publish the image to the registry"
type: string
default: "true"
sbom:
description: "Generate and upload SBOM"
type: string
default: "true"
scanning:
description: "Scan the image"
type: string
default: "true"
scanning-block:
description: "Block the build if vulnerabilities are found"
type: string
default: "false"
tags:
description: "Comma-separated list of tags"
type: string
default: "latest"
env:
REGISTRY: ghcr.io
jobs:
set-version:
runs-on: ubuntu-latest
outputs:
release: ${{ steps.set-version.outputs.release }}
version: ${{ steps.set-version.outputs.version }}
permissions:
id-token: write
contents: read
steps:
- name: "Checkout"
uses: actions/checkout@v6
- name: "Get and Set version"
id: set-version
env:
GH_TOKEN: ${{ github.token }}
run: |
set -e
if [[ -f .release.yml ]]; then
pip install yq
current_version=$(yq -r ".version" .release.yml)
echo "Current Version :: $current_version"
echo "version=$current_version" >> $GITHUB_OUTPUT
else
echo "Failed to find version..."
exit 1
fi
released_version=$(gh api -H "Accept: application/vnd.github+json" -H "X-GitHub-Api-Version: 2022-11-28" /repos/:owner/:repo/releases/latest | jq -r ".tag_name")
if [[ "$current_version" == "NA" || "$current_version" == "$released_version" ]]; then
echo "No new release found"
echo "release=false" >> "$GITHUB_OUTPUT"
else
echo "New release found"
echo "version=$current_version" >> "$GITHUB_OUTPUT"
echo "release=true" >> "$GITHUB_OUTPUT"
fi
# Scan the container
scan-image:
uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/container-security.yml@main
needs: set-version
secrets: inherit
permissions:
id-token: write
contents: read
packages: read # Read Container Registry
security-events: write # Code Scanning
with:
version: ${{ needs.set-version.outputs.version }}
container-file: ${{ inputs.container-file }}
container-context: ${{ inputs.container-context }}
container-name: ${{ inputs.container-name }}
scanning-block: ${{ inputs.scanning-block }}
publish-image:
uses: githubabcs-devops/devsecops-reusable-workflows/.github/workflows/container-publish.yml@main
needs: [ scan-image, set-version ]
if: ${{ needs.set-version.outputs.release == 'true' }}
secrets: inherit
permissions:
id-token: write
contents: write # Upload SBOM to GitHub
packages: write # Push to Container Registry
attestations: write # Upload attestations
with:
version: ${{ needs.set-version.outputs.version }}
container-file: ${{ inputs.container-file }}
container-context: ${{ inputs.container-context }}
container-name: ${{ inputs.container-name }}
sbom: ${{ inputs.sbom }}