Skip to content

ci

ci #1595

Workflow file for this run

name: ci
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
on:
schedule:
- cron: '0 10 * * *'
push:
branches:
- 'master'
- 'releases/v*'
tags:
- 'v*'
pull_request:
paths-ignore:
- '.github/trivy-releases.json'
jobs:
image:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- alpine:3.9
- alpine:latest
- moby/buildkit:master
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Scan for vulnerabilities
id: scan
uses: ./
with:
image: ${{ matrix.image }}
-
name: JSON result
run: cat ${{ steps.scan.outputs.json }}
tarball:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build
uses: docker/build-push-action@v6
with:
context: ./test
outputs: type=docker,dest=/tmp/image.tar
tags: name/app:latest
provenance: false
-
name: Scan for vulnerabilities
id: scan
uses: ./
with:
tarball: /tmp/image.tar
-
name: JSON result
run: cat ${{ steps.scan.outputs.json }}
sarif:
runs-on: ubuntu-latest
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
-
name: Build
uses: docker/build-push-action@v6
with:
context: ./test
outputs: type=docker,dest=/tmp/image.tar
tags: name/app:latest
provenance: false
-
name: Scan for vulnerabilities
id: scan
uses: ./
with:
tarball: /tmp/image.tar
dockerfile: ./test/Dockerfile
-
name: SARIF result
run: cat ${{ steps.scan.outputs.sarif }}
annotations:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- alpine:3.9
- alpine:latest
- moby/buildkit:master
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Scan for vulnerabilities
uses: ./
with:
image: ${{ matrix.image }}
annotations: true
threshold:
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
image:
- alpine:3.9
- alpine:3.10
- alpine:latest
- moby/buildkit:master
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Scan for vulnerabilities
continue-on-error: true
uses: ./
with:
image: ${{ matrix.image }}
severity_threshold: HIGH
build-scan-push:
runs-on: ubuntu-latest
services:
registry:
image: registry:2
ports:
- 5000:5000
env:
REPO_SLUG: localhost:5000/name/app
steps:
-
name: Checkout
uses: actions/checkout@v4
-
name: Docker meta
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REPO_SLUG }}
-
name: Set up QEMU
uses: docker/setup-qemu-action@v3
-
name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
with:
driver-opts: network=host
-
name: Build and load
uses: docker/build-push-action@v6
with:
context: ./test
file: ./test/Dockerfile
load: true
tags: ${{ steps.meta.outputs.tags }}
-
name: Scan for vulnerabilities
uses: ./
with:
image: ${{ env.REPO_SLUG }}:${{ steps.meta.outputs.version }}
dockerfile: ./test/Dockerfile
-
name: Build multi-platform and push
uses: docker/build-push-action@v6
with:
context: ./test
file: ./test/Dockerfile
platforms: linux/amd64,linux/arm64
push: true
tags: ${{ steps.meta.outputs.tags }}