Skip to content

Add payload validation for repository clone url #4255

Add payload validation for repository clone url

Add payload validation for repository clone url #4255

Workflow file for this run

name: Create and publish a Docker image to ghcr on main and nightly
on:
push:
branches:
- main
- nightly
paths:
- "**.go"
env:
REGISTRY: ghcr.io
CONTROLLER_IMAGE_NAME: ${{ github.repository }}-controller
WATCHER_IMAGE_NAME: ${{ github.repository }}-watcher
WEBHOOK_IMAGE_NAME: ${{ github.repository }}-webhook
TKN_PAC_IMAGE_NAME: ${{ github.repository }}-tkn-pac
jobs:
build-and-push-image:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
steps:
- name: Checkout repository
uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
id: buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker (Controller)
id: meta
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ env.CONTROLLER_IMAGE_NAME }}
- name: Build and push controller docker image
uses: docker/build-push-action@v6.9.0
with:
context: .
build-args: |
BINARY_NAME=pipelines-as-code-controller
push: true
cache-from: type=gha,scope=controller
cache-to: type=gha,mode=max,scope=controller
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64,linux/arm64
- name: Extract metadata (tags, labels) for Docker (Watcher)
id: meta-watcher
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ env.WATCHER_IMAGE_NAME }}
- name: Build and push watcher docker image
uses: docker/build-push-action@v6.9.0
with:
context: .
build-args: |
BINARY_NAME=pipelines-as-code-watcher
push: true
cache-from: type=gha,scope=watcher
cache-to: type=gha,mode=max,scope=watcher
tags: ${{ steps.meta-watcher.outputs.tags }}
labels: ${{ steps.meta-watcher.outputs.labels }}
platforms: linux/amd64,linux/arm64
- name: Extract metadata (tags, labels) for Docker (Webhook)
id: meta-webhook
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ env.WEBHOOK_IMAGE_NAME }}
- name: Build and push webhook docker image
uses: docker/build-push-action@v6.9.0
with:
context: .
build-args: |
BINARY_NAME=pipelines-as-code-webhook
push: true
cache-from: type=gha,scope=webhook
cache-to: type=gha,mode=max,scope=webhook
tags: ${{ steps.meta-webhook.outputs.tags }}
labels: ${{ steps.meta-webhook.outputs.labels }}
platforms: linux/amd64,linux/arm64
- name: Extract metadata (tags, labels) for tkn-pac
id: meta-cli
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81
with:
images: ${{ env.REGISTRY }}/${{ env.TKN_PAC_IMAGE_NAME }}
- name: Build and push cli docker image
uses: docker/build-push-action@v6.9.0
with:
context: .
build-args: |
BINARY_NAME=tkn-pac
push: true
cache-from: type=gha,scope=cli
cache-to: type=gha,mode=max,scope=cli
tags: ${{ steps.meta-cli.outputs.tags }}
labels: ${{ steps.meta-cli.outputs.labels }}
platforms: linux/amd64,linux/arm64