ci(patch): test #16
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Patch Images | |
| on: | |
| schedule: | |
| - cron: '0 6 */15 * *' # Every 15 days at 2 a.m. | |
| push: | |
| branches: | |
| - ci/patch-images | |
| jobs: | |
| setup: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| mymatrix: ${{ steps.dataStep.outputs.myoutput }} | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@v4 | |
| # Retrieve image list via python (you can choose to include the last 3 tags by passing the '--include-last-3-tags' argument to the script) | |
| - name: Export Image List With Python | |
| id: dataStep | |
| run: | | |
| cd utilities | |
| TARGETS=$(python3 image_list_json.py --retrieve-last-3-tags) | |
| echo $TARGETS | |
| echo "myoutput=$(jq -cn --argjson environments "$TARGETS" '{target: $environments}')" >> $GITHUB_OUTPUT | |
| patch: | |
| needs: setup | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: ${{fromJson(needs.setup.outputs.mymatrix)}} | |
| steps: | |
| - name: Print image name | |
| run: echo ${{matrix.target}} | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@v3.5.0 | |
| with: | |
| cosign-release: 'v2.2.4' | |
| - name: Log into harbor | |
| id: login | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d | |
| with: | |
| registry: registry.sighup.io | |
| username: ${{ secrets.SIGHUP_REGISTRY_USERNAME }} | |
| password: ${{ secrets.SIGHUP_REGISTRY_PASSWORD }} | |
| - name: Generate Trivy Report | |
| id: trivy | |
| continue-on-error: true | |
| uses: aquasecurity/trivy-action@69cbbc0cbbf6a2b0bab8dcf0e9f2d7ead08e87e4 | |
| with: | |
| scan-type: 'image' | |
| format: 'json' | |
| output: 'report.json' | |
| ignore-unfixed: true | |
| vuln-type: 'os' | |
| severity: 'HIGH,CRITICAL' | |
| image-ref: ${{ matrix.target }} | |
| - name: Check Vuln Count | |
| id: vuln_count | |
| continue-on-error: true | |
| run: | | |
| report_file="report.json" | |
| vuln_count=$(jq '.Results | length' "$report_file") | |
| echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT | |
| echo $vuln_count | |
| - name: Set Image Tag | |
| id: set_tag | |
| run: | | |
| TAG=$(echo "${{ matrix.target }}" | grep -o '[^:]*$') | |
| IMMUNIZED_TAG="${TAG}" | |
| PATCHED_TAG_SBOM=$(echo "${{ matrix.target }}" | tr '/:' '-') | |
| IMAGE_NAME=$(echo "${{ matrix.target }}" | sed -E 's|.*/([^:/]+/[^:/]+).*|\1|') | |
| echo "PATCHED_TAG=${IMMUNIZED_TAG}" >> $GITHUB_ENV | |
| echo "PATCHED_TAG_SBOM=${PATCHED_TAG_SBOM}" >> $GITHUB_ENV | |
| echo "IMAGE_NAME=${IMAGE_NAME}" >> $GITHUB_ENV | |
| - name: Copa Action | |
| # if: steps.vuln_count.outputs.vuln_count != '0' | |
| id: copa | |
| uses: project-copacetic/copa-action@v1.2.1 | |
| with: | |
| image: ${{ matrix.target }} | |
| image-report: 'report.json' | |
| patched-tag: ${{ env.PATCHED_TAG }} | |
| - name: Move image to new location if copa/trivy failed | |
| if: failure() && steps.copa.conclusion == 'failure' | |
| id: move | |
| run: | | |
| docker pull registry.sighup.io/fury/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} | |
| docker tag registry.sighup.io/fury/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} | |
| docker push registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} | |
| - name: Tag Image for Harbor | |
| if: steps.copa.conclusion == 'success' | |
| run: | | |
| docker tag ${{ steps.copa.outputs.patched-image }} registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} | |
| - name: Docker Push Patched Image | |
| id: push | |
| if: steps.copa.conclusion == 'success' | |
| run: | | |
| docker push registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }} | |
| - name: Produce Image SBOM | |
| id: sbom | |
| if: steps.push.conclusion == 'success' || steps.move.conclusion == 'success' | |
| uses: anchore/sbom-action@v0 | |
| with: | |
| image: "registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }}" | |
| artifact-name: ${{ env.PATCHED_TAG_SBOM }}.spdx.json | |
| - name: Sign Image with Cosign | |
| if: steps.push.conclusion == 'success' || steps.move.conclusion == 'success' | |
| run: | | |
| cosign sign --yes --key env://COSIGN_PRIVATE_KEY "registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }}" | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} | |
| - name: Attest the Image with SBOM | |
| if: steps.sbom.conclusion == 'success' | |
| run: | | |
| echo "${{ env.PATCHED_TAG_SBOM }}" | |
| SBOM_FILE=$(find /tmp/sbom-action-* -name "*${{ env.PATCHED_TAG_SBOM }}*.spdx.json" -type f) | |
| echo "${SBOM_FILE}" | |
| if [ -z "$SBOM_FILE" ]; then | |
| echo "Error: .spdx file not found" | |
| exit 1 | |
| fi | |
| cosign attest --yes --key env://COSIGN_PRIVATE_KEY --type spdx --predicate "${SBOM_FILE}" "registry.sighup.io/fury/secured/${{ env.IMAGE_NAME }}:${{ env.PATCHED_TAG }}" | |
| env: | |
| COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }} | |
| COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }} |