-
Notifications
You must be signed in to change notification settings - Fork 0
70 lines (60 loc) · 2.24 KB
/
build.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
name: Build and scan 🕷️📦
on:
push:
tags:
- 'v*.*.*'
permissions:
actions: read
contents: read
security-events: write
env:
BUILDAH_FORMAT: "docker"
REGISTRY: docker.io
REPOSITORY: docker.io/containerscrew/infratools
jobs:
build:
name: Build image
runs-on: ubuntu-latest
steps:
- name: Git checkout
uses: actions/checkout@v4
# For multiarch
- name: Install qemu dependency
run: |
sudo apt-get update
sudo apt-get install -y qemu-user-static buildah
# Step to set Docker tag based on the generated GitHub tag
- name: Set container tag
id: set_tag
run: |
# Extract the tag name from the full reference
IMAGE_TAG=$(echo "${{ github.ref }}" | sed 's|.*/||')
echo "IMAGE_TAG=$IMAGE_TAG" >> "$GITHUB_ENV"
- name: Buildah login docker.io
run: |
buildah login -u ${{ secrets.DOCKERHUB_AUTH_USERNAME }} -p ${{ secrets.DOCKERHUB_AUTH_TOKEN }} docker.io
# You can also use official github action from redhat: redhat-actions/buildah-build@v2
- name: Buildah multiarch
run: |
buildah manifest create multiarch
# TO DO: speed up the build with jobs=2 --arch amd64,arm64
buildah bud --jobs=0 --layers --arch amd64 --manifest multiarch --format=docker -f Containerfile .
buildah bud --jobs=0 --layers --arch arm64 --manifest multiarch --format=docker -f Containerfile .
buildah manifest push --all localhost/multiarch docker://$REPOSITORY:$IMAGE_TAG
buildah manifest rm localhost/multiarch
buildah logout $REGISTRY
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: '${{env.REPOSITORY}}:${{env.IMAGE_TAG}}'
format: 'sarif'
output: 'trivy-results.sarif'
vuln-type: 'os,library'
ignore-unfixed: false
env:
TRIVY_USERNAME: ${{ secrets.DOCKERHUB_AUTH_USERNAME }}
TRIVY_PASSWORD: ${{ secrets.DOCKERHUB_AUTH_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'