From 9de7e8f066cf05ce806733466b5defce481eed90 Mon Sep 17 00:00:00 2001 From: Steve Hipwell Date: Wed, 7 Dec 2022 11:22:08 +0000 Subject: [PATCH] chore: Updated GH Actions (#33) Signed-off-by: Steve Hipwell Signed-off-by: Steve Hipwell --- .github/workflows/commit.yaml | 49 +++++++++++----------- .github/workflows/pull-request.yaml | 34 ++++++++-------- .github/workflows/release.yaml | 63 ++++++++++++++++------------- 3 files changed, 75 insertions(+), 71 deletions(-) diff --git a/.github/workflows/commit.yaml b/.github/workflows/commit.yaml index e26b846..988af5b 100644 --- a/.github/workflows/commit.yaml +++ b/.github/workflows/commit.yaml @@ -20,14 +20,14 @@ jobs: shell: bash steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - name: Run Hadolint id: hadolint - uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 + uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0 continue-on-error: true with: dockerfile: ./${{ matrix.os }}.dockerfile @@ -36,14 +36,14 @@ jobs: no-fail: false - name: Upload Hadolint SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: hadolint + category: hadolint-${{ matrix.os }} sarif_file: hadolint.sarif - name: Generate OCI image metadata id: metadata - uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea + uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1 with: flavor: | latest=false 
@@ -58,14 +58,14 @@ jobs: org.opencontainers.image.authors=Fluentd developers - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 - name: Build OCI image id: build - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: ./${{ matrix.os }}.dockerfile context: . 
@@ -77,29 +77,29 @@ jobs: load: true push: false - - name: Generate OCI image SBOM - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d + - name: Generate OCI image Syft SBOM + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1 with: - image: "ghcr.io/${{ github.repository }}:${{ matrix.os }}-main" + image: "ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}" dependency-snapshot: true format: spdx-json - artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json - output-file: ${{ github.event.repository.name }}-sbom.spdx.json + artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom + output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json - - name: Scan OCI image SBOM with Grype + - name: Scan OCI image Syft SBOM with Grype id: scan - uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 + uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2 continue-on-error: true with: - sbom: ${{ github.event.repository.name }}-sbom.spdx.json + sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json severity-cutoff: medium output-format: sarif fail-build: true - name: Upload Grype SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: grype + category: grype-${{ matrix.os }} sarif_file: ${{ steps.scan.outputs.sarif }} - name: Fail workflow 
@@ -110,21 +110,21 @@ jobs: exit 1 - name: Login to GitHub Container Registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to DockerHub - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & push OCI image id: build_push - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: ./${{ matrix.os }}.dockerfile context: . @@ -139,7 +139,4 @@ jobs: - name: Sign OCI image env: COSIGN_EXPERIMENTAL: true - run: | - set -euo pipefail - cosign sign --yes --recursive ghcr.io/${{ github.repository }}:main@${{ steps.build_push.outputs.digest }} - cosign sign --yes --recursive docker.io/${{ secrets.DOCKERHUB_REPO }}:main@${{ steps.build_push.outputs.digest }} + run: echo "${{ steps.metadata.outputs.tags }}" | xargs -I {} cosign sign --yes --recursive {}@${{ steps.build_push.outputs.digest }} diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml index 747ff88..f28556a 100644 --- a/.github/workflows/pull-request.yaml +++ b/.github/workflows/pull-request.yaml @@ -19,10 +19,10 @@ jobs: shell: bash steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Run Hadolint - uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 + uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0 with: dockerfile: ./${{ matrix.os }}.dockerfile format: sarif 
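Review bot: The rewritten `Sign OCI image` step splices `steps.metadata.outputs.tags` and `steps.build_push.outputs.digest` into the shell line with `${{ }}` expressions, so the runner expands a multi-valued, action-produced output into the command text before bash parses it — the shape GitHub's script-injection guidance says to avoid, and the new one-liner does it for a list rather than two fixed references. Both values come from `docker/metadata-action` and `docker/build-push-action` (tags are normalized to registry-legal characters, so practical exposure looks small), but the hygienic form is to route them through the step's existing `env:` block and expand them as shell variables: `TAGS: ${{ steps.metadata.outputs.tags }}`, `DIGEST: ${{ steps.build_push.outputs.digest }}`, and `run: printf '%s\n' "$TAGS" | xargs -I {} cosign sign --yes --recursive "{}@$DIGEST"`. The step also now signs whatever the metadata step emitted instead of the explicit `ghcr.io` and `docker.io/${{ secrets.DOCKERHUB_REPO }}` references it replaced; that step's `images:` list is outside this hunk, so confirm it names both registries or the DockerHub copy silently stops being signed. Dropping `set -euo pipefail` is covered for `-e`/pipefail only because the job's `defaults.run.shell: bash` (seen at the top of the first hunk) makes the runner invoke `bash -eo pipefail`, and `xargs` still exits 123 if any single `cosign sign` fails, so the step does not pass on a partial signing.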
@@ -30,14 +30,14 @@ jobs: no-fail: true - name: Upload Hadolint SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: hadolint + category: hadolint-${{ matrix.os }} sarif_file: hadolint.sarif - name: Generate OCI image metadata id: metadata - uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea + uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1 with: flavor: | latest=false @@ -50,11 +50,11 @@ jobs: org.opencontainers.image.authors=Fluentd developers - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 - name: Build OCI image id: build - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: ./${{ matrix.os }}.dockerfile context: . 
@@ -66,26 +66,26 @@ jobs: load: true push: false - - name: Generate OCI image SBOM - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d + - name: Generate OCI image Syft SBOM + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1 with: - image: "${{ github.repository }}:${{ matrix.os }}-local" + image: "${{ github.repository }}:${{ steps.metadata.outputs.version }}" dependency-snapshot: true format: spdx-json - artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json - output-file: ${{ github.event.repository.name }}-sbom.spdx.json + artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom + output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json - - name: Scan OCI image SBOM with Grype + - name: Scan OCI image Syft SBOM with Grype id: scan - uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 + uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2 with: - sbom: ${{ github.event.repository.name }}-sbom.spdx.json + sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json severity-cutoff: medium output-format: sarif fail-build: false - name: Upload Grype SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: grype + category: grype-${{ matrix.os }} sarif_file: ${{ steps.scan.outputs.sarif }} diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index d3b8d94..2575ab9 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml 
@@ -19,13 +19,13 @@ jobs: shell: bash steps: - name: Checkout - uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Install Cosign - uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b + uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1 - name: Run Hadolint - uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 + uses: hadolint/hadolint-action@4b5806eb9c6bee4954fc0e0cc3ad6175fc9782c1 # v3.0.0 continue-on-error: true with: dockerfile: ./${{ matrix.os }}.dockerfile @@ -34,14 +34,14 @@ jobs: no-fail: false - name: Upload Hadolint SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: hadolint + category: hadolint-${{ matrix.os }} sarif_file: hadolint.sarif - name: Generate OCI image metadata id: metadata - uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea + uses: docker/metadata-action@57396166ad8aefe6098280995947635806a0e6ea # v4.1.1 with: flavor: | latest=false @@ -62,14 +62,14 @@ jobs: org.opencontainers.image.authors=Fluentd developers - name: Set up QEMU - uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 + uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 + uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1 - name: Build OCI image id: build - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: ./${{ matrix.os }}.dockerfile context: . 
@@ -81,29 +81,29 @@ jobs: load: true push: false - - name: Generate OCI image SBOM - uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d + - name: Generate OCI image Syft SBOM + uses: anchore/sbom-action@06e109483e6aa305a2b2395eabae554e51530e1d # v0.13.1 with: image: "ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}" dependency-snapshot: true format: spdx-json - artifact-name: ${{ github.event.repository.name }}-sbom.spdx.json - output-file: ${{ github.event.repository.name }}-sbom.spdx.json + artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom + output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json - - name: Scan OCI image SBOM with Grype + - name: Scan OCI image Syft SBOM with Grype id: scan - uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 + uses: anchore/scan-action@9a22e4caae42db0d4c687ab5431e1c3699d0def1 # v3.3.2 continue-on-error: true with: - sbom: ${{ github.event.repository.name }}-sbom.spdx.json + sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json severity-cutoff: medium output-format: sarif fail-build: true - name: Upload Grype SARIF report - uses: github/codeql-action/upload-sarif@4238421316c33d73aeea2801274dd286f157c2bb + uses: github/codeql-action/upload-sarif@b2a92eb56d8cb930006a1c6ed86b0782dd8a4297 # v2.1.35 with: - category: grype + category: grype-${{ matrix.os }} sarif_file: ${{ steps.scan.outputs.sarif }} - name: Fail workflow 
@@ -114,21 +114,21 @@ jobs: exit 1 - name: Login to GitHub Container Registry - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Login to DockerHub - uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a + uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} - name: Build & push OCI image id: build_push - uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 + uses: docker/build-push-action@c56af957549030174b10d6867f20e78cfd7debc5 # v3.2.0 with: file: ./${{ matrix.os }}.dockerfile context: . @@ -143,13 +143,20 @@ jobs: - name: Sign OCI image env: COSIGN_EXPERIMENTAL: true - run: | - set -euo pipefail - cosign sign --yes --recursive ghcr.io/${{ github.repository }}:${{ steps.metadata.outputs.version }}@${{ steps.build_push.outputs.digest }} - cosign sign --yes --recursive docker.io/${{ secrets.DOCKERHUB_REPO }}:${{ steps.metadata.outputs.version }}@${{ steps.build_push.outputs.digest }} + run: echo "${{ steps.metadata.outputs.tags }}" | xargs -I {} cosign sign --yes --recursive {}@${{ steps.build_push.outputs.digest }} + + publish: + name: Publish Release + runs-on: ubuntu-latest + defaults: + run: + shell: bash + steps: + - name: Checkout + uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8 # v3.1.0 - name: Update Docker repository description - uses: peter-evans/dockerhub-description@93b93397c27ed52b4055b8c6b2f8d92456ab3c56 + uses: peter-evans/dockerhub-description@93b93397c27ed52b4055b8c6b2f8d92456ab3c56 # v3.1.2 with: username: ${{ secrets.DOCKERHUB_USERNAME }} password: ${{ secrets.DOCKERHUB_TOKEN }} 
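Review bot: The new `publish` job declares no `needs:`, so it starts in parallel with the build job and will create the GitHub release and rewrite the DockerHub description even when the image build, the Grype gate or the `cosign sign` step fails; add `needs: <id of the build job>` (that job's id is outside this hunk) so a release is only published once signed images exist. The job also carries no `permissions:` of its own — if neither a top-level `permissions:` block (not visible here) nor the repository default grants `contents: write`, `ncipollo/release-action` cannot create the release with `GITHUB_TOKEN`, and declaring `permissions: contents: write` on this job is the least-privilege way to make that explicit. The `Sign OCI image` one-liner has the same `${{ }}`-inside-`run` pattern as commit.yaml; passing `tags` and `digest` via `env:` and expanding `"$TAGS"`/`"$DIGEST"` in the shell keeps action outputs out of the command text.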
@@ -157,13 +164,13 @@ jobs: - name: Get changelog entry id: changelog_reader - uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef + uses: mindsers/changelog-reader-action@b97ce03a10d9bdbb07beb491c76a5a01d78cd3ef # v2.2.2 with: path: ./CHANGELOG.md version: ${{ github.ref_name }} - name: Create release - uses: ncipollo/release-action@4c75f0f2e4ae5f3c807cf0904605408e319dcaac + uses: ncipollo/release-action@18eadf9c9b0f226f47f164f5373c6a44f0aae169 # v1.11.2 with: token: ${{ secrets.GITHUB_TOKEN }} allowUpdates: true