Build, Assess Vulnerability, Push, Sign Image

Build, Assess Vulnerability, Push, Sign Image #243

Summary
Jobs
- AMD64
- Multiarch
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/docker-build.yml at acb08a8

	name: Build, Assess Vulnerability, Push, Sign Image

	on:
	push:
	branches:
	- master
	paths-ignore:
	- '**/README.md'
	schedule:
	- cron: '43 19 /7 *'

	env:
	IMAGE_NAME: thermostat_api_server

	jobs:
	AMD64:
	runs-on: ubuntu-latest

	steps:
	- uses: actions/checkout@v4

	- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
	uses: aquasecurity/[email protected]
	with:
	scan-type: 'fs'
	format: 'github'
	output: 'dependency-results.sbom.json'
	image-ref: '.'
	github-pat: ${{ secrets.GITHUB_TOKEN }}

	- name: Attempt Build
	run: docker build . --file Dockerfile -t $IMAGE_NAME

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/[email protected]
	with:
	image-ref: ${{ env.IMAGE_NAME }}
	format: 'sarif'
	output: 'trivy-results.sarif'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

	- name: Log into Registry
	run: echo "${{ secrets.GITHUB_TOKEN }}" \| docker login ghcr.io -u ${{ github.actor }} --password-stdin

	- name: Build and push container image
	id: push-step
	uses: docker/build-push-action@master
	with:
	push: true
	tags: ghcr.io/aneisch/${{ env.IMAGE_NAME }}:latest

	# - name: Install cosign
	# uses: sigstore/cosign-installer@main

	# - name: Write signing key to disk
	# run: 'echo "$KEY" > cosign.key'
	# shell: bash
	# env:
	# KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

	# - name: Sign the container image
	# env:
	# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	# run: cosign sign --yes --key cosign.key ghcr.io/aneisch/${{ env.IMAGE_NAME }}@${{ steps.push-step.outputs.digest }}

	Multiarch:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v1

	- name: Set up Docker Buildx
	uses: docker/setup-buildx-action@v1

	- name: Cache Docker layers
	uses: actions/cache@v2
	with:
	path: /tmp/.buildx-cache
	key: ${{ runner.os }}-buildx-${{ github.sha }}
	restore-keys: \|
	${{ runner.os }}-buildx-

	- name: Log into Registry
	run: echo "${{ secrets.GITHUB_TOKEN }}" \| docker login ghcr.io -u ${{ github.actor }} --password-stdin

	- name: Build and push
	uses: docker/build-push-action@master
	id: push-step
	with:
	context: .
	file: ./Dockerfile
	push: true
	tags: ghcr.io/aneisch/thermostat_api_server:latest-arm64
	platforms: linux/arm64/v8
	cache-from: type=local,src=/tmp/.buildx-cache
	cache-to: type=local,dest=/tmp/.buildx-cache

	# - name: Write signing key to disk
	# run: 'echo "$KEY" > cosign.key'
	# shell: bash
	# env:
	# KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}

	# - name: Install cosign
	# uses: sigstore/cosign-installer@main

	# - name: Sign the container image
	# env:
	# COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
	# run: cosign sign --yes --key cosign.key ghcr.io/aneisch/${{ env.IMAGE_NAME }}@${{ steps.push-step.outputs.digest }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build, Assess Vulnerability, Push, Sign Image #243

Workflow file

Build, Assess Vulnerability, Push, Sign Image #243

Jobs

Run details

Workflow file for this run