[deps]: Update anchore/scan-action action to v6 #770
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - "main" | |
| pull_request: | |
| jobs: | |
| build-artifacts: | |
| name: Build artifacts | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@6bd8b7f7774af54e05809fcc5431931b3eb1ddee # v4.0.1 | |
| - name: Publish project | |
| working-directory: src/KeyConnector | |
| run: | | |
| echo "Publish" | |
| dotnet publish -c "Release" -o obj/build-output/publish | |
| cd obj/build-output/publish | |
| zip -r KeyConnector.zip . | |
| mv KeyConnector.zip ../../../ | |
| pwd | |
| ls -atlh ../../../ | |
| - name: Upload project artifact | |
| uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3 | |
| with: | |
| name: KeyConnector.zip | |
| path: src/KeyConnector/KeyConnector.zip | |
| if-no-files-found: error | |
| build-docker: | |
| name: Build Docker images | |
| runs-on: ubuntu-22.04 | |
| needs: build-artifacts | |
| permissions: | |
| security-events: write | |
| id-token: write | |
| env: | |
| _AZ_REGISTRY: bitwardenprod.azurecr.io | |
| _PROJECT_NAME: key-connector | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1 | |
| - name: Log in to Azure | |
| uses: Azure/login@e15b166166a8746d1a47596803bd8c1b595455cf # v1.6.0 | |
| with: | |
| creds: ${{ secrets.AZURE_PROD_KV_CREDENTIALS }} | |
| - name: Log in to ACR | |
| run: az acr login -n ${_AZ_REGISTRY%.azurecr.io} | |
| - name: Generate Docker image tag | |
| id: tag | |
| run: | | |
| IMAGE_TAG=$(echo "${GITHUB_REF:11}" | sed "s#/#-#g") # slash safe branch name | |
| if [[ "$IMAGE_TAG" == "main" ]]; then | |
| IMAGE_TAG=dev | |
| fi | |
| echo "image_tag=$IMAGE_TAG" >> $GITHUB_OUTPUT | |
| - name: Generate full image name | |
| id: image-name | |
| env: | |
| IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
| run: echo "name=${_AZ_REGISTRY}/${_PROJECT_NAME}:${IMAGE_TAG}" >> $GITHUB_OUTPUT | |
| - name: Get build artifact | |
| uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
| with: | |
| name: KeyConnector.zip | |
| - name: Set up build artifact | |
| run: | | |
| mkdir -p src/KeyConnector/obj/build-output/publish | |
| unzip KeyConnector.zip -d src/KeyConnector/obj/build-output/publish | |
| - name: Build Docker image | |
| id: build-docker | |
| uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
| with: | |
| context: src/KeyConnector | |
| file: src/KeyConnector/Dockerfile | |
| platforms: linux/amd64 | |
| push: true | |
| tags: ${{ steps.image-name.outputs.name }} | |
| - name: Install Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 | |
| - name: Sign image with Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| env: | |
| DIGEST: ${{ steps.build-docker.outputs.digest }} | |
| TAGS: ${{ steps.image-name.outputs.name }} | |
| run: | | |
| IFS="," read -a tags <<< "${TAGS}" | |
| images="" | |
| for tag in "${tags[@]}"; do | |
| images+="${tag}@${DIGEST} " | |
| done | |
| cosign sign --yes ${images} | |
| - name: Scan Docker image | |
| id: container-scan | |
| uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0 | |
| with: | |
| image: ${{ steps.image-name.outputs.name }} | |
| fail-build: false | |
| output-format: sarif | |
| - name: Upload Grype results to GitHub | |
| uses: github/codeql-action/upload-sarif@f779452ac5af1c261dce0346a8f964149f49322b # v3.26.13 | |
| with: | |
| sarif_file: ${{ steps.container-scan.outputs.sarif }} |