.github/workflows/container-scan.yaml

name: Container Scans

permissions:
  actions: read
  contents: write # for sbom-action artifact uploads

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  container-scans:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Use Node.js latest
        uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
        with:
          node-version: 20
          cache: "npm"
      - name: Install Pepr Dependencies
        run: npm ci
      - name: Build Pepr Controller Image
        run: npm run build:image
      - name: Vulnerability Scan
        uses: anchore/scan-action@5ed195cc06065322983cae4bb31e2a751feb86fd # v5.2.0
        with:
          image: "pepr:dev"
          fail-build: true
          severity-cutoff: high
      - name: Generate SBOM
        uses: anchore/sbom-action@251a468eed47e5082b105c3ba6ee500c0e65a764 # v0.17.6
        with:
          image: pepr:dev
          upload-artifact: true
          upload-artifact-retention: 30