Update Trivy action #3931
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Docker Images | |
| permissions: | |
| contents: read | |
| security-events: write | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release/* | |
| - cloud/* | |
| pull_request: | |
| branches: | |
| - main | |
| workflow_dispatch: | |
| inputs: | |
| commit: | |
| description: "Commit sha" | |
| required: true | |
| jobs: | |
| build-push-images: | |
| runs-on: ubuntu-latest-16-cores | |
| # Usually, a successful job takes ~17 mins. | |
| # Anything more than 30 mins is a sign that job is stuck. | |
| # This is a workaround until we find the root cause. | |
| timeout-minutes: 30 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| submodules: "true" | |
| ref: ${{ github.event_name == 'workflow_dispatch' && github.event.inputs.commit || '' }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to DockerHub | |
| if: ${{ !env.ACT }} | |
| uses: docker/login-action@v1 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PAT }} | |
| - name: Set SHA when dispatched | |
| run: | | |
| SHA=$([ "$GITHUB_EVENT_NAME" = "workflow_dispatch" ] && echo "${{ github.event.inputs.commit }}" || echo "${GITHUB_SHA}") | |
| echo "SHA=${SHA}" >> $GITHUB_ENV | |
| - name: Prepare build args | |
| id: build_args | |
| run: | | |
| github_sha_short=${SHA:0:7} | |
| echo "IMAGE_TAG=sha-${github_sha_short}" >> $GITHUB_ENV | |
| TEMPORAL_SHA=$(git submodule status -- temporal | awk '{print $1}') | |
| echo "TEMPORAL_SHA=${TEMPORAL_SHA}" >> $GITHUB_ENV | |
| TCTL_SHA=$(git submodule status -- tctl | awk '{print $1}') | |
| echo "TCTL_SHA=${TCTL_SHA}" >> $GITHUB_ENV | |
| TAG_LATEST=${{(github.event_name == 'push' && github.ref == 'refs/heads/main') && 'true' || 'false'}} | |
| echo "TAG_LATEST=${TAG_LATEST}" >> $GITHUB_ENV | |
| echo "branch=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" >> $GITHUB_OUTPUT | |
| cat $GITHUB_OUTPUT | |
| - uses: actions/setup-go@v5 | |
| with: | |
| cache-dependency-path: "**/*.sum" | |
| go-version-file: 'temporal/go.mod' | |
| # You can't use `load` when building a multiarch image, so we build and load the | |
| # native image and build multiarch images later | |
| - name: Bake native images for security scanning | |
| run: BAKE_OUTPUT=docker make build-native | |
| - name: Bake and push multiarch images | |
| if: ${{ github.event_name == 'push' && !env.ACT }} | |
| run: BAKE_OUTPUT=registry make build | |
| # TODO: can we loop this somehow? | |
| - name: Run Trivy vulnerability scanner on Server image | |
| uses: ./.github/actions/trivy | |
| with: | |
| image-tags: temporaliotest/server:${{ env.IMAGE_TAG }} | |
| image-name: server | |
| - name: Run Trivy vulnerability scanner on Admin Tools image | |
| if: ${{ github.event_name == 'push' && !env.ACT }} | |
| uses: ./.github/actions/trivy | |
| with: | |
| image-tags: temporaliotest/admin-tools:${{ env.IMAGE_TAG }} | |
| image-name: admin-tools | |
| - name: Run Trivy vulnerability scanner on Auto Setup image | |
| if: ${{ github.event_name == 'push' && !env.ACT }} | |
| uses: ./.github/actions/trivy | |
| with: | |
| image-tags: temporaliotest/auto-setup:${{ env.IMAGE_TAG }} | |
| image-name: auto-setup | |
| - name: Ensure images work | |
| run: make IMAGE_TAG=${{env.IMAGE_TAG}} test | |
| - name: Upload compose logs | |
| if: always() | |
| continue-on-error: true | |
| uses: actions/upload-artifact@v3 | |
| with: | |
| name: docker-compose-logs | |
| path: docker-compose.log |