Skip to content

Image Scan

Image Scan #460

Workflow file for this run

name: Image Scan
on:
schedule:
# everyday at midnight.
- cron: '0 0 * * *'
workflow_dispatch: {}
push:
# TODO: add this once we have all images in the metadata.yaml
# paths:
# - '**/metadata.yaml'
branches:
- main
permissions:
security-events: write
jobs:
build-deps:
outputs:
local-artifact-mirror-image: ${{ steps.local-artifact-mirror.outputs.image }}
operator-image: ${{ steps.operator.outputs.image }}
operator-chart: ${{ steps.operator.outputs.chart }}
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0 # fetch all history so that we can get the previous tag
- name: Install dagger
run: |
curl -fsSL https://dl.dagger.io/dagger/install.sh | sh
sudo mv ./bin/dagger /usr/local/bin/dagger
- name: Build and push local-artifact-mirror image
id: local-artifact-mirror
run: |
make -C local-artifact-mirror build-ttl.sh
echo "image=$(cat local-artifact-mirror/build/image)" >> $GITHUB_OUTPUT
- name: Build and push operator image
id: operator
run: |
make -C operator build-ttl.sh build-chart-ttl.sh
echo "image=$(cat operator/build/image)" >> $GITHUB_OUTPUT
echo "chart=$(cat operator/build/chart)" >> $GITHUB_OUTPUT
buildtools:
name: Build buildtools
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache-dependency-path: "**/*.sum"
- name: Compile buildtools
run: |
make buildtools
- name: Upload buildtools artifact
uses: actions/upload-artifact@v4
with:
name: buildtools
path: output/bin/buildtools
output-matrix:
runs-on: ubuntu-latest
needs:
- build-deps
- buildtools
outputs:
matrix: ${{ steps.build-matrix.outputs.matrix }}
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Setup go
uses: actions/setup-go@v5
with:
go-version-file: go.mod
cache-dependency-path: "**/*.sum"
- name: Download buildtools artifact
uses: actions/download-artifact@v4
with:
name: buildtools
path: output/bin
- name: Compile buildtools
run: |
make buildtools
- name: Update embedded-cluster-operator metadata.yaml
env:
IMAGES_REGISTRY_SERVER: ttl.sh
OPERATOR_CHART: ${{ needs.build-deps.outputs.operator-chart }}
OPERATOR_IMAGE: ${{ needs.build-deps.outputs.operator-image }}
run: |
./scripts/ci-update-operator-metadata.sh
- name: Build
run: |
export LOCAL_ARTIFACT_MIRROR_IMAGE=${{ needs.build-deps.outputs.local-artifact-mirror-image }}
make embedded-cluster-linux-amd64
- name: List images
run: |
./output/bin/embedded-cluster version list-images > images.txt
- name: Upload images artifact
uses: actions/upload-artifact@v4
with:
name: images
path: images.txt
- name: Build images matrix
id: build-matrix
run: |
IMAGES="[$(awk '{print $1}' images.txt | xargs -n1 | awk '{print "\""$1"\","}' | sed '$ s/.$//')]"
echo "matrix=$(jq -cn --argjson images "$IMAGES" '{image: $images}')" >> $GITHUB_OUTPUT
scan:
runs-on: ubuntu-latest
needs: [output-matrix]
strategy:
fail-fast: false
matrix: ${{fromJson(needs.output-matrix.outputs.matrix)}}
steps:
- name: Checkout
uses: actions/checkout@v4
- uses: ./.github/actions/scan-image
with:
image-ref: '${{ matrix.image }}'
upload-sarif: ${{ github.ref == 'refs/heads/main' }}