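---
# Image Scan: builds the images this repo ships, lists every image the
# resulting binary references, and fans out one scan job per image.
#
# NOTE(review): third-party actions are referenced by mutable major tags
# (@v4, @v5). Pinning them to a full commit SHA is the usual supply-chain
# hardening for a workflow that runs on a schedule with write permissions.
name: Image Scan

on:
  schedule:
    # everyday at midnight.
    - cron: '0 0 * * *'
  workflow_dispatch: {}
  push:
    # TODO: add this once we have all images in the metadata.yaml
    # paths:
    #   - '**/metadata.yaml'
    branches:
      - main

# Once a permissions block is present, every scope not listed is "none",
# so the scopes the workflow relies on are spelled out explicitly.
permissions:
  # actions/checkout needs read access to the repository contents.
  contents: read
  # Required to upload SARIF results to code scanning (scan job).
  security-events: write

jobs:
  # Builds and pushes the two images (plus the operator chart) that the
  # embedded-cluster build below needs, and exposes their refs as outputs.
  build-deps:
    outputs:
      local-artifact-mirror-image: ${{ steps.local-artifact-mirror.outputs.image }}
      operator-image: ${{ steps.operator.outputs.image }}
      operator-chart: ${{ steps.operator.outputs.chart }}
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-depth: 0  # fetch all history so that we can get the previous tag

      # NOTE(review): unpinned curl|sh installer — both the script and the
      # release it fetches can change without any change to this repo.
      # The dagger installer honors DAGGER_VERSION; pinning a release (and
      # checking the download's checksum) is preferable for a CI job.
      - name: Install dagger
        run: |
          curl -fsSL https://dl.dagger.io/dagger/install.sh | sh
          sudo mv ./bin/dagger /usr/local/bin/dagger

      - name: Build and push local-artifact-mirror image
        id: local-artifact-mirror
        run: |
          make -C local-artifact-mirror build-ttl.sh
          echo "image=$(cat local-artifact-mirror/build/image)" >> "$GITHUB_OUTPUT"

      - name: Build and push operator image
        id: operator
        run: |
          make -C operator build-ttl.sh build-chart-ttl.sh
          echo "image=$(cat operator/build/image)" >> "$GITHUB_OUTPUT"
          echo "chart=$(cat operator/build/chart)" >> "$GITHUB_OUTPUT"

  # Compiles the buildtools helper once and shares it as an artifact.
  buildtools:
    name: Build buildtools
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache-dependency-path: "**/*.sum"

      - name: Compile buildtools
        run: |
          make buildtools

      - name: Upload buildtools artifact
        uses: actions/upload-artifact@v4
        with:
          name: buildtools
          path: output/bin/buildtools

  # Builds the embedded-cluster binary against the freshly pushed images and
  # turns its image list into a JSON matrix consumed by the scan job.
  output-matrix:
    runs-on: ubuntu-latest
    needs:
      - build-deps
      - buildtools
    outputs:
      matrix: ${{ steps.build-matrix.outputs.matrix }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Setup go
        uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
          cache-dependency-path: "**/*.sum"

      - name: Download buildtools artifact
        uses: actions/download-artifact@v4
        with:
          name: buildtools
          path: output/bin

      # NOTE(review): buildtools was just downloaded into output/bin; this
      # rebuild looks redundant unless make needs it to refresh other targets.
      # Confirm against the Makefile before removing either step.
      - name: Compile buildtools
        run: |
          make buildtools

      - name: Update embedded-cluster-operator metadata.yaml
        env:
          IMAGES_REGISTRY_SERVER: ttl.sh
          OPERATOR_CHART: ${{ needs.build-deps.outputs.operator-chart }}
          OPERATOR_IMAGE: ${{ needs.build-deps.outputs.operator-image }}
        run: |
          ./scripts/ci-update-operator-metadata.sh

      - name: Build
        env:
          # Handed to make through the environment instead of being
          # interpolated into the script, so the value is never re-parsed
          # by the shell.
          LOCAL_ARTIFACT_MIRROR_IMAGE: ${{ needs.build-deps.outputs.local-artifact-mirror-image }}
        run: |
          make embedded-cluster-linux-amd64

      - name: List images
        run: |
          ./output/bin/embedded-cluster version list-images > images.txt

      - name: Upload images artifact
        uses: actions/upload-artifact@v4
        with:
          name: images
          path: images.txt

      # Emits {"image": [...]} for the scan job's matrix. Each non-empty line
      # of images.txt contributes its first whitespace-separated field; jq does
      # the JSON quoting so an unexpected character cannot break the document.
      # An empty list makes the scan job fail at matrix expansion, which
      # surfaces a broken list-images step rather than silently scanning nothing.
      - name: Build images matrix
        id: build-matrix
        run: |
          matrix="$(awk 'NF { print $1 }' images.txt | jq -Rcn '{image: [inputs]}')"
          echo "matrix=${matrix}" >> "$GITHUB_OUTPUT"

  # One job per image from the matrix; results are uploaded to code scanning
  # only for main so feature branches do not pollute the alerts list.
  scan:
    runs-on: ubuntu-latest
    needs: [output-matrix]
    strategy:
      fail-fast: false  # keep scanning the remaining images if one scan fails
      matrix: ${{ fromJson(needs.output-matrix.outputs.matrix) }}
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - uses: ./.github/actions/scan-image
        with:
          image-ref: '${{ matrix.image }}'
          upload-sarif: ${{ github.ref == 'refs/heads/main' }}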