-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
ci: pins all reference GitHub actions to a hash value (#242)
Signed-off-by: Jennifer Power <[email protected]>
- Loading branch information
Showing
6 changed files
with
62 additions
and
69 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -28,15 +28,15 @@ runs: | |
using: "composite" | ||
steps: | ||
- name: Set up QEMU | ||
uses: docker/setup-qemu-action@v3 | ||
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # pin@v3 | ||
|
||
- name: Set up Docker Buildx | ||
uses: docker/setup-buildx-action@v3 | ||
uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # pin@v3 | ||
|
||
# Tags are defined here based on workflow triggers | ||
- name: Define metadata | ||
id: meta | ||
uses: docker/metadata-action@v5 | ||
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # pin@v5 | ||
with: | ||
images: ${{ inputs.image }} | ||
tags: | | ||
|
@@ -47,9 +47,9 @@ runs: | |
type=schedule,pattern={{date 'YYYYMMDD'}},prefix=${{ inputs.release_version }}. | ||
flavor: | | ||
latest=false | ||
- name: Build and export to Docker | ||
uses: docker/build-push-action@v5 | ||
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # pin@v5 | ||
id: build-and-export | ||
with: | ||
context: "${{ github.server_url }}/${{ github.repository }}.git#${{ inputs.git_ref }}" | ||
|
@@ -59,16 +59,16 @@ runs: | |
cache-to: type=gha,mode=max | ||
tags: ${{ steps.meta.outputs.tags }} | ||
labels: ${{ steps.meta.outputs.labels }} | ||
|
||
- name: Pre-push Image Scan | ||
uses: aquasecurity/[email protected] | ||
uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # pin@0.19.0 | ||
with: | ||
image-ref: ${{ inputs.image }}:${{ steps.meta.outputs.version }} | ||
exit-code: 1 | ||
skip-files: "**/.venv/lib/**/METADATA" | ||
skip-files: "**/.venv/lib/**/METADATA" | ||
scanners: secret | ||
severity: HIGH,CRITICAL,MEDIUM | ||
|
||
- name: Pre-push testing | ||
if: ${{ inputs.skip_tests == 'false' }} | ||
uses: ./.github/actions/e2e-testing | ||
|
@@ -78,7 +78,7 @@ runs: | |
|
||
# Does not rebuild. Uses internal cache from previous step. | ||
- name: Build and Push | ||
uses: docker/build-push-action@v5 | ||
uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # pin@v5 | ||
id: build-and-push | ||
with: | ||
context: "${{ github.server_url }}/${{ github.repository }}.git#${{ inputs.git_ref }}" | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -4,7 +4,7 @@ on: | |
schedule: | ||
- cron: 0 0 */30 * * | ||
release: | ||
types: [published] | ||
types: [ published ] | ||
workflow_dispatch: | ||
inputs: | ||
tag: | ||
|
@@ -24,8 +24,8 @@ on: | |
required: false | ||
default: false | ||
env: | ||
IMAGE_NAME: trestle-bot | ||
IMAGE_REGISTRY: quay.io | ||
IMAGE_NAME: trestle-bot | ||
IMAGE_REGISTRY: quay.io | ||
|
||
concurrency: | ||
group: ${{ github.ref }}-${{ github.workflow }}-publish | ||
|
@@ -40,24 +40,24 @@ jobs: | |
id-token: write # needed for signing the images with GitHub OIDC Token | ||
steps: | ||
- name: Login to Quay | ||
uses: docker/login-action@v3 | ||
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # pin@v3 | ||
with: | ||
username: ${{ secrets.QUAY_USER }} | ||
password: ${{ secrets.QUAY_TOKEN }} | ||
registry: ${{ env.IMAGE_REGISTRY }} | ||
|
||
- name: Check out | ||
uses: actions/checkout@v4 | ||
uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # pin@v4 | ||
with: | ||
persist-credentials: false | ||
|
||
- name: Set up cosign | ||
uses: sigstore/[email protected] | ||
uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # pin@v3.5.0 | ||
|
||
- name: Check if triggered by release or workflow dispatch | ||
id: check_event | ||
run: echo "event_type=${{ toJson(github.event_name) }}" >> "$GITHUB_OUTPUT" | ||
|
||
# Using intermediary variable to process event based input | ||
- name: Set environment information for release | ||
if: ${{ steps.check_event.outputs.event_type == 'release' }} | ||
|
@@ -107,7 +107,7 @@ jobs: | |
no_cache: ${{ env.NO_CACHE }} | ||
git_ref: ${{ env.BUILD_GIT_REF }} | ||
skip_tests: ${{ env.SKIP_TESTS }} | ||
|
||
- name: Sign the image with GitHub OIDC Token | ||
run: cosign sign --yes "$IMAGE" | ||
env: | ||
|