diff --git a/.github/workflows/docker-goss.yaml b/.github/workflows/docker-goss.yaml index e7a9f829..198dcb55 100644 --- a/.github/workflows/docker-goss.yaml +++ b/.github/workflows/docker-goss.yaml @@ -1,110 +1,110 @@ -name: Docker image for Goss - -on: - push: - branches: - - master - tags: - - "v*" - workflow_dispatch: - -env: - PLATFORMS: "linux/amd64,linux/arm64" - -jobs: - goss: - name: Build and push Docker image - runs-on: ubuntu-latest - permissions: - packages: write - contents: read - security-events: write # To upload Trivy sarif files - - steps: - - name: Checkout - uses: actions/checkout@v4 - - - name: Set up QEMU - uses: docker/setup-qemu-action@v3 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to GHCR - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: | - ghcr.io/${{ github.repository_owner }}/goss - - - name: Get latest git tag - if: github.ref_name == 'master' - id: get-latest-tag - run: | - # source: https://github.com/actions-ecosystem/action-get-latest-tag/blob/main/entrypoint.sh - set -e - git config --global --add safe.directory /github/workspace - git fetch --tags --force - # This suppress an error occurred when the repository is a complete one. - git fetch --prune --unshallow 2>/dev/null || true - latest_tag=$(git describe --abbrev=0 --tags || true) - echo "tag=${latest_tag}" >> "$GITHUB_OUTPUT" - echo "Latest tag: $latest_tag" - - - name: Set short git commit SHA - if: github.ref_name == 'master' - run: | - calculatedSha=$(git rev-parse --short ${{ github.sha }}) - echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV - echo "COMMIT_SHORT_SHA: $calculatedSha" - - - name: Get the current version of Go from project. - run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV - - - name: Build master goss image - if: github.ref_name == 'master' - uses: docker/build-push-action@v6 - with: - build-args: | - GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} - GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }} - context: . - push: true - tags: | - ghcr.io/${{ github.repository_owner }}/goss:master - labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ env.PLATFORMS }} - - - name: Build release goss image - if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') - uses: docker/build-push-action@v6 - with: - build-args: | - GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} - GOSS_VERSION=${{ github.ref_name }} - context: . - push: true - tags: | - ghcr.io/${{ github.repository_owner }}/goss:latest - ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }} - labels: ${{ steps.meta.outputs.labels }} - platforms: ${{ env.PLATFORMS }} - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.24.0 - with: - image-ref: ghcr.io/${{ github.repository_owner }}/goss:master - format: "sarif" - output: "trivy-results.sarif" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v3 - with: - sarif_file: "trivy-results.sarif" +name: Docker image for Goss + +on: + push: + branches: + - master + tags: + - "v*" + workflow_dispatch: + +env: + PLATFORMS: "linux/amd64,linux/arm64" + +jobs: + goss: + name: Build and push Docker image + runs-on: ubuntu-latest + permissions: + packages: write + contents: read + security-events: write # To upload Trivy sarif files + + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to GHCR + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@v5 + with: + images: | + ghcr.io/${{ github.repository_owner }}/goss + + - name: Get latest git tag + if: github.ref_name == 'master' + id: get-latest-tag + run: | + # source: https://github.com/actions-ecosystem/action-get-latest-tag/blob/main/entrypoint.sh + set -e + git config --global --add safe.directory /github/workspace + git fetch --tags --force + # This suppress an error occurred when the repository is a complete one. + git fetch --prune --unshallow 2>/dev/null || true + latest_tag=$(git describe --abbrev=0 --tags || true) + echo "tag=${latest_tag}" >> "$GITHUB_OUTPUT" + echo "Latest tag: $latest_tag" + + - name: Set short git commit SHA + if: github.ref_name == 'master' + run: | + calculatedSha=$(git rev-parse --short ${{ github.sha }}) + echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV + echo "COMMIT_SHORT_SHA: $calculatedSha" + + - name: Get the current version of Go from project. + run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV + + - name: Build master goss image + if: github.ref_name == 'master' + uses: docker/build-push-action@v6 + with: + build-args: | + GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} + GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }} + context: . + push: true + tags: | + ghcr.io/${{ github.repository_owner }}/goss:master + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ env.PLATFORMS }} + + - name: Build release goss image + if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') + uses: docker/build-push-action@v6 + with: + build-args: | + GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} + GOSS_VERSION=${{ github.ref_name }} + context: . + push: true + tags: | + ghcr.io/${{ github.repository_owner }}/goss:latest + ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }} + labels: ${{ steps.meta.outputs.labels }} + platforms: ${{ env.PLATFORMS }} + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.24.0 + with: + image-ref: ghcr.io/${{ github.repository_owner }}/goss:master + format: "sarif" + output: "trivy-results.sarif" + + - name: Upload Trivy scan results to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: "trivy-results.sarif"