Add pipeline for build goss docker image #909
Conversation
So is this essentially a replacement for https://github.com/aelsabbahy/goss-docker? Btw, many thanks for the awesome work you've submitted! These are all great improvements.
Added a small question, and it might be helpful to add some documentation to this PR (it can be minimal). Otherwise, it seems ready to merge.
labels: ${{ steps.meta.outputs.labels }} | ||
platforms: ${{ env.PLATFORMS }} | ||
|
||
- name: Run Trivy vulnerability scanner |
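Review bot: the Trivy step sits after the build-and-push step (the `labels:` and `platforms: ${{ env.PLATFORMS }}` inputs above it belong to that step), so findings are only reported once the image is already published, and the step name alone does not say whether findings gate the job; add a comment on the step stating which image reference it scans and that results are informational (uploaded rather than failing the build), or, if findings should block publication, scan a locally built single-platform image before the push.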
Is this something that typically runs before or after the container is pushed to the repository?
Also, when doing a goss release, this will run against the master branch, but not the released version?
This is a small add-on and runs whenever (after) an image (goss:master) is pushed into the repo. It scans the image goss:master and not the repository. This is the same image as the tagged image at the time of creating a tag. The step should not trigger a failure, but serves to keep an overview of the image. It scans not only the goss binary, but the whole image including the operating system (base image).
This gives you an overview of the status of the CVEs at the time the image was published. In my opinion, this cannot replace a regular scan of your own code.
Did you mean this kind of documentation? Or something for the GH pipeline?
Yup, this looks great!
I will have a look at why it is failing. I had tested it successfully.
In my repo I have no problems and it works. But I cannot see the package in the goss repo: https://github.com/orgs/goss-org/packages?repo_name=goss Perhaps GH needs some time to activate it.
It seems that permissions have to be set there for the package: https://docs.github.com/en/packages/learn-github-packages/configuring-a-packages-access-control-and-visibility
Yeah, it's set to private, but I can't set it to public due to org settings. I'll take a look at it sometime in the next couple of days.
https://github.com/goss-org/goss/pkgs/container/goss Done, was pretty simple actually.
Checklist
- make test-all (UNIX) passes. CI will also test this

Description of change
Add building own docker image and upload to ghcr.io. Related image: https://github.com/aelsabbahy/goss-docker/blob/master/Dockerfile
Build image from:
- <latest-tag>-master+<short commit sha>
- (semantic version)<tag>
Add CVE scan to github security page
Related to:
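As an added example of the pipeline this PR describes (build, push to ghcr.io, Trivy scan reported to the repository's Security tab), here is a minimal GitHub Actions workflow. It is not the PR's workflow or goss project code; it assumes a Dockerfile at the repository root, an image named after the repository, the `linux/amd64,linux/arm64` platform list, and the action versions shown. The scan targets the reference that was just pushed (`steps.meta.outputs.version`), so a tag push scans the released image rather than only `goss:master`, which addresses the question raised in the thread.

```yaml
name: docker-image

on:
  push:
    branches: [master]
    tags: ['v*']

permissions:
  contents: read
  packages: write          # push to ghcr.io
  security-events: write   # upload SARIF to the Security tab

env:
  IMAGE: ghcr.io/${{ github.repository }}   # assumption: image named after the repo
  PLATFORMS: linux/amd64,linux/arm64        # assumption: platform list

jobs:
  build-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/setup-qemu-action@v3
      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Tag master pushes as "master" and tag pushes as the semver tag
      # (v0.4.0 -> 0.4.0); the same value is exposed as outputs.version.
      - id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.IMAGE }}
          tags: |
            type=ref,event=branch
            type=semver,pattern={{version}}

      - uses: docker/build-push-action@v5
        with:
          context: .
          push: true
          platforms: ${{ env.PLATFORMS }}
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}

      # Scan the reference that was just pushed, whole image including the
      # base OS, not only the goss binary. exit-code '0' keeps the step
      # informational, as the thread describes; set it to '1' to fail the
      # job on CRITICAL/HIGH findings instead.
      - uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:${{ steps.meta.outputs.version }}
          format: sarif
          output: trivy.sarif
          severity: CRITICAL,HIGH
          ignore-unfixed: true
          exit-code: '0'

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy.sarif
```

Because the scan runs after the push, a vulnerable image is already public by the time findings appear in the Security tab. If findings should block publication, build a single-platform image with `load: true` and `push: false`, run the Trivy step with `exit-code: '1'` against that local image, and only then push the multi-platform build; `load: true` does not work with a multi-platform `platforms` list, which is why the gate needs a separate single-platform build.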