mirror of
https://github.com/dexidp/dex.git
synced 2026-03-27 16:21:05 +00:00
58e387a5fa
Bumps [sigstore/cosign-installer](https://github.com/sigstore/cosign-installer) from 4.1.0 to 4.1.1.
- [Release notes](https://github.com/sigstore/cosign-installer/releases)
- [Commits](ba7bc0a3fe...cad07c2e89)
---
updated-dependencies:
- dependency-name: sigstore/cosign-installer
dependency-version: 4.1.1
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
270 lines
10 KiB
YAML
270 lines
10 KiB
YAML
name: Artifacts
|
|
|
|
on:
|
|
workflow_call:
|
|
inputs:
|
|
publish:
|
|
description: Publish artifacts to the artifact store
|
|
default: false
|
|
required: false
|
|
type: boolean
|
|
secrets:
|
|
DOCKER_USERNAME:
|
|
required: true
|
|
DOCKER_PASSWORD:
|
|
required: true
|
|
outputs:
|
|
container-image-name:
|
|
description: Container image name
|
|
value: ${{ jobs.container-images.outputs.name }}
|
|
container-image-digest:
|
|
description: Container image digest
|
|
value: ${{ jobs.container-images.outputs.digest }}
|
|
container-image-ref:
|
|
description: Container image ref
|
|
value: ${{ jobs.container-images.outputs.ref }}
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
container-images:
|
|
name: Container images
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
matrix:
|
|
variant:
|
|
- alpine
|
|
- distroless
|
|
|
|
permissions:
|
|
attestations: write
|
|
contents: read
|
|
packages: write
|
|
id-token: write
|
|
security-events: write
|
|
|
|
outputs:
|
|
name: ${{ steps.image-name.outputs.value }}
|
|
digest: ${{ steps.build.outputs.digest }}
|
|
ref: ${{ steps.image-ref.outputs.value }}
|
|
|
|
steps:
|
|
- name: Checkout repository
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
|
with:
|
|
fetch-tags: true
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
|
|
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
|
|
|
|
- name: Set up Syft
|
|
uses: anchore/sbom-action/download-syft@e22c389904149dbc22b58101806040fa8d37a610 # v0.24.0
|
|
|
|
- name: Install cosign
|
|
uses: sigstore/cosign-installer@cad07c2e89fa2edd6e2d7bab4c1aa38e53f76003 # v4.1.1
|
|
|
|
- name: Set image name
|
|
id: image-name
|
|
run: echo "value=ghcr.io/${{ github.repository }}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Gather build metadata
|
|
id: meta
|
|
uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0
|
|
with:
|
|
images: |
|
|
${{ steps.image-name.outputs.value }}
|
|
${{ github.repository == 'dexidp/dex' && 'dexidp/dex' || '' }}
|
|
flavor: |
|
|
latest = false
|
|
tags: |
|
|
type=ref,event=branch,enable=${{ matrix.variant == 'alpine' }}
|
|
type=ref,event=pr,prefix=pr-,enable=${{ matrix.variant == 'alpine' }}
|
|
type=semver,pattern={{raw}},enable=${{ matrix.variant == 'alpine' }}
|
|
type=raw,value=latest,enable=${{ github.ref_name == github.event.repository.default_branch && matrix.variant == 'alpine' }}
|
|
type=ref,event=branch,suffix=-${{ matrix.variant }}
|
|
type=ref,event=pr,prefix=pr-,suffix=-${{ matrix.variant }}
|
|
type=semver,pattern={{raw}},suffix=-${{ matrix.variant }}
|
|
type=raw,value=latest,enable={{is_default_branch}},suffix=-${{ matrix.variant }}
|
|
labels: |
|
|
org.opencontainers.image.documentation=https://dexidp.io/docs/
|
|
|
|
# Multiple exporters are not supported yet
|
|
# See https://github.com/moby/buildkit/pull/2760
|
|
- name: Get version from git-version script
|
|
id: version
|
|
run: echo "value=$(bash ./scripts/git-version)" >> "$GITHUB_OUTPUT"
|
|
|
|
# Multiple exporters are not supported yet
|
|
# See https://github.com/moby/buildkit/pull/2760
|
|
- name: Determine build output
|
|
uses: haya14busa/action-cond@94f77f7a80cd666cb3155084e428254fea4281fd # v1.2.1
|
|
id: build-output
|
|
with:
|
|
cond: ${{ inputs.publish }}
|
|
if_true: type=image,push=true
|
|
if_false: type=oci,dest=image.tar
|
|
|
|
- name: Login to GitHub Container Registry
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ github.token }}
|
|
if: inputs.publish
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
|
|
with:
|
|
username: ${{ secrets.DOCKER_USERNAME }}
|
|
password: ${{ secrets.DOCKER_PASSWORD }}
|
|
if: inputs.publish
|
|
|
|
- name: Build and push image
|
|
id: build
|
|
uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0
|
|
with:
|
|
context: .
|
|
platforms: linux/amd64,linux/arm/v7,linux/arm64,linux/ppc64le,linux/s390x
|
|
tags: ${{ steps.meta.outputs.tags }}
|
|
build-args: |
|
|
BASE_IMAGE=${{ matrix.variant }}
|
|
VERSION=${{ steps.version.outputs.value }}
|
|
COMMIT_HASH=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
|
|
BUILD_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
|
|
labels: |
|
|
${{ steps.meta.outputs.labels }}
|
|
# cache-from: type=gha
|
|
# cache-to: type=gha,mode=max
|
|
outputs: ${{ steps.build-output.outputs.value }}
|
|
# push: ${{ inputs.publish }}
|
|
|
|
- name: Sign the images with GitHub OIDC Token
|
|
run: |
|
|
cosign sign --yes ${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}
|
|
if: inputs.publish
|
|
|
|
- name: Set image ref
|
|
id: image-ref
|
|
run: echo "value=${{ steps.image-name.outputs.value }}@${{ steps.build.outputs.digest }}" >> "$GITHUB_OUTPUT"
|
|
|
|
- name: Fetch image
|
|
run: skopeo --insecure-policy copy docker://${{ steps.image-ref.outputs.value }} oci-archive:image.tar
|
|
if: inputs.publish
|
|
|
|
# Uncomment the following lines for debugging:
|
|
# - name: Upload image as artifact
|
|
# uses: actions/upload-artifact@v3
|
|
# with:
|
|
# name: "[${{ github.job }}] OCI tarball"
|
|
# path: image.tar
|
|
|
|
- name: Extract OCI tarball
|
|
id: extract-oci
|
|
run: |
|
|
mkdir -p image
|
|
tar -xf image.tar -C image
|
|
|
|
image_name=$(jq -r '.manifests[0].annotations["io.containerd.image.name"]' image/index.json)
|
|
image_tag=$(jq -r '.manifests[0].annotations["org.opencontainers.image.ref.name"]' image/index.json)
|
|
|
|
echo "Copying $image_tag -> $image_name"
|
|
skopeo copy "oci:image:$image_tag" "docker-daemon:$image_name"
|
|
|
|
echo "value=$image_name" >> "$GITHUB_OUTPUT"
|
|
if: ${{ !inputs.publish }}
|
|
|
|
|
|
# - name: List tags
|
|
# run: skopeo --insecure-policy list-tags oci:image
|
|
#
|
|
# # See https://github.com/anchore/syft/issues/1545
|
|
# - name: Extract image from multi-arch image
|
|
# run: skopeo --override-os linux --override-arch amd64 --insecure-policy copy oci:image:${{ steps.image-name.outputs.value }}:${{ steps.meta.outputs.version }} docker-archive:docker.tar
|
|
#
|
|
# - name: Generate SBOM
|
|
# run: syft -o spdx-json=sbom-spdx.json docker-archive:docker.tar
|
|
#
|
|
# - name: Upload SBOM as artifact
|
|
# uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
|
|
# with:
|
|
# name: "[${{ github.job }}] SBOM"
|
|
# path: sbom-spdx.json
|
|
# retention-days: 5
|
|
|
|
# TODO: uncomment when the action is working for non ghcr.io pushes. GH Issue: https://github.com/actions/attest-build-provenance/issues/80
|
|
# - name: Generate build provenance attestation
|
|
# uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
|
|
# with:
|
|
# subject-name: dexidp/dex
|
|
# subject-digest: ${{ steps.build.outputs.digest }}
|
|
# push-to-registry: true
|
|
|
|
- name: Generate build provenance attestation
|
|
uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
|
|
with:
|
|
subject-name: ghcr.io/${{ github.repository }}
|
|
subject-digest: ${{ steps.build.outputs.digest }}
|
|
push-to-registry: true
|
|
if: inputs.publish
|
|
|
|
- name: Prepare image fs for scanning
|
|
run: |
|
|
image_ref=${{ steps.extract-oci.outputs.value != '' && steps.extract-oci.outputs.value || steps.image-ref.outputs.value }}
|
|
docker export $(docker create --rm $image_ref) -o docker-image.tar
|
|
|
|
mkdir -p docker-image
|
|
tar -xf docker-image.tar -C docker-image
|
|
|
|
## Use cache for the trivy-db to avoid the TOOMANYREQUESTS error https://github.com/aquasecurity/trivy-action/pull/397
|
|
## To avoid the trivy-db becoming outdated, we save the cache for one day
|
|
- name: Get data
|
|
id: date
|
|
run: echo "date=$(date +%Y-%m-%d)" >> $GITHUB_OUTPUT
|
|
|
|
- name: Restore trivy cache
|
|
uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
|
|
with:
|
|
path: cache/db
|
|
key: trivy-cache-${{ steps.date.outputs.date }}
|
|
restore-keys: trivy-cache-
|
|
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
|
|
with:
|
|
input: docker-image
|
|
format: sarif
|
|
output: trivy-results.sarif
|
|
scan-type: "rootfs"
|
|
scan-ref: "."
|
|
cache-dir: "./cache"
|
|
# Disable skipping trivy cache for now
|
|
env:
|
|
TRIVY_SKIP_DB_UPDATE: true
|
|
TRIVY_SKIP_JAVA_DB_UPDATE: true
|
|
|
|
## Trivy-db uses `0600` permissions.
|
|
## But `action/cache` use `runner` user by default
|
|
## So we need to change the permissions before caching the database.
|
|
- name: change permissions for trivy.db
|
|
run: sudo chmod 0644 ./cache/db/trivy.db
|
|
|
|
- name: Check Trivy sarif
|
|
run: cat trivy-results.sarif
|
|
|
|
- name: Upload Trivy scan results as artifact
|
|
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
|
|
with:
|
|
name: "[${{ github.job }}] Trivy scan results"
|
|
path: trivy-results.sarif
|
|
retention-days: 5
|
|
overwrite: true
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab
|
|
uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v3.29.5
|
|
with:
|
|
sarif_file: trivy-results.sarif
|