Merge pull request #3 from userbradley/dependabot/github_actions/acti… #5

Summary
Jobs
- build
- scan
Run details
- Usage
- Workflow file

Workflow file for this run

.github/workflows/build-main.yaml at d6cea63

	name: Build Image for GCP

	env:
	CONTAINER: "prom-status"
	REPO: "public"

	on:
	push:
	branches:
	- main
	paths:
	- src/**
	- .github/workflows/build-main.yaml
	- Dockerfile

	jobs:
	build:
	outputs:
	image: ${{ steps.output.outputs.image }}
	runs-on: ubuntu-latest
	permissions:
	id-token: write
	contents: read
	packages: write

	steps:

	- name: Checkout code
	uses: actions/checkout@v4

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@v1'
	with:
	token_format: 'access_token'
	workload_identity_provider: ${{vars.WORKLOAD_IDENTITY_PROVIDER}}
	service_account: ${{vars.SERVICE_ACCOUNT}}

	- uses: 'docker/login-action@v2'
	name: Log docker in to Google Container Store
	with:
	registry: 'europe-west2-docker.pkg.dev'
	username: 'oauth2accesstoken'
	password: '${{ steps.auth.outputs.access_token }}'

	- name: 'Login to GitHub Container Registry'
	uses: docker/login-action@v2
	with:
	registry: 'ghcr.io'
	username: '${{github.actor}}'
	password: '${{secrets.GITHUB_TOKEN}}'

	- name: Generate Shortened SHA Hash for docker container
	id: sha
	run: echo "sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT

	- name: Generate Branch Normalized
	id: bnml
	run: echo ref=$(echo ${GITHUB_REF_NAME} \| cut -f2 -d'/') >> $GITHUB_OUTPUT

	- id: output
	run: echo image=${{ vars.AR }}/${{ env.REPO }}/${{ env.CONTAINER}}:${{steps.bnml.outputs.ref}}-${{steps.sha.outputs.sha}} >> $GITHUB_OUTPUT

	- name: Build and Push image
	uses: docker/build-push-action@v4
	with:
	push: true
	file: Dockerfile
	tags: \|
	${{ vars.AR }}/${{ env.REPO }}/${{ env.CONTAINER}}:${{steps.sha.outputs.sha}}
	${{ vars.AR }}/${{ env.REPO }}/${{ env.CONTAINER}}:${{steps.bnml.outputs.ref}}
	${{ vars.AR }}/${{ env.REPO }}/${{ env.CONTAINER}}:${{steps.bnml.outputs.ref}}-${{steps.sha.outputs.sha}}
	${{ vars.AR }}/${{ env.REPO }}/${{ env.CONTAINER}}:latest
	ghcr.io/userbradley/${{ env.CONTAINER}}:${{steps.sha.outputs.sha}}
	ghcr.io/userbradley/${{ env.CONTAINER}}:${{steps.bnml.outputs.ref}}
	ghcr.io/userbradley/${{ env.CONTAINER}}:${{steps.bnml.outputs.ref}}-${{steps.sha.outputs.sha}}
	ghcr.io/userbradley/${{ env.CONTAINER}}:latest

	scan:
	needs: build
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	id-token: write

	steps:

	- id: 'auth'
	name: 'Authenticate to Google Cloud'
	uses: 'google-github-actions/auth@v1'
	with:
	token_format: 'access_token'
	workload_identity_provider: ${{vars.WORKLOAD_IDENTITY_PROVIDER}}
	service_account: ${{vars.SERVICE_ACCOUNT}}

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: ${{ needs.build.outputs.image }}
	format: 'sarif'
	output: 'trivy-results.sarif'

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Merge pull request #3 from userbradley/dependabot/github_actions/acti… #5

Workflow file

Merge pull request #3 from userbradley/dependabot/github_actions/acti… #5

Jobs

Run details

Workflow file for this run