ubuntu #329
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ubuntu | |
| on: | |
| push: | |
| branches-ignore: | |
| - "renovate/**" | |
| paths: | |
| - "ubuntu/**" | |
| - "!ubuntu/*/README.md" | |
| - ".github/workflows/ubuntu.yml" | |
| pull_request: | |
| types: | |
| - opened | |
| - synchronize | |
| - labeled | |
| - reopened | |
| paths: | |
| - "ubuntu/**" | |
| - "!ubuntu/*/README.md" | |
| - ".github/workflows/ubuntu.yml" | |
| schedule: | |
| - cron: '0 7 * * *' | |
| workflow_dispatch: | |
| concurrency: | |
| group: ${{ github.workflow }} | |
| cancel-in-progress: true | |
| jobs: | |
| build: | |
| name: docker-build | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| env: | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ubuntu | |
| strategy: | |
| matrix: | |
| IMAGE_TAG: | |
| - 22.04 | |
| - 24.04 | |
| outputs: | |
| image: ${{ steps.metadata.outputs.image }} | |
| digest2204: ${{ steps.metadata.outputs.digest2204 }} | |
| digest2404: ${{ steps.metadata.outputs.digest2404 }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set SOURCE_DATE_EPOCH | |
| id: set-source-date-epoch | |
| run: | | |
| git log -1 ubuntu/Dockerfile | |
| echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct ubuntu/Dockerfile)" >>"${GITHUB_OUTPUT}" | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v3 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/#-action@v3 | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build | |
| id: build | |
| uses: docker/build-push-action@v6 | |
| env: | |
| SOURCE_DATE_EPOCH: ${{ steps.set-source-date-epoch.outputs.SOURCE_DATE_EPOCH }} | |
| with: | |
| context: ubuntu | |
| platforms: linux/amd64,linux/arm64 | |
| provenance: true | |
| sbom: true | |
| cache-from: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }} | |
| build-args: | | |
| VERSION=${{ matrix.IMAGE_TAG }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }} | |
| - name: Pass metadata | |
| id: metadata | |
| run: | | |
| echo "image=${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}" >>"$GITHUB_OUTPUT" | |
| echo "digest${{ matrix.IMAGE_TAG }}=${{ steps.build.outputs.digest }}" | tr -d '.' >>"$GITHUB_OUTPUT" | |
| - name: Install cosign | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Sign | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| COSIGN_EXPERIMENTAL: "true" | |
| run: cosign sign -y ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }} | |
| - name: Run Trivy vulnerability scanner | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ env.REGISTRY }}/${{ github.repository }}/${{ env.IMAGE_NAME }}:${{ matrix.IMAGE_TAG }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| severity: 'CRITICAL,HIGH' | |
| transform: | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build | |
| runs-on: ubuntu-latest | |
| outputs: | |
| images: ${{ steps.transform.outputs.images }} | |
| steps: | |
| - name: transform | |
| id: transform | |
| run: | | |
| echo '${{ toJSON(needs.build.outputs) }}' >outputs.json | |
| cat outputs.json | |
| IMAGES_JSON="$( | |
| jq --compact-output --raw-output '. as $everything | [ to_entries[] | select(.key | startswith("digest")) | {"image": $everything.image, "digest": .value}] | "images=\(.)"' outputs.json | |
| )" | |
| echo ${IMAGES_JSON} | |
| echo ${IMAGES_JSON} >>"$GITHUB_OUTPUT" | |
| provenance: | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - transform | |
| permissions: | |
| actions: read | |
| id-token: write | |
| packages: write | |
| strategy: | |
| matrix: | |
| images: ${{ fromJson(needs.transform.outputs.images) }} | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0 | |
| with: | |
| image: ${{ matrix.images.image }} | |
| digest: ${{ matrix.images.digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} |