Bump library/alpine from 3.21.2 to 3.21.3 #264
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Meow Container | |
| on: | |
| push: | |
| branches: | |
| - '**' | |
| - '!dependabot/**' | |
| tags: | |
| - '**' | |
| pull_request: | |
| branches: [ main ] | |
| permissions: | |
| contents: read | |
| packages: write | |
| security-events: write | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Build container image | |
| run: | | |
| docker build --label org.opencontainers.image.revision=${{ github.sha }} --iidfile meow.id . | |
| echo "MEOW_ID=$(cat meow.id)" >> ${GITHUB_ENV} | |
| - name: Test container image | |
| run: | | |
| test "$(docker run --rm ${MEOW_ID})" = "Meow! =^.^=" | |
| test "$(docker run --rm ${MEOW_ID} 2)" = "Meow! Meow! =^.^=" | |
| - name: Show image information | |
| run: | | |
| docker image inspect ${MEOW_ID} | |
| - name: Generate container tag(s) and name | |
| run: | | |
| TAGS=$(python3 tag-from-ref.py ${{ github.ref }}) | |
| echo "TAGS=${TAGS}" >> ${GITHUB_ENV} | |
| echo "CONTAINER_NAME=${{ github.repository_owner }}/hello-ghcr-meow" >> ${GITHUB_ENV} | |
| - name: Tag container image | |
| if: ${{ env.TAGS }} | |
| run: | | |
| for t in ${TAGS}; do | |
| full_tag=ghcr.io/${CONTAINER_NAME}:${t} | |
| docker tag ${MEOW_ID} ${full_tag} | |
| done | |
| echo "SCAN_REF=${full_tag}" >> ${GITHUB_ENV} | |
| - name: Tag container image with temporary tag | |
| if: ${{ ! env.TAGS }} | |
| run: | | |
| full_tag=ghcr.io/${CONTAINER_NAME}:${{ github.sha }} | |
| docker tag ${MEOW_ID} ${full_tag} | |
| echo "SCAN_REF=${full_tag}" >> ${GITHUB_ENV} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.29.0 | |
| with: | |
| image-ref: '${{ env.SCAN_REF }}' | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| - name: Docker login | |
| if: ${{ env.TAGS }} | |
| env: | |
| GHCR_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| run: > | |
| echo ${GHCR_TOKEN} | | |
| docker login ghcr.io -u ${{ github.repository_owner }} | |
| --password-stdin | |
| - name: Push the container image | |
| if: ${{ env.TAGS }} | |
| run: | | |
| for t in ${TAGS}; do | |
| docker push ghcr.io/${CONTAINER_NAME}:${t} | |
| done | |
| - name: Docker logout | |
| if: always() | |
| run: | | |
| docker logout ghcr.io |