Publish Image #8
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish Image | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| threshold: | |
| description: 'Scan threshold.' | |
| required: true | |
| default: 'high' | |
| type: choice | |
| options: | |
| - low | |
| - medium | |
| - high | |
| - critical | |
| override: | |
| description: 'Scan override.' | |
| required: true | |
| type: boolean | |
| jobs: | |
| scan-image: | |
| name: 'Scan Image' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # 4.0.0 | |
| - name: Cache Cargo | |
| uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # 3.3.2 | |
| id: cache-cargo | |
| with: | |
| key: cache-cargo-${{ hashFiles('**/Cargo.lock', '**/Cargo.toml', '**/*.rs') }} | |
| path: | | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/git/db/ | |
| ~/.cargo/bin/ | |
| target/ | |
| - name: Build Action | |
| uses: docker://rust@sha256:bef59af02f103760cd57e8d6ccadf364954b0ae5e74ea7c7203d26744aeec051 # 1.71.0 | |
| env: | |
| CARGO_HOME: '/github/home/' | |
| with: | |
| args: cargo build --release | |
| - name: Move Binaries | |
| shell: bash | |
| run: | | |
| sudo mv target/release/action action && \ | |
| sudo chown runner:runner action && \ | |
| sudo chmod 555 action | |
| - name: Docker Setup | |
| uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # 2.10.0 | |
| - name: Build Image | |
| uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # 4.1.1 | |
| with: | |
| tags: '${{ github.repository }}:latest' | |
| context: . | |
| push: false | |
| load: true | |
| - name: Scan image | |
| uses: anchore/scan-action@24fd7c9060f3c96848dd1929fac8d796fb5ae4b4 # 3.3.6 | |
| with: | |
| image: '${{ github.repository }}:latest' | |
| severity-cutoff: ${{ inputs.threshold }} | |
| fail-build: ${{ inputs.override != 'true' }} | |
| publish-image: | |
| name: 'Publish Image' | |
| runs-on: ubuntu-latest | |
| needs: scan-image | |
| permissions: | |
| contents: write | |
| packages: write | |
| id-token: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # 4.0.0 | |
| - name: Cache Cargo | |
| uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # 3.3.2 | |
| id: cache-cargo | |
| with: | |
| key: cache-cargo-${{ hashFiles('**/Cargo.lock', '**/Cargo.toml', '**/*.rs') }} | |
| path: | | |
| ~/.cargo/registry/cache/ | |
| ~/.cargo/registry/index/ | |
| ~/.cargo/git/db/ | |
| ~/.cargo/bin/ | |
| target/ | |
| - name: Build Action | |
| uses: docker://rust@sha256:bef59af02f103760cd57e8d6ccadf364954b0ae5e74ea7c7203d26744aeec051 # 1.71.0 | |
| env: | |
| CARGO_HOME: '/github/home/' | |
| with: | |
| args: cargo build --release | |
| - name: Move Binaries | |
| shell: bash | |
| run: | | |
| sudo mv target/release/action action && \ | |
| sudo chown runner:runner action && \ | |
| sudo chmod 555 action | |
| - name: Install cosign | |
| uses: sigstore/cosign-installer@11086d25041f77fe8fe7b9ea4e48e3b9192b8f19 # 3.1.2 | |
| with: | |
| cosign-release: 'v2.2.0' | |
| - name: Docker Setup | |
| uses: docker/setup-buildx-action@885d1462b80bc1c1c7f0b00334ad271f09369c55 # 2.10.0 | |
| - name: Docker Login | |
| uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # 2.2.0 | |
| with: | |
| registry: 'ghcr.io' | |
| username: '${{ github.actor }}' | |
| password: '${{ github.token }}' | |
| - name: Extract Metadata | |
| id: metadata | |
| uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # 4.6.0 | |
| with: | |
| images: 'ghcr.io/${{ github.repository }}' | |
| - name: Build / Push Image | |
| id: build-push | |
| uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # 4.1.1 | |
| with: | |
| provenance: false | |
| sbom: false | |
| labels: ${{ steps.metadata.outputs.labels }} | |
| tags: ${{ steps.metadata.outputs.tags }} | |
| context: . | |
| push: true | |
| - name: Generate Manifest | |
| uses: anchore/sbom-action@78fc58e266e87a38d4194b2137a3d4e9bcaf7ca1 # 0.14.3 | |
| with: | |
| image: 'ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }}' | |
| dependency-snapshot: true | |
| output-file: 'bom.spdx' | |
| format: spdx | |
| - name: Sign / Attest Image | |
| run: | | |
| cosign sign --yes \ | |
| 'ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }}' | |
| cosign attest --yes --predicate 'bom.spdx' \ | |
| 'ghcr.io/${{ github.repository }}@${{ steps.build-push.outputs.digest }}' |