Secure image build #13
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Secure image build | |
| on: workflow_dispatch | |
| permissions: | |
| contents: read | |
| jobs: | |
| build-and-push-image: | |
| name: Build and push image | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Build image | |
| uses: redhat-actions/buildah-build@v2 | |
| with: | |
| image: quay.io/rh_ee_jablair/ubi9 | |
| tags: v0.0.1-${{ github.sha }} | |
| containerfiles: | | |
| ./2024-08-28-rhacs-actions-pipeline/Containerfile | |
| - name: Push to quay.io | |
| uses: redhat-actions/push-to-registry@v2 | |
| with: | |
| image: ubi9 | |
| tags: v0.0.1-${{ github.sha }} | |
| registry: quay.io/rh_ee_jablair | |
| username: ${{ secrets.QUAY_USERNAME }} | |
| password: ${{ secrets.QUAY_PASSWORD }} | |
| scan-image: | |
| runs-on: ubuntu-latest | |
| needs: build-and-push-image | |
| permissions: | |
| id-token: write | |
| steps: | |
| - name: Rhacs login | |
| uses: stackrox/central-login@v1 | |
| with: | |
| endpoint: ${{ secrets.CENTRAL_ENDPOINT }} | |
| skip-tls-verify: true | |
| - name: Install roxctl | |
| uses: stackrox/roxctl-installer-action@v1 | |
| with: | |
| central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }} | |
| central-token: ${{ secrets.ROX_API_TOKEN }} | |
| skip-tls-verify: true | |
| - name: Scan image with roxctl | |
| shell: bash | |
| run: | | |
| roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1-${{ github.sha }}" --insecure-skip-tls-verify |