-
Notifications
You must be signed in to change notification settings - Fork 0
74 lines (60 loc) · 2.62 KB
/
build-deploy-from-branch.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
name: Build and deploy from branch.
on:
pull_request:
jobs:
build_deploy_branch:
runs-on: ubuntu-latest
environment: dev-cd
permissions:
id-token: write
packages: write
contents: write
steps:
- name: Checkout the source code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
token: ${{ secrets.GIT_PAT }}
fetch-depth: 0
- name: Log in to the Container registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: https://ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Set up QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
- name: Build the app image
uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
with:
push: true
context: .
file: src/main/docker/Dockerfile.multistage
platforms: linux/amd64
tags: ghcr.io/${{ github.repository }}:${{ github.head_ref || github.ref_name }}
secrets: |
"gh_user=${{ secrets.GIT_USER }}"
"gh_token=${{ secrets.GIT_PAT }}"
- name: Run the Trivy scan action itself with GitHub Advanced Security code scanning integration enabled
id: scan
uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # v0.22.0
with:
image-ref: "ghcr.io/${{ github.repository }}:${{ github.head_ref || github.ref_name }}"
format: 'sarif'
output: 'results.sarif'
- name: Upload Anchore Scan Report
uses: github/codeql-action/upload-sarif@9550da953dd3b29aedf76cd635101e48eae5eebd # CodeQL Bundle v2.17.4
with:
sarif_file: 'results.sarif'
- name: CVE Description escaped extraction and print
run: |
SCAN_RESULTS=$(jq -r 'try .runs[0].tool.driver.rules | map(.help.text) | join("\\n")' results.sarif)
echo "CVE_CRITICAL=$(echo $SCAN_RESULTS | grep -o CRITICAL | wc -l)" >> $GITHUB_ENV
echo "CVE_HIGH=$(echo $SCAN_RESULTS | grep -o HIGH | wc -l)" >> $GITHUB_ENV
echo "CVE_MEDIUM=$(echo $SCAN_RESULTS | grep -o MEDIUM | wc -l)" >> $GITHUB_ENV
echo $SCAN_RESULTS
- name: Fails if CVE HIGH or CRITICAL are detected
id: cve-threshold
if: env.CVE_HIGH > 0 || env.CVE_CRITICAL > 0
run: exit 1