Skip to content

Bump step-security/harden-runner from 1.5.0 to 2.6.0 #1871

Bump step-security/harden-runner from 1.5.0 to 2.6.0

Bump step-security/harden-runner from 1.5.0 to 2.6.0 #1871

Workflow file for this run

# Copyright 2020 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the GNU GPL v3
# license that can be found in the LICENSE file.
#
name: Docker
on:
push:
tags:
- "v*"
branches:
- 'main'
- 'develop'
paths-ignore:
- "**.md"
- 'snapcraft.yaml'
- 'requirements.txt'
- '.github/**'
- '!.github/workflows/docker.yml'
- 'docs/**'
- 'mkdocs.yml'
pull_request:
branches:
- 'main'
paths-ignore:
- "**.md"
- 'snapcraft.yaml'
- 'requirements.txt'
- '.github/**'
- '!.github/workflows/docker.yml'
- 'docs/**'
- 'mkdocs.yml'
workflow_dispatch:
permissions:
contents: read
# New runs to only cancel in-progress runs of the same workflow.
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
publish:
name: Build and push Docker image
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
outputs:
image: ${{ steps.prep.outputs.ghcr }}
version: ${{ steps.meta.outputs.version }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: block
disable-telemetry: true
allowed-endpoints: >
ghcr.io:443
github.com:443
api.github.com:443
pkg-containers.githubusercontent.com:443
docker.io:443
auth.docker.io:443
index.docker.io:443
registry-1.docker.io:443
production.cloudflare.docker.com:443
dl-cdn.alpinelinux.org:443
storage.googleapis.com:443
proxy.golang.org:443
sum.golang.org:443
- name: Checkout default branch
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 0
- name: Install Cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.1'
- name: Prepare
id: prep
run: |
GHCR_HOST=ghcr.io
DOCKER_HOST=docker.io
DOCKER_IMAGE_SCOPE=${{ github.repository }} # foo/bar
if [ "${{ github.event_name }}" = "schedule" ]; then
DOCKER_IMAGE_VERSION=nightly
elif [[ $GITHUB_REF == refs/tags/* ]]; then
DOCKER_IMAGE_VERSION=${GITHUB_REF#refs/*/v}
TAGS="${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}:latest,${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:latest"
else
DOCKER_IMAGE_VERSION=edge
fi
TAGS="${TAGS},${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "version=${DOCKER_IMAGE_VERSION}" >> $GITHUB_OUTPUT
echo "docker=${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}" >> $GITHUB_OUTPUT
echo "ghcr=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> $GITHUB_OUTPUT
echo "images=${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
- name: Login to Docker Hub
if: github.event_name != 'pull_request'
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
username: ${{ vars.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
with:
images: ${{ steps.prep.outputs.images }}
tags: |
type=semver,pattern=${{ steps.prep.outputs.version }}
type=raw,${{ steps.prep.outputs.version }}
- name: Build artifacts
uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
env:
WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
with:
files: ./docker-bake.hcl
targets: artifact-all
set: |
*.cache-from=type=local,src=/tmp/.image-cache/artifacts
*.cache-to=type=local,dest=/tmp/.image-cache-new/artifacts
- name: Build and push Docker image
uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
env:
WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
with:
files: |
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: release
push: ${{ github.event_name != 'pull_request' }}
set: |
*.cache-from=type=local,src=/tmp/.image-cache/image
*.cache-to=type=local,dest=/tmp/.image-cache-new/image
- name: Sign image with a key
if: github.event_name != 'pull_request'
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
- name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
docker buildx imagetools inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
- name: Inspect image
if: github.event_name != 'pull_request'
run: |
docker pull ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
docker pull ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
- name: Cosign verify
if: github.event_name != 'pull_request'
run: |
IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
cat cosign.pub
cosign verify --key cosign.pub $IMAGE_NAME
allinone:
name: AllInOne Docker image
runs-on: ubuntu-latest
permissions:
packages: write
id-token: write
outputs:
image: ${{ steps.prep.outputs.ghcr }}
version: ${{ steps.meta.outputs.version }}
steps:
- name: Harden Runner
uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
with:
egress-policy: block
disable-telemetry: true
allowed-endpoints: >
ghcr.io:443
github.com:443
api.github.com:443
docker.io:443
pkg-containers.githubusercontent.com:443
auth.docker.io:443
registry-1.docker.io:443
production.cloudflare.docker.com:443
dl-cdn.alpinelinux.org:443
storage.googleapis.com:443
proxy.golang.org:443
sum.golang.org:443
- name: Checkout default branch
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
with:
fetch-depth: 0
- name: Install Cosign
if: github.event_name != 'pull_request'
uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
with:
cosign-release: 'v1.13.1'
- name: Prepare
id: prep
run: |
GHCR_HOST=ghcr.io
DOCKER_IMAGE_SCOPE=${{ github.repository }} # foo/bar
if [ "${{ github.event_name }}" = "schedule" ]; then
DOCKER_IMAGE_VERSION=nightly
elif [[ $GITHUB_REF == refs/tags/* ]]; then
DOCKER_IMAGE_VERSION=${GITHUB_REF#refs/*/v}
TAGS="${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}"
else
DOCKER_IMAGE_VERSION=edge
fi
TAGS="${TAGS},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION}"
echo "tags=${TAGS}" >> $GITHUB_OUTPUT
echo "version=${DOCKER_IMAGE_VERSION}" >> $GITHUB_OUTPUT
echo "ghcr=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> $GITHUB_OUTPUT
echo "images=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1
- name: Login to GitHub Container Registry
if: github.event_name != 'pull_request'
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate meta
id: meta
uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
with:
images: ${{ steps.prep.outputs.images }}
flavor: |
suffix=-bundle,onlatest=true
tags: |
type=semver,pattern=${{ steps.prep.outputs.version }}
type=raw,${{ steps.prep.outputs.version }}
- name: Build artifacts
uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
env:
WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
with:
files: ./docker-bake.hcl
targets: artifact-all
set: |
*.cache-from=type=local,src=/tmp/.image-cache/artifacts
*.cache-to=type=local,dest=/tmp/.image-cache-new/artifacts
- name: Build and push Docker image
uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
env:
WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
with:
files: |
./docker-bake.hcl
${{ steps.meta.outputs.bake-file }}
targets: bundle
push: ${{ github.event_name != 'pull_request' }}
set: |
*.cache-from=type=local,src=/tmp/.image-cache/image
*.cache-to=type=local,dest=/tmp/.image-cache-new/image
- name: Sign image with a key
if: github.event_name != 'pull_request'
env:
TAGS: ${{ steps.meta.outputs.tags }}
COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
run: |
cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}
- name: Check manifest
if: github.event_name != 'pull_request'
run: |
docker buildx imagetools inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
- name: Inspect image
if: github.event_name != 'pull_request'
run: |
docker pull ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
docker image inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
- name: Cosign verify
if: github.event_name != 'pull_request'
run: |
IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
cat cosign.pub
cosign verify --key cosign.pub $IMAGE_NAME
trivy-standalone:
name: Trivy for standalone
uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
needs: publish
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
#actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
with:
scan-type: 'image'
image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
sarif: 'container-standalone.sarif'
trivy-bundle:
name: Trivy for bundle
uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
needs: allinone
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
#actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
with:
scan-type: 'image'
image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
sarif: 'container-bundle.sarif'