Bump step-security/harden-runner from 1.5.0 to 2.6.0 #1871
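# Copyright 2020 Wayback Archiver. All rights reserved.
# Use of this source code is governed by the GNU GPL v3
# license that can be found in the LICENSE file.
#
# Builds, signs, publishes and scans the project's container images.
# Two images are produced: the standalone image (job `publish`, pushed to
# Docker Hub and GHCR) and the all-in-one bundle (job `allinone`, GHCR only).
# On pull requests the images are only built (no login, push, sign or verify).
name: Docker

on:
  push:
    tags:
      - "v*"
    branches:
      - 'main'
      - 'develop'
    # Edits under .github/** are ignored, except this workflow itself (the
    # leading `!` re-includes the path).
    paths-ignore:
      - "**.md"
      - 'snapcraft.yaml'
      - 'requirements.txt'
      - '.github/**'
      - '!.github/workflows/docker.yml'
      - 'docs/**'
      - 'mkdocs.yml'
  pull_request:
    branches:
      - 'main'
    paths-ignore:
      - "**.md"
      - 'snapcraft.yaml'
      - 'requirements.txt'
      - '.github/**'
      - '!.github/workflows/docker.yml'
      - 'docs/**'
      - 'mkdocs.yml'
  workflow_dispatch:

# Default GITHUB_TOKEN scope for every job; jobs that push images widen it.
permissions:
  contents: read

# New runs to only cancel in-progress runs of the same workflow.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

jobs:
  publish:
    name: Build and push Docker image
    runs-on: ubuntu-latest
    permissions:
      packages: write
      # NOTE(review): the signing step below uses a stored key
      # (`cosign sign --key env://...`), not keyless OIDC, so `id-token: write`
      # appears unused in this job — confirm and drop it to narrow the token.
      id-token: write
    outputs:
      image: ${{ steps.prep.outputs.ghcr }}
      version: ${{ steps.meta.outputs.version }}
    steps:
      # With `egress-policy: block` any outbound connection not listed in
      # allowed-endpoints is refused; extend the list when a step needs a new host.
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
        with:
          egress-policy: block
          disable-telemetry: true
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            api.github.com:443
            pkg-containers.githubusercontent.com:443
            docker.io:443
            auth.docker.io:443
            index.docker.io:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
            dl-cdn.alpinelinux.org:443
            storage.googleapis.com:443
            proxy.golang.org:443
            sum.golang.org:443

      - name: Checkout default branch
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0

      # Signing/verification only happens for pushes, so cosign is not needed on PRs.
      - name: Install Cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
          cosign-release: 'v1.13.1'

      # Derives the image version and registry names from the triggering ref:
      # `nightly` for scheduled runs, the tag minus its leading `v` for tag
      # pushes, `edge` otherwise. The `version`, `images`, `docker` and `ghcr`
      # outputs feed the metadata, bake and verification steps; `tags` is not
      # consumed by any later step.
      - name: Prepare
        id: prep
        run: |
          GHCR_HOST=ghcr.io
          DOCKER_HOST=docker.io
          DOCKER_IMAGE_SCOPE=${{ github.repository }} # foo/bar
          TAGS=""
          # No `schedule` trigger is configured in `on:` above, so the nightly
          # branch is currently unreachable; kept for when one is added.
          if [ "${{ github.event_name }}" = "schedule" ]; then
            DOCKER_IMAGE_VERSION=nightly
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
            DOCKER_IMAGE_VERSION=${GITHUB_REF#refs/*/v}
            TAGS="${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}:latest,${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:latest"
          else
            DOCKER_IMAGE_VERSION=edge
          fi
          TAGS="${TAGS},${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION}"
          # Drop the leading comma left behind when no `latest` tags were added.
          TAGS="${TAGS#,}"
          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
          echo "version=${DOCKER_IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
          echo "docker=${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE}" >> "$GITHUB_OUTPUT"
          echo "ghcr=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> "$GITHUB_OUTPUT"
          echo "images=${DOCKER_HOST}/${DOCKER_IMAGE_SCOPE},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1

      - name: Login to Docker Hub
        if: github.event_name != 'pull_request'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          username: ${{ vars.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Produces the tag list and the bake file consumed by the push step below.
      - name: Generate meta
        id: meta
        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
        with:
          images: ${{ steps.prep.outputs.images }}
          tags: |
            type=semver,pattern=${{ steps.prep.outputs.version }}
            type=raw,${{ steps.prep.outputs.version }}

      - name: Build artifacts
        uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
        env:
          WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
        with:
          files: ./docker-bake.hcl
          targets: artifact-all
          set: |
            *.cache-from=type=local,src=/tmp/.image-cache/artifacts
            *.cache-to=type=local,dest=/tmp/.image-cache-new/artifacts

      # Pushes only on non-PR events; PRs still exercise the full build.
      - name: Build and push Docker image
        uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
        env:
          WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}
          targets: release
          push: ${{ github.event_name != 'pull_request' }}
          set: |
            *.cache-from=type=local,src=/tmp/.image-cache/image
            *.cache-to=type=local,dest=/tmp/.image-cache-new/image

      # Signs every tag emitted by the metadata step with the repository's
      # private key; the key and passphrase never touch the command line.
      - name: Sign image with a key
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
          # The repository secret is spelled this way; rename it in both places
          # if the spelling is ever corrected.
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}

      - name: Check manifest
        if: github.event_name != 'pull_request'
        run: |
          docker buildx imagetools inspect ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
          docker buildx imagetools inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}

      - name: Inspect image
        if: github.event_name != 'pull_request'
        run: |
          docker pull ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ steps.prep.outputs.docker }}:${{ steps.meta.outputs.version }}
          docker pull ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}

      # Verifies the pushed GHCR image against the cosign.pub in the checked-out tree.
      - name: Cosign verify
        if: github.event_name != 'pull_request'
        run: |
          IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
          cat cosign.pub
          cosign verify --key cosign.pub $IMAGE_NAME

  allinone:
    name: AllInOne Docker image
    runs-on: ubuntu-latest
    permissions:
      packages: write
      # NOTE(review): as in `publish`, signing is key-based, so `id-token: write`
      # appears unused here — confirm and drop it to narrow the token.
      id-token: write
    outputs:
      image: ${{ steps.prep.outputs.ghcr }}
      version: ${{ steps.meta.outputs.version }}
    steps:
      # Same egress allow-list as `publish` minus index.docker.io; this job only
      # logs in to and pushes to GHCR.
      - name: Harden Runner
        uses: step-security/harden-runner@1b05615854632b887b69ae1be8cbefe72d3ae423 # v2.6.0
        with:
          egress-policy: block
          disable-telemetry: true
          allowed-endpoints: >
            ghcr.io:443
            github.com:443
            api.github.com:443
            docker.io:443
            pkg-containers.githubusercontent.com:443
            auth.docker.io:443
            registry-1.docker.io:443
            production.cloudflare.docker.com:443
            dl-cdn.alpinelinux.org:443
            storage.googleapis.com:443
            proxy.golang.org:443
            sum.golang.org:443

      - name: Checkout default branch
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
        with:
          fetch-depth: 0

      - name: Install Cosign
        if: github.event_name != 'pull_request'
        uses: sigstore/cosign-installer@9becc617647dfa20ae7b1151972e9b3a2c338a2b # v2.8.1
        with:
          cosign-release: 'v1.13.1'

      # GHCR-only variant of the `publish` job's Prepare step; see that step
      # for how `version` is derived. `tags` is not consumed by any later step.
      - name: Prepare
        id: prep
        run: |
          GHCR_HOST=ghcr.io
          DOCKER_IMAGE_SCOPE=${{ github.repository }} # foo/bar
          TAGS=""
          # No `schedule` trigger is configured in `on:` above, so the nightly
          # branch is currently unreachable; kept for when one is added.
          if [ "${{ github.event_name }}" = "schedule" ]; then
            DOCKER_IMAGE_VERSION=nightly
          elif [[ $GITHUB_REF == refs/tags/* ]]; then
            DOCKER_IMAGE_VERSION=${GITHUB_REF#refs/*/v}
            # NOTE(review): unlike `publish` this entry carries no `:latest` tag;
            # harmless today because the `tags` output is unused.
            TAGS="${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}"
          else
            DOCKER_IMAGE_VERSION=edge
          fi
          TAGS="${TAGS},${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}:${DOCKER_IMAGE_VERSION}"
          # Drop the leading comma left behind when the tag branch was not taken.
          TAGS="${TAGS#,}"
          echo "tags=${TAGS}" >> "$GITHUB_OUTPUT"
          echo "version=${DOCKER_IMAGE_VERSION}" >> "$GITHUB_OUTPUT"
          echo "ghcr=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> "$GITHUB_OUTPUT"
          echo "images=${GHCR_HOST}/${DOCKER_IMAGE_SCOPE}" >> "$GITHUB_OUTPUT"

      - name: Set up QEMU
        uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1

      - name: Login to GitHub Container Registry
        if: github.event_name != 'pull_request'
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.1.0
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # The `-bundle` suffix distinguishes these tags from the standalone image.
      - name: Generate meta
        id: meta
        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
        with:
          images: ${{ steps.prep.outputs.images }}
          flavor: |
            suffix=-bundle,onlatest=true
          tags: |
            type=semver,pattern=${{ steps.prep.outputs.version }}
            type=raw,${{ steps.prep.outputs.version }}

      - name: Build artifacts
        uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
        env:
          WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
        with:
          files: ./docker-bake.hcl
          targets: artifact-all
          set: |
            *.cache-from=type=local,src=/tmp/.image-cache/artifacts
            *.cache-to=type=local,dest=/tmp/.image-cache-new/artifacts

      - name: Build and push Docker image
        uses: docker/bake-action@6c87dcca988e4e074e3ab1f976a70f63ec9673fb # v2.3.0
        env:
          WAYBACK_IPFS_APIKEY: ${{ secrets.WAYBACK_IPFS_APIKEY }}
        with:
          files: |
            ./docker-bake.hcl
            ${{ steps.meta.outputs.bake-file }}
          targets: bundle
          push: ${{ github.event_name != 'pull_request' }}
          set: |
            *.cache-from=type=local,src=/tmp/.image-cache/image
            *.cache-to=type=local,dest=/tmp/.image-cache-new/image

      - name: Sign image with a key
        if: github.event_name != 'pull_request'
        env:
          TAGS: ${{ steps.meta.outputs.tags }}
          COSIGN_PRIVATE_KEY: ${{secrets.COSIGN_PRIVATE_KEY}}
          # The repository secret is spelled this way; rename it in both places
          # if the spelling is ever corrected.
          COSIGN_PASSWORD: ${{secrets.COSIGN_PASSPHARSE}}
        run: |
          cosign sign --key env://COSIGN_PRIVATE_KEY ${TAGS}

      - name: Check manifest
        if: github.event_name != 'pull_request'
        run: |
          docker buildx imagetools inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}

      - name: Inspect image
        if: github.event_name != 'pull_request'
        run: |
          docker pull ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
          docker image inspect ${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}

      - name: Cosign verify
        if: github.event_name != 'pull_request'
        run: |
          IMAGE_NAME=${{ steps.prep.outputs.ghcr }}:${{ steps.meta.outputs.version }}
          cat cosign.pub
          cosign verify --key cosign.pub $IMAGE_NAME

  # Vulnerability scan of the standalone image just pushed by `publish`.
  # NOTE(review): every action above is pinned to a commit SHA, but this
  # reusable workflow floats on `main`; pin it to a SHA to match.
  trivy-standalone:
    name: Trivy for standalone
    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
    needs: publish
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    with:
      scan-type: 'image'
      image-ref: '${{ needs.publish.outputs.image }}:${{ needs.publish.outputs.version }}'
      sarif: 'container-standalone.sarif'

  # Vulnerability scan of the bundle image just pushed by `allinone`.
  # NOTE(review): same unpinned `@main` reference as `trivy-standalone`.
  trivy-bundle:
    name: Trivy for bundle
    uses: wabarc/.github/.github/workflows/reusable-trivy.yml@main
    needs: allinone
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      #actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    with:
      scan-type: 'image'
      image-ref: '${{ needs.allinone.outputs.image }}:${{ needs.allinone.outputs.version }}'
      sarif: 'container-bundle.sarif'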