Image Scan #2215
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Image Scan | |
on: | |
schedule: | |
# everyday at midnight. | |
- cron: '0 0 * * *' | |
workflow_dispatch: {} | |
push: | |
# TODO: add this once we have all images in the metadata.yaml | |
# paths: | |
# - '**/metadata.yaml' | |
branches: | |
- main | |
paths-ignore: | |
- '.claude/**' | |
permissions: | |
security-events: write | |
jobs: | |
build-deps: | |
outputs: | |
local-artifact-mirror-image: ${{ steps.local-artifact-mirror.outputs.image }} | |
operator-image: ${{ steps.operator.outputs.image }} | |
operator-chart: ${{ steps.operator.outputs.chart }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v5 | |
with: | |
fetch-depth: 0 # fetch all history so that we can get the previous tag | |
- name: Install dagger | |
run: | | |
curl -fsSL https://dl.dagger.io/dagger/install.sh | sh | |
sudo mv ./bin/dagger /usr/local/bin/dagger | |
- name: Build and push local-artifact-mirror image | |
id: local-artifact-mirror | |
run: | | |
make -C local-artifact-mirror build-ttl.sh | |
echo "image=$(cat local-artifact-mirror/build/image)" >> $GITHUB_OUTPUT | |
- name: Build and push operator image | |
id: operator | |
run: | | |
make -C operator build-ttl.sh build-chart-ttl.sh | |
echo "image=$(cat operator/build/image)" >> $GITHUB_OUTPUT | |
echo "chart=$(cat operator/build/chart)" >> $GITHUB_OUTPUT | |
buildtools: | |
name: Build buildtools | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v5 | |
- name: Setup go | |
uses: actions/setup-go@v6 | |
with: | |
go-version-file: go.mod | |
cache-dependency-path: "**/*.sum" | |
- name: Compile buildtools | |
run: | | |
make buildtools | |
- name: Upload buildtools artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: buildtools | |
path: output/bin/buildtools | |
output-matrix: | |
runs-on: ubuntu-latest | |
needs: | |
- build-deps | |
- buildtools | |
outputs: | |
matrix: ${{ steps.build-matrix.outputs.matrix }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v5 | |
- name: Setup go | |
uses: actions/setup-go@v6 | |
with: | |
go-version-file: go.mod | |
cache-dependency-path: "**/*.sum" | |
- name: Download buildtools artifact | |
uses: actions/download-artifact@v5 | |
with: | |
name: buildtools | |
path: output/bin | |
- name: Compile buildtools | |
run: | | |
make buildtools | |
- name: Update embedded-cluster-operator metadata.yaml | |
env: | |
IMAGES_REGISTRY_SERVER: ttl.sh | |
OPERATOR_CHART: ${{ needs.build-deps.outputs.operator-chart }} | |
OPERATOR_IMAGE: ${{ needs.build-deps.outputs.operator-image }} | |
run: | | |
./scripts/ci-update-operator-metadata.sh | |
- name: Build | |
run: | | |
export LOCAL_ARTIFACT_MIRROR_IMAGE=${{ needs.build-deps.outputs.local-artifact-mirror-image }} | |
make embedded-cluster-linux-amd64 | |
- name: List images | |
run: | | |
./output/bin/embedded-cluster version list-images > images.txt | |
- name: Upload images artifact | |
uses: actions/upload-artifact@v4 | |
with: | |
name: images | |
path: images.txt | |
- name: Build images matrix | |
id: build-matrix | |
run: | | |
IMAGES="[$(awk '{print $1}' images.txt | xargs -n1 | awk '{print "\""$1"\","}' | sed '$ s/.$//')]" | |
echo "matrix=$(jq -cn --argjson images "$IMAGES" '{image: $images}')" >> $GITHUB_OUTPUT | |
scan: | |
runs-on: ubuntu-latest | |
needs: [output-matrix] | |
strategy: | |
fail-fast: false | |
matrix: ${{fromJson(needs.output-matrix.outputs.matrix)}} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v5 | |
- uses: ./.github/actions/scan-image | |
with: | |
image-ref: '${{ matrix.image }}' | |
upload-sarif: ${{ github.ref == 'refs/heads/main' }} | |
# TODO: set this to true once we are fully using securebuild images | |
fail-build: 'false' | |
severity-cutoff: 'medium' | |
output-file: 'results.sarif' | |
retention-days: '90' | |
category-prefix: 'image-scan-' | |
only-fixed: 'true' |