name: Reusable workflow to run trivy scan on: workflow_call: inputs: image-name: required: true type: string image-tag: required: false type: string tag-suffix: required: true type: string dockerfile: required: true type: string ref: required: false default: main type: string build-args: required: true type: string build-arch: required: true type: string build-platform: required: true type: string secrets: IS_FORK: required: false env: IMAGE_NAME: ${{ inputs.image-name }} TAG_SUFFIX: ${{ inputs.tag-suffix }} ARCH: ${{ inputs.build-arch }} DOCKERFILE: ${{ inputs.dockerfile }} IS_FORK: ${{ secrets.IS_FORK }} permissions: contents: read jobs: build-publish: name: Build and Publish runs-on: ubuntu-latest permissions: contents: read packages: write id-token: write outputs: image-tag: ${{ steps.container_info.outputs.image-tag }} steps: - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: ref: ${{ inputs.ref }} - name: Setup QEMU uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0 with: platforms: all - name: Setup Docker Buildx uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0 with: version: 'v0.4.2' install: true - name: Setup Go uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0 id: setup-go with: go-version-file: "go.mod" - name: Download Go modules if: ${{ steps.setup-go.outputs.cache-hit != 'true' }} run: go mod download - name: Fetch History shell: bash run: git fetch --prune --unshallow - name: Login to Docker uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0 if: env.IS_FORK != '' with: registry: ghcr.io username: ${{ github.actor }} password: ${{ github.token }} - name: Get docker image tag id: container_info shell: bash env: GITHUB_REF: ${{ github.ref }} run: | # rebuild-image if [ "${{ inputs.image-tag }}" != "" ]; then TAG="${{ inputs.image-tag }}${{ inputs.tag-suffix }}" # main / release-x.y elif [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" =~ refs/heads/release-.* ]]; then TAG=${GITHUB_REF#refs/heads/}${{ inputs.tag-suffix }} # Pull Request else TAG=$(make docker.tag) fi echo "image-tag=${TAG}" >> $GITHUB_OUTPUT - name: Build & Publish Artifacts if: env.IS_FORK != '' shell: bash env: IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }} BUILD_ARGS: ${{ inputs.build-args }} DOCKER_BUILD_ARGS: >- --push --platform ${{ inputs.build-platform }} run: make docker.build - name: Build & Publish Artifacts fork if: env.IS_FORK == '' shell: bash env: IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }} BUILD_ARGS: ${{ inputs.build-args }} DOCKER_BUILD_ARGS: --load run: make docker.build - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # master with: image-ref: ${{ inputs.image-name }}:${{ steps.container_info.outputs.image-tag }} format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' sign: runs-on: ubuntu-latest needs: build-publish permissions: contents: read id-token: write #for keyless sign packages: write #to update packages with added SBOMs. steps: - uses: step-security/harden-runner@0634a2670c59f64b4a01f0f96f84700a4088b9f0 # v2.12.0 with: egress-policy: audit - name: Checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 - name: Sign image if: env.IS_FORK != '' uses: ./.github/actions/sign with: image-name: ${{ inputs.image-name }} image-tag: ${{ needs.build-publish.outputs.image-tag }}