logic855
/
helm-external-secrets
mirror da https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169
							name: Reusable workflow to run trivy scan

on:
  workflow_call:
    inputs:
      image-name:
        required: true
        type: string
      image-tag:
        required: false
        type: string
      tag-suffix:
        required: true
        type: string
      dockerfile:
        required: true
        type: string
      ref:
        required: false
        default: main
        type: string
      build-args:
        required: true
        type: string
      build-arch:
        required: true
        type: string
      build-platform:
        required: true
        type: string
      username:
        required: true
        type: string
    secrets:
      GHCR_TOKEN:
        required: true
      IS_FORK:
        required: false

env:
  IMAGE_NAME: ${{ inputs.image-name }}
  TAG_SUFFIX: ${{ inputs.tag-suffix }}
  ARCH: ${{ inputs.build-arch }}
  DOCKERFILE: ${{ inputs.dockerfile }}
  IS_FORK: ${{ secrets.IS_FORK }}

jobs:
  build-publish:
    name: Build and Publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    outputs:
      image-tag: ${{ steps.container_info.outputs.image-tag }}
    steps:
      - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
        with:
          ref: ${{ inputs.ref }}

      - name: Setup QEMU
        uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
        with:
          platforms: all

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@b5ca514318bd6ebac0fb2aedd5d36ec1b5c232a2 # v3.10.0
        with:
          version: 'v0.4.2'
          install: true

      - name: Setup Go
        uses: actions/setup-go@0aaccfd150d50ccaeb58ebd88d36e91967a5f35b # v5.4.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        if: ${{ steps.setup-go.outputs.cache-hit != 'true' }}
        run: go mod download

      - name: Fetch History
        shell: bash
        run: git fetch --prune --unshallow

      - name: Login to Docker
        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
        if: env.IS_FORK != ''
        with:
          registry: ghcr.io
          username: ${{ inputs.username }}
          password: ${{ secrets.GHCR_TOKEN }}

      - name: Get docker image tag
        id: container_info
        shell: bash
        env:
          GITHUB_REF: ${{ github.ref }}
        run: |
          # rebuild-image
          if [ "${{ inputs.image-tag }}" != "" ]; then
            TAG="${{ inputs.image-tag }}${{ inputs.tag-suffix }}"
          # main / release-x.y
          elif [[ "$GITHUB_REF" == "refs/heads/main" || "$GITHUB_REF" =~ refs/heads/release-.*  ]]; then
            TAG=${GITHUB_REF#refs/heads/}${{ inputs.tag-suffix }}
          # Pull Request
          else
            TAG=$(make docker.tag)
          fi
          echo "image-tag=${TAG}" >> $GITHUB_OUTPUT

      - name: Build & Publish Artifacts
        if: env.IS_FORK != ''
        shell: bash
        env:
          IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
          BUILD_ARGS: ${{ inputs.build-args }}
          DOCKER_BUILD_ARGS: >-
            --push
            --platform ${{ inputs.build-platform }}
        run: make docker.build

      - name: Build & Publish Artifacts fork
        if: env.IS_FORK == ''
        shell: bash
        env:
          IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
          BUILD_ARGS: ${{ inputs.build-args }}
          DOCKER_BUILD_ARGS: --load
        run: make docker.build

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@6c175e9c4083a92bbca2f9724c8a5e33bc2d97a5 # master
        with:
          image-ref: ${{ inputs.image-name }}:${{ steps.container_info.outputs.image-tag }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  sign:
    runs-on: ubuntu-latest
    needs: build-publish
    permissions:
      contents: read
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.
    steps:
      - uses: step-security/harden-runner@c6295a65d1254861815972266d5933fd6e532bdf # v2.11.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Sign image
        if: env.IS_FORK != ''
        uses: ./.github/actions/sign
        with:
          image-name: ${{ inputs.image-name }}
          image-tag: ${{ needs.build-publish.outputs.image-tag }}
          GHCR_USERNAME: ${{ inputs.username }}
          GHCR_TOKEN: ${{ secrets.GHCR_TOKEN }}
          GITHUB_TOKEN: ${{ secrets.GHCR_TOKEN }}