logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174
							name: Reusable workflow to run trivy scan

on:
  workflow_call:
    inputs:
      image-name:
        required: true
        type: string
      image-tag:
        required: false
        type: string
      tag-suffix:
        required: true
        type: string
      dockerfile:
        required: true
        type: string
      ref:
        required: false
        default: main
        type: string
      build-args:
        required: true
        type: string
      build-arch:
        required: true
        type: string
      build-platform:
        required: true
        type: string
    secrets:
      IS_FORK:
        required: false

env:
  IMAGE_NAME: ${{ inputs.image-name }}
  TAG_SUFFIX: ${{ inputs.tag-suffix }}
  ARCH: ${{ inputs.build-arch }}
  DOCKERFILE: ${{ inputs.dockerfile }}
  IS_FORK: ${{ secrets.IS_FORK }}

permissions:
  contents: read

jobs:
  build-publish:
    name: Build and Publish
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write
      id-token: write
    outputs:
      image-tag: ${{ steps.container_info.outputs.image-tag }}
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          ref: ${{ inputs.ref }}
          persist-credentials: false

      - name: Setup QEMU
        uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0
        with:
          platforms: all

      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0

      - name: Setup Go
        uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6.4.0
        id: setup-go
        with:
          go-version-file: "go.mod"

      - name: Download Go modules
        run: go mod download

      - name: Fetch History
        shell: bash
        run: git fetch --prune --unshallow

      - name: Login to Docker
        uses: docker/login-action@4907a6ddec9925e35a0a9e82d7399ccc52663121 # v4.1.0
        if: env.IS_FORK != ''
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ github.token }}

      - name: Get docker image tag
        id: container_info
        shell: bash
        env:
          GITHUB_REF: ${{ github.ref }}
          INPUT_IMAGE_TAG: ${{ inputs.image-tag }}
          INPUT_TAG_SUFFIX: ${{ inputs.tag-suffix }}
        run: |
          # rebuild-image
          if [ "$INPUT_IMAGE_TAG" != "" ]; then
            TAG="${INPUT_IMAGE_TAG}${INPUT_TAG_SUFFIX}"
          # main
          elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then
            TAG=${GITHUB_REF#refs/heads/}${INPUT_TAG_SUFFIX}
          # Pull Request
          else
            TAG=$(make docker.tag)
          fi
          echo "image-tag=${TAG}" >> $GITHUB_OUTPUT

      - name: Build & Publish Artifacts
        if: env.IS_FORK != ''
        shell: bash
        env:
          IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
          BUILD_ARGS: ${{ inputs.build-args }}
          DOCKER_BUILD_ARGS: >-
            --no-cache
            --push
            --platform ${{ inputs.build-platform }}
        run: make docker.build

      - name: Build & Publish Artifacts fork
        if: env.IS_FORK == ''
        shell: bash
        env:
          IMAGE_TAG: ${{ steps.container_info.outputs.image-tag }}
          BUILD_ARGS: ${{ inputs.build-args }}
          DOCKER_BUILD_ARGS: --no-cache --load
        run: make docker.build
      # images are large to the point trivy fails due to no space on disk left
      # This is a silly attempt to clean up space for trivy to run more
      # consistently
      - name: Cleanup unused cache
        shell: bash
        run: |
          docker system prune --force
          go clean -cache
          go clean -modcache
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # master
        with:
          image-ref: ${{ inputs.image-name }}:${{ steps.container_info.outputs.image-tag }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  sign:
    runs-on: ubuntu-latest
    needs: build-publish
    permissions:
      contents: read
      id-token: write #for keyless sign
      packages: write #to update packages with added SBOMs.
    steps:
      - uses: step-security/harden-runner@fe104658747b27e96e4f7e80cd0a94068e53901d # v2.16.1
        with:
          egress-policy: audit
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          persist-credentials: false
      - name: Sign image
        if: env.IS_FORK != ''
        uses: ./.github/actions/sign
        with:
          image-name: ${{ inputs.image-name }}
          image-tag: ${{ needs.build-publish.outputs.image-tag }}