Update untar.sh #63
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and push lecture5 image | |
on: | |
push: | |
branches: | |
- main | |
- features/lecture5-2 | |
- features/tarball | |
pull_request: | |
env: | |
REGISTRY: ghcr.io | |
IMAGE_NAME: austriandatalab/multi-stage-step2 | |
jobs: | |
build-and-push-image: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: write | |
packages: write | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
- name: Login to the Container registry | |
uses: docker/login-action@f054a8b539a109f9f41c372932f1ae047eff08c9 | |
with: | |
registry: ${{ env.REGISTRY }} | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@98669ae865ea3cffbcbaa878cf57c20bbf1c6c38 | |
with: | |
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=tag | |
type=ref,event=pr | |
type=match,pattern=\d.\d.\d.* | |
type=sha | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v1 | |
- name: Generate certs | |
run: | | |
chmod +x scripts/generate_certs.sh | |
source scripts/generate_certs.sh | |
docker build --tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} -f Dockerfile5 . | |
#docker buildx build \ | |
#--tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }} \ | |
#--platform linux/amd64,linux/arm64 -f Dockerfile5 . --push | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@0.18.0 | |
with: | |
image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
#exit-code: '1' | |
#ignore-unfixed: true | |
#vuln-type: 'os,library' | |
#severity: 'CRITICAL,HIGH' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
if: always() | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Scan the image and upload dependency results | |
uses: anchore/sbom-action@bb716408e75840bbb01e839347cd213767269d4a | |
with: | |
image: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' | |
artifact-name: image.spdx.json | |
dependency-snapshot: true | |
# env: | |
# # This is where you will need to introduce the Snyk API token created with your Snyk account | |
# SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }} | |
# - name: Snyk Container monitor | |
# run: snyk container monitor '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.sha }}' --file=Dockerfile2 | |
# # Push the Snyk Code results into GitHub Code Scanning tab | |
# - name: Upload result to GitHub Code Scanning | |
# uses: github/codeql-action/upload-sarif@v2 | |
# with: | |
# sarif_file: snyk-code.sarif | |
# - name: Build and push Docker image | |
# uses: docker/build-push-action@ad44023a93711e3deb337508980b4b5e9bcdc5dc | |
# with: | |
# context: . | |
# push: true | |
# tags: ${{ steps.meta.outputs.tags }} | |
# labels: ${{ steps.meta.outputs.labels }} |