Skip to content

Build action

Build action #174

Workflow file for this run

name: Build action
# on:
# push:
# branches:
# - main
on:
workflow_dispatch:
push:
branches:
- main
schedule:
- cron: '15 3 * * *' # every day at 03:15 (just wanted to avoid midnight)
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
name: Build image
runs-on: ubuntu-latest
# https://docs.github.com/en/actions/reference/authentication-in-a-workflow
permissions:
id-token: write
packages: write
contents: read
security-events: write
steps:
- name: Generate snapshot date
id: snapshot-date
run: |
echo ::set-output name=date::$(date -u +%Y%m%d)
echo ::set-output name=epoch::$(date -u +%s)
shell: bash
- uses: actions/checkout@main
- uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
- uses: sigstore/cosign-installer@main
- uses: chainguard-dev/actions/setup-melange@main
- uses: chainguard-dev/actions/melange-keygen@main
- name: Build hello package
uses: chainguard-dev/actions/melange-build-pkg@main
with:
config: hello.melange.yaml
sign-with-key: true
signing-key-path: ${{ github.workspace }}/melange.rsa
archs: x86_64,amd64
# - uses: chainguard-images/actions/apko-publish@6e9cfac3c961818d9c5ce339a9c559cc0c2e5464
- uses: distroless/actions/apko-publish@main
id: apko
with:
config: latest.apko.yaml
tag: ghcr.io/${{ github.repository }}:latest
keyring-append: ${{ github.workspace }}/melange.rsa.pub
source-date-epoch: ${{ steps.snapshot-date.outputs.epoch }}
- uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ github.token }}
- shell: bash
run: |
docker images
COSIGN_EXPERIMENTAL=true cosign sign ${{ steps.apko.outputs.digest }} --yes
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: ${{ steps.apko.outputs.digest }}
exit-code: '1'
ignore-unfixed: true
vuln-type: 'os,library'
severity: 'CRITICAL,HIGH'
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'