Fix trivy fleetctl workflow #23643

Merged
merged 2 commits into from
Nov 12, 2024
20 changes: 19 additions & 1 deletion .github/workflows/build-and-check-fleetctl-docker-and-deps.yml
Expand Up @@ -15,6 +15,10 @@ defaults:
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
shell: bash

env:
AWS_REGION: us-east-2
AWS_IAM_ROLE: arn:aws:iam::160035666661:role/github-actions-role

permissions:
contents: read
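Review bot: the new workflow-level `env` block gives no hint of why this workflow now needs AWS at all; add a one-line comment above `AWS_IAM_ROLE` stating that the role is assumed only so the Trivy steps can pull the vulnerability databases from ECR Public, so the next reader does not assume the job pushes anything to AWS. Pinning the full role ARN here is fine (the account id is not a secret), but a repository variable would let the value change without a workflow edit.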

Expand All @@ -23,7 +27,7 @@ jobs:
runs-on: ubuntu-22.04
environment: Docker Hub
permissions:
contents: write
id-token: write # for aws-actions/configure-aws-credentials
Comment on lines -26 to +30

Contributor

guessing this is ok since the workflow passed, but confirming contents: write wasn't needed here?

Member Author

Yeah, probably a copy-paste residue when I created the workflow.

steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
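Review bot: a job-level `permissions:` block replaces the workflow-level one rather than extending it, so with only `id-token: write` listed the job's `GITHUB_TOKEN` now has `contents: none`, not the `contents: read` declared at the top of the file. Checkout and the Docker Hub pushes evidently still work (checkout of a public repository does not need the token), but adding `contents: read` next to `id-token: write` makes the job's needs explicit and stops it depending on the repository being public.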
Expand All @@ -33,6 +37,11 @@ jobs:
- name: Checkout
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

- uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
role-to-assume: ${{env.AWS_IAM_ROLE}}
aws-region: ${{ env.AWS_REGION }}

- name: Login to Docker Hub
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
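Review bot: the added `aws-actions/configure-aws-credentials` step is the only step in this job without a `name:`, so it shows up in the run log as the raw action reference; give it one such as `- name: Assume AWS role for Trivy DB access`. Minor style point in the same step: `${{env.AWS_IAM_ROLE}}` and `${{ env.AWS_REGION }}` use different spacing inside the expression braces; pick one form.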
Expand All @@ -58,6 +67,9 @@ jobs:

- name: Run Trivy vulnerability scanner on fleetdm/wix
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: "fleetdm/wix"
format: "table"
Expand All @@ -68,6 +80,9 @@ jobs:

- name: Run Trivy vulnerability scanner on fleetdm/bomutils
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: "fleetdm/bomutils"
format: "table"
Expand All @@ -78,6 +93,9 @@ jobs:

- name: Run Trivy vulnerability scanner on fleetdm/fleetctl
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
env:
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
with:
image-ref: "fleetdm/fleetctl"
format: "table"