diff --git a/.github/workflows/image-publish.yml b/.github/workflows/image-publish.yml
index b2e15832..1461c197 100644
--- a/.github/workflows/image-publish.yml
+++ b/.github/workflows/image-publish.yml
@@ -1,7 +1,7 @@ name: Publish Docker Image on: schedule: - # Once weekly on fridays at noon + # Once weekly on Fridays at noon - cron: "00 12 * * 5" workflow_dispatch:
@@ -20,25 +20,25 @@ jobs: IMAGE_NAME: ${{ github.repository }} steps: - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4 + uses: actions/checkout@v4 - name: Set up QEMU for cross-platform builds - uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 + uses: docker/setup-qemu-action@v3 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 + uses: docker/setup-buildx-action@v3 - name: Compute version number id: version-string run: | DATE="$(date +%Y%m%d)" COMMIT="$(git rev-parse --short HEAD)" - echo "tag=0.$DATE.$GITHUB_RUN_NUMBER+ref.$COMMIT" >> "$GITHUB_OUTPUT" + echo "tag=0.$DATE.$GITHUB_RUN_NUMBER-ref.$COMMIT" >> "$GITHUB_OUTPUT" - name: Login to GHCR - uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 + uses: docker/login-action@v3 with: registry: ghcr.io username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Set container metadata - uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5 + uses: docker/metadata-action@v5 id: docker-metadata with: images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} 
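Review bot: The `uses:` lines in this hunk replace commit-SHA pins (`actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4` → `actions/checkout@v4`, and likewise for `setup-qemu-action`, `setup-buildx-action`, `login-action` and `metadata-action`) with mutable version tags; a tag can be moved by the upstream maintainer or by whoever gains control of that repository, so the job would silently run different code than the version that was reviewed. The same change is made to `docker/build-push-action` in the next hunk, while `aquasecurity/trivy-action` and `sigstore/cosign-installer` keep their SHA pins, so the file is now inconsistent about its own policy. Keeping the `<full-sha> # vN` form preserves the pin while the comment stays human-readable, and Dependabot/Renovate can bump both together. The separate change in `Compute version number` from `+ref.` to `-ref.` looks correct, since `+` is not a valid character in an OCI image tag; a one-line comment such as `# '-' not '+': OCI tags allow only [A-Za-z0-9_.-]` would stop someone reverting it.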
@@ -73,15 +73,13 @@ jobs: run: | git lfs install git lfs pull - - name: Build image + - name: Build and Push Image id: image-build - uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v5 + uses: docker/build-push-action@v5 with: - github-token: ${{ github.token }} context: . platforms: linux/amd64,linux/arm64 push: true - file: ./Dockerfile tags: ${{ steps.docker-metadata.outputs.tags }} labels: ${{ steps.docker-metadata.outputs.labels }} cache-from: type=gha
@@ -90,15 +88,30 @@ jobs: gh_token=${{ secrets.GH_CI_TOKEN }} build-args: | LATEST_COMMIT_SHA=${{ env.LATEST_COMMIT_SHA }} - - name: Install cosign - if: github.event_name != 'pull_request' - uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + - name: Capture Image Digest + id: image-digest + run: | + echo "digest=$(docker inspect --format='{{index .RepoDigests 0}}' ghcr.io/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }})" >> "$GITHUB_OUTPUT" - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # v0.29.0 with: - image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ steps.version-string.outputs.tag }}' + image-ref: '${{ steps.image-digest.outputs.digest }}' format: 'table' exit-code: '1' ignore-unfixed: true vuln-type: 'os,library' severity: 'CRITICAL,HIGH' + - name: Install cosign + if: github.event_name != 'pull_request' + uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0 + - name: Sign the images with GitHub OIDC Token + env: + DIGEST: ${{ steps.image-build.outputs.digest }} + TAGS: ${{ steps.docker-metadata.outputs.tags }} + run: | + images="" + for tag in ${TAGS}; do + images+="${tag}@${DIGEST} " + done + cosign sign --yes ${images} +
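Review bot: The new `Capture Image Digest` step reads the digest with `docker inspect` on the locally tagged image, but the preceding build step pushes a two-platform image (`platforms: linux/amd64,linux/arm64`, `push: true`) through Buildx, which with a docker-container builder does not load the result into the local daemon, so `RepoDigests` is likely empty and the step either fails or writes a bare `digest=` that Trivy then cannot resolve. The build step already exposes the pushed manifest digest, and the new signing step consumes it as `steps.image-build.outputs.digest`; Trivy can take the same value, `image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.image-build.outputs.digest }}'`, which removes the extra shell step and the `${{ }}` interpolation inside `run:`. Separately, because the scan now runs after `push: true`, a `CRITICAL`/`HIGH` finding (`exit-code: '1'`) stops the job after the tags are already public but before cosign signs them, leaving unsigned published tags; if that is the intended trade-off, a comment on the Trivy step saying so would help a future reader, otherwise scan before publishing. The `Sign the images with GitHub OIDC Token` step also lacks the `if: github.event_name != 'pull_request'` guard that its `Install cosign` step carries; the triggers visible in the first hunk are only `schedule` and `workflow_dispatch`, so this is moot today, but the two steps should agree.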