simplify makefile/build, update scan #3
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and Deploy | |
| on: | |
| push: | |
| branches: ["master"] | |
| # Publish semver tags as releases. | |
| tags: [ "v*.*.*" ] | |
| pull_request: | |
| branches: ["master"] | |
| release: | |
| types: ["created"] | |
| workflow_dispatch: | |
| inputs: {} | |
| env: | |
| TARGET: linux/amd64 | |
| BUILD_FLAGS: --no-cache | |
| jobs: | |
| build: | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Build the Docker images | |
| run: make images | |
| scan: | |
| needs: [ "build" ] | |
| runs-on: ubuntu-22.04 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Build the Docker image for Trivy | |
| env: | |
| # amd build so that local 'docker images' can access images | |
| TARGET: linux/amd64 | |
| BUILD_FLAGS: --load --no-cache | |
| run: make images | |
| - name: Run Trivy Vulnerability Scanner for Root Image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'k8s-wait-for:latest' | |
| exit-code: 1 | |
| format: 'sarif' | |
| output: 'trivy-results-root.sarif' | |
| skip-files: /usr/local/bin/kubectl | |
| - name: Run Trivy Vulnerability Scanner for Non-Root Image | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: 'k8s-wait-for:no-root-latest' | |
| exit-code: 1 | |
| format: 'sarif' | |
| output: 'trivy-results-non-root.sarif' | |
| skip-files: /usr/local/bin/kubectl | |
| # just upload root scan results | |
| - name: Upload Trivy Scan Results to GitHub Security Tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: 'trivy-results-root.sarif' | |
| deploy: | |
| needs: [ "scan" ] | |
| runs-on: ubuntu-22.04 | |
| if: github.event_name == 'release' && github.event.action == 'created' | |
| steps: | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v2 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v2 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GHCR_TOKEN }} | |
| - uses: actions/checkout@v4 | |
| with: | |
| # Need tags for Makefile logic to work | |
| fetch-depth: 0 | |
| - name: Build and Push Docker Images | |
| run: make push |