Bump actions/dependency-review-action from 3.0.6 to 3.0.7 (#152) #375

Summary
Jobs
- Build Image
Run details
- Usage
- Workflow file

Workflow file for this run

	name: CI

	on:
	push:
	branches:
	- main
	tags:
	- "v[0-9]+.[0-9]+.[0-9]+"
	pull_request:
	branches:
	- main

	env:
	platforms: "linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"

	concurrency:
	group: ${{ github.ref_name }}-ci
	cancel-in-progress: true

	permissions:
	contents: read

	jobs:
	build:
	name: Build Image
	runs-on: ubuntu-22.04
	permissions:
	contents: write # for lucacome/draft-release to create a draft release
	security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
	packages: write # for docker/build-push-action to push to GHCR
	steps:
	- name: Checkout Repository
	uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3

	- name: DockerHub Login
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	username: ${{ secrets.DOCKER_USERNAME }}
	password: ${{ secrets.DOCKER_PASSWORD }}
	if: github.event_name != 'pull_request'

	- name: Login to GitHub Container Registry
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	registry: ghcr.io
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Login to Quay.io
	uses: docker/login-action@465a07811f14bebb1938fbed4728c6a1ff8901fc # v2.2.0
	with:
	registry: quay.io
	username: ${{ secrets.QUAY_USERNAME }}
	password: ${{ secrets.QUAY_ROBOT_TOKEN }}
	if: github.event_name != 'pull_request'

	- name: Setup QEMU
	uses: docker/setup-qemu-action@2b82ce82d56a2a04d2637cd93a637ae1b359c0a7 # v2.2.0
	with:
	platforms: arm64,ppc64le,s390x
	if: github.event_name != 'pull_request'

	- name: Docker Buildx
	uses: docker/setup-buildx-action@4c0219f9ac95b02789c1075625400b2acbff50b1 # v2.9.1

	- name: Output Variables
	id: vars
	run: \|
	echo "version=$(git describe --tags)" >> $GITHUB_OUTPUT
	echo "chart_version=$(yq '.appVersion' <helm-charts/nginx-ingress/Chart.yaml)" >> $GITHUB_OUTPUT
	echo "openshift_version=$(yq '.annotations["com.redhat.openshift.versions"]' <bundle/metadata/annotations.yaml \| cut -dv -f2)" >> $GITHUB_OUTPUT

	- name: Docker meta
	id: meta
	uses: docker/metadata-action@818d4b7b91585d195f67373fd9cb0332e31a7175 # v4.6.0
	with:
	images: \|
	nginx/nginx-ingress-operator
	ghcr.io/nginxinc/nginx-ingress-operator
	quay.io/nginx/nginx-ingress-operator
	tags: \|
	type=edge
	type=ref,event=pr
	type=semver,pattern={{version}}
	labels: \|
	org.opencontainers.image.documentation=https://docs.nginx.com/nginx-ingress-controller
	org.opencontainers.image.vendor=NGINX Inc <kubernetes@nginx.com>
	name="NGINX Ingress Operator"
	maintainer="kubernetes@nginx.com"
	vendor="NGINX Inc"
	version=${{ steps.vars.outputs.version }}
	release=1
	summary="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"
	description="The NGINX Ingress Operator is a Kubernetes/OpenShift component which deploys and manages one or more NGINX/NGINX Plus Ingress Controllers"

	- name: Build Image
	uses: docker/build-push-action@2eb1c1961a95fc15694676618e422e8ba1d63825 # v4.1.1
	with:
	context: "."
	cache-from: type=gha
	cache-to: type=gha,mode=max
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	platforms: ${{ github.event_name != 'pull_request' && env.platforms \|\| '' }}
	load: ${{ github.event_name == 'pull_request' }}
	push: ${{ github.event_name != 'pull_request' }}
	no-cache: ${{ github.event_name != 'pull_request' }}
	pull: true
	sbom: ${{ github.event_name != 'pull_request' }}
	provenance: false

	- name: Run Trivy vulnerability scanner
	uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # 0.11.2
	continue-on-error: true
	with:
	image-ref: nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }}
	format: "sarif"
	output: "trivy-results.sarif"
	ignore-unfixed: "true"

	- name: Upload Trivy scan results to GitHub Security tab
	uses: github/codeql-action/upload-sarif@cdcdbb579706841c47f7063dda365e292e5cad7a # v2.13.4
	continue-on-error: true
	with:
	sarif_file: "trivy-results.sarif"

	- name: Upload Scan Results
	uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
	continue-on-error: true
	with:
	name: "trivy-results.sarif"
	path: "trivy-results.sarif"
	if: always()

	- name: Create/Update Draft
	uses: lucacome/draft-release@f6dc37dcdf44be100a649b72c62c628776750190 # v0.2.2
	with:
	minor-label: "enhancement"
	major-label: "change"
	variables: \|
	nic_version=${{ steps.vars.outputs.chart_version }}
	openshift_version=${{ steps.vars.outputs.openshift_version }}
	notes-footer: \|
	## Compatibility

	- NGINX Ingress Controller {{nic_version}}
	- OpenShift {{openshift_version}} or newer.
	if: github.event_name != 'pull_request'

	- name: Certify Images
	continue-on-error: true
	run: \|
	curl -fsSL https://github.com/redhat-openshift-ecosystem/openshift-preflight/releases/download/1.6.9/preflight-linux-amd64 --output preflight
	chmod +x preflight

	IFS=',' read -ra arch_list <<< "${{ env.platforms }}"

	for arch in "${arch_list[@]}"; do
	architecture=("${arch#*/}")
	./preflight check container quay.io/nginx/nginx-ingress-operator:${{ steps.meta.outputs.version }} --pyxis-api-token ${{ secrets.PYXIS_API_TOKEN }} --certification-project-id ${{ secrets.CERTIFICATION_PROJECT_ID }} --platform $architecture --submit
	done
	if: ${{ github.ref_type == 'tag' }}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump actions/dependency-review-action from 3.0.6 to 3.0.7 (#152) #375

Workflow file

Bump actions/dependency-review-action from 3.0.6 to 3.0.7 (#152) #375

Jobs

Run details

Workflow file for this run