Updated versions of GitHub actions
dotneft committed Jul 8, 2024
1 parent e018c30 commit 2d49a27
Showing 8 changed files with 108 additions and 71 deletions.
6 changes: 3 additions & 3 deletions .github/workflows/dependency-review.yml
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Harden Runner
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -27,6 +27,6 @@ jobs:
github.com:443
- name: 'Checkout Repository'
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: 'Dependency Review'
uses: actions/dependency-review-action@be8bc500ee15e96754d2a6f2d34be14e945a46f3 # v4.1.2
uses: actions/dependency-review-action@72eb03d02c7872a771aacd928f3123ac62ad6d3a # v4.3.3
4 changes: 2 additions & 2 deletions .github/workflows/dockerhub_description.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
- web-service
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -57,7 +57,7 @@ jobs:
hub.docker.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
fetch-depth: 1

Expand Down
91 changes: 62 additions & 29 deletions .github/workflows/images_build.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,6 +30,7 @@ env:
TRUNK_ONLY_EVENT: ${{ contains(fromJSON('["schedule"]'), github.event_name) }}
AUTO_PUSH_IMAGES: ${{ ! contains(fromJSON('["workflow_dispatch"]'), github.event_name) && vars.AUTO_PUSH_IMAGES }}

DOCKER_REGISTRY: ${{ vars.DOCKER_REGISTRY }}
DOCKER_REPOSITORY: ${{ vars.DOCKER_REPOSITORY }}
LATEST_BRANCH: ${{ github.event.repository.default_branch }}
TRUNK_GIT_BRANCH: "refs/heads/trunk"
Expand Down Expand Up @@ -63,7 +64,7 @@ jobs:
sha_short: ${{ steps.branch_info.outputs.sha_short }}
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -73,7 +74,7 @@ jobs:
objects.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand Down Expand Up @@ -171,9 +172,10 @@ jobs:
contents: read
id-token: write
packages: write
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand Down Expand Up @@ -396,7 +398,7 @@ jobs:
ziply.mm.fcix.net:80
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -412,13 +414,13 @@ jobs:
run: cosign version

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
with:
image: tonistiigi/binfmt:latest
platforms: all

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
with:
driver-opts: image=moby/buildkit:master

Expand All @@ -443,7 +445,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
Expand Down Expand Up @@ -490,22 +492,22 @@ jobs:
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build and publish image
id: docker_build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
with:
context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}
Expand Down Expand Up @@ -540,6 +542,15 @@ jobs:
cosign sign --yes ${images}
echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, env.BASE_BUILD_NAME ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true

- name: Image metadata
env:
CACHE_FILE_NAME: ${{ env.BASE_CACHE_FILE_NAME }}
Expand Down Expand Up @@ -574,9 +585,10 @@ jobs:
contents: read
id-token: write
packages: write
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand All @@ -589,6 +601,7 @@ jobs:
go.mongodb.org:443
golang.org:443
google.golang.org:443
golang.zabbix.com:443
gopkg.in:443
ghcr.io:443
index.docker.io:443
Expand All @@ -605,7 +618,7 @@ jobs:
pkg-containers.githubusercontent.com:443
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -621,13 +634,13 @@ jobs:
run: cosign version

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
with:
image: tonistiigi/binfmt:latest
platforms: all

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
with:
driver-opts: image=moby/buildkit:master

Expand All @@ -652,7 +665,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
Expand Down Expand Up @@ -702,7 +715,7 @@ jobs:
cosign verify \
--certificate-oidc-issuer-regexp "$OIDC_ISSUER" \
--certificate-identity-regexp "$IDENTITY_REGEX" \
"$BASE_IMAGE"
"$BASE_IMAGE" | jq
echo "::endgroup::"
- name: Prepare cache data
Expand Down Expand Up @@ -742,22 +755,22 @@ jobs:
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Login to ${{ env.DOCKER_REGISTRY_TEST }}
if: ${{ env.AUTO_PUSH_IMAGES != 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
registry: ${{ env.DOCKER_REGISTRY_TEST }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Build ${{ matrix.build }}/${{ matrix.os }} and push
id: docker_build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
with:
context: ${{ format('{0}/{1}/{2}/', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
Expand Down Expand Up @@ -791,6 +804,15 @@ jobs:
cosign sign --yes ${images}
echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true

- name: Image metadata
env:
CACHE_FILE_NAME: ${{ env.BUILD_CACHE_FILE_NAME }}
Expand Down Expand Up @@ -826,9 +848,10 @@ jobs:
contents: read
id-token: write
packages: write
attestations: write
steps:
- name: Block egress traffic
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
uses: step-security/harden-runner@17d0e2bd7d51742c71671bd19fa12bdc9d40a3d6 # v2.8.1
with:
disable-sudo: true
egress-policy: block
Expand Down Expand Up @@ -1054,8 +1077,9 @@ jobs:
ziply.mm.fcix.net:443
ziply.mm.fcix.net:80
- name: Checkout repository
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
ref: ${{ env.TRUNK_ONLY_EVENT == 'true' && env.TRUNK_GIT_BRANCH || '' }}
fetch-depth: 1
Expand All @@ -1071,13 +1095,13 @@ jobs:
run: cosign version

- name: Set up QEMU
uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
uses: docker/setup-qemu-action@5927c834f5b4fdf503fca6f4c7eccda82949e1ee # v3.1.0
with:
image: tonistiigi/binfmt:latest
platforms: all

- name: Set up Docker Buildx
uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
uses: docker/setup-buildx-action@4fd812986e6c8c2a69e18311145f9371337f27d4 # v3.4.0
with:
driver-opts: image=moby/buildkit:master

Expand All @@ -1091,9 +1115,9 @@ jobs:
# Chromium on Alpine is available only on linux/amd64, linux/arm64 platforms
if ([ "$MATRIX_OS" == "alpine" ] || [ "$MATRIX_OS" == "centos" ]) && [ "$MATRIX_BUILD" == "web-service" ]; then
platform_list="linux/amd64,linux/arm64"
# Chromium on Ubuntu is not available on s390x platform
# Chromium on Ubuntu is not available on s390x and armhf platform
elif [ "$MATRIX_OS" == "ubuntu" ] && [ "$MATRIX_BUILD" == "web-service" ]; then
platform_list="linux/amd64,linux/arm/v7,linux/arm64"
platform_list="linux/amd64,linux/arm64"
else
platform_list=$(jq -r ".[\"os-linux\"].\"$MATRIX_OS\" | join(\",\")" "$MATRIX_FILE")
fi
Expand Down Expand Up @@ -1131,7 +1155,7 @@ jobs:
with:
images: |
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY_TEST, env.DOCKER_REPOSITORY_TEST, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES != 'true' }}
${{ format('{0}/{1}{2}', env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }},enable=${{ env.AUTO_PUSH_IMAGES == 'true' }}
context: ${{ env.TRUNK_ONLY_EVENT == 'true' && 'git' || '' }}
tags: |
type=semver,enable=${{ needs.init_build.outputs.current_branch != 'trunk' }},pattern={{version}},prefix=${{ matrix.os }}-
Expand Down Expand Up @@ -1183,7 +1207,7 @@ jobs:
cosign verify \
--certificate-oidc-issuer-regexp "${OIDC_ISSUER}" \
--certificate-identity-regexp "${IDENTITY_REGEX}" \
"${BASE_IMAGE}"
"${BASE_IMAGE}" | jq
echo "::endgroup::"
- name: Prepare cache data
Expand All @@ -1209,14 +1233,14 @@ jobs:
- name: Login to DockerHub
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}

- name: Build and push image
id: docker_build
uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0
uses: docker/build-push-action@1a162644f9a7e87d8f4b053101d1d9a712edc18c # v6.3.0
with:
context: ${{ format('{0}/{1}/{2}', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
file: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, matrix.build, matrix.os) }}
Expand Down Expand Up @@ -1250,6 +1274,15 @@ jobs:
cosign sign --yes ${images}
echo "::endgroup::"
- name: Attest images
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
id: attest
uses: actions/attest-build-provenance@v1
with:
subject-name: ${{ format('{0}/{1}/{2}{3}', env.DOCKER_REGISTRY, env.DOCKER_REPOSITORY, env.IMAGES_PREFIX, matrix.build ) }}
subject-digest: ${{ steps.docker_build.outputs.digest }}
push-to-registry: true

- name: Image metadata
if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
env:
Expand Down
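Review bot: The three new `Attest images` steps reference `actions/attest-build-provenance@v1` by a mutable tag, while every other action in this file — including the ones this commit bumps — is pinned to a full commit SHA with a `# vX.Y.Z` comment, so the step that produces the provenance attestation is the one step whose own code can change underneath the workflow. Pin it the same way, `uses: actions/attest-build-provenance@<commit-sha> # v1.x.y`, using the SHA of the release you validated. Separately, the `cosign verify … | jq` lines in the base-image check now return jq's exit status rather than cosign's unless pipefail is enabled for that step (an unset `shell` on Linux runs `bash -e` without `-o pipefail`; the step's shell setting is outside the visible hunk), so a failed signature verification could pass silently — add `set -o pipefail` at the top of the script, or run the verify first and pretty-print its saved output afterwards. The attestation step also needs the attestation API/Sigstore endpoints and the target registry in harden-runner's egress allow-list, which is collapsed here; confirm those entries exist, since `egress-policy: block` would otherwise fail the step only on the push path where `AUTO_PUSH_IMAGES` is true.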