diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 9a408b10..50a89684 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -5,7 +5,7 @@ on:
 branches:
 - master
 tags:
- - 'v[0-9]+.[0-9]+.[0-9]+'
+ - "v[0-9]+.[0-9]+.[0-9]+"
 pull_request:
 branches:
 - master
@@ -18,71 +18,114 @@ concurrency: cancel-in-progress: true jobs: - build-docker: - name: Build Docker Image - runs-on: ubuntu-20.04 - strategy: - matrix: - os: [debian, alpine] - steps: - - name: Checkout Repository - uses: actions/checkout@v4 + build-docker: + name: Build Docker Image + runs-on: ubuntu-22.04 + services: + registry: + image: registry:2 + ports: + - 5000:5000 + strategy: + fail-fast: false + matrix: + os: [debian, alpine] + steps: + - name: Checkout Repository + uses: actions/checkout@v4 - - name: Output Variables - id: var - run: | - echo "::set-output name=nginx_version::$(grep -m1 'FROM nginx:' > $GITHUB_OUTPUT - - name: Setup QEMU - uses: docker/setup-qemu-action@v3 - with: - platforms: arm,arm64,ppc64le,s390x - if: github.event_name != 'pull_request' + - name: Setup QEMU + uses: docker/setup-qemu-action@v3 + with: + platforms: arm,arm64,ppc64le,s390x - - name: Docker Buildx - uses: docker/setup-buildx-action@v3 - with: - buildkitd-flags: --debug + - name: Docker Buildx + uses: docker/setup-buildx-action@v3 + with: + buildkitd-flags: --debug + driver-opts: network=host - - name: DockerHub Login - uses: docker/login-action@v3 - with: - username: ${{ secrets.DOCKER_USERNAME }} - password: ${{ secrets.DOCKER_PASSWORD }} - if: github.event_name != 'pull_request' + - name: DockerHub Login + uses: docker/login-action@v3 + with: + username: ${{ secrets.DOCKER_USERNAME }} + password: ${{ secrets.DOCKER_PASSWORD }} + if: github.event_name != 'pull_request' - - name: Login to GitHub Container Registry - uses: docker/login-action@v3 - with: - registry: ghcr.io - username: ${{ github.repository_owner }} - password: ${{ secrets.GITHUB_TOKEN }} - if: github.event_name != 'pull_request' + - name: Login to GitHub Container Registry + uses: docker/login-action@v3 + with: + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.GITHUB_TOKEN }} + if: github.event_name != 'pull_request' - - name: Docker meta - id: meta - uses: 
docker/metadata-action@v5 - with: - images: | - opentracing/nginx-opentracing - ghcr.io/opentracing-contrib/nginx-opentracing - flavor: suffix=${{ matrix.os != 'debian' && '-' || '' }}${{ matrix.os != 'debian' && matrix.os || '' }},onlatest=true - tags: | - type=edge - type=ref,event=pr - type=semver,pattern={{version}} - type=raw,value=nginx-${{ steps.var.outputs.nginx_version }},enable=${{ contains(github.ref, 'refs/tags/') }} + - name: Docker meta + id: meta + uses: docker/metadata-action@v5 + with: + images: | + name=opentracing/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }} + name=ghcr.io/opentracing-contrib/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }} + name=localhost:5000/opentracing/nginx-opentracing + flavor: suffix=${{ matrix.os != 'debian' && '-' || '' }}${{ matrix.os != 'debian' && matrix.os || '' }},onlatest=true + tags: | + type=edge + type=ref,event=pr + type=semver,pattern={{version}} + type=raw,value=nginx-${{ steps.var.outputs.nginx_version }},enable=${{ contains(github.ref, 'refs/tags/') }} + env: + DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index - - name: Build (and push if not PR) - uses: docker/build-push-action@v5 - with: - pull: true - load: ${{ github.event_name == 'pull_request' }} - push: ${{ github.event_name != 'pull_request' }} - platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha,scope=${{ matrix.os }} - cache-to: type=gha,scope=${{ matrix.os }},mode=max - target: final - build-args: BUILD_OS=${{ matrix.os }} + - name: Build and push + uses: docker/build-push-action@v5 + with: + pull: true + push: true + platforms: "linux/arm,linux/amd64,linux/arm64,linux/ppc64le,linux/s390x" + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} + annotations: ${{ steps.meta.outputs.annotations }} + cache-from: type=gha,scope=${{ matrix.os }} + 
cache-to: type=gha,scope=${{ matrix.os }},mode=max + target: final + sbom: true + provenance: mode=max + build-args: BUILD_OS=${{ matrix.os }} + + - name: Inspect SBOM and output manifest + run: | + docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json + docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64").SLSA }}' > provenance.json + docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --raw + + - name: Scan SBOM + id: scan + uses: anchore/scan-action@v3 + with: + sbom: "sbom.json" + only-fixed: true + add-cpes-if-none: true + fail-build: false + + - name: Upload scan result to GitHub Security tab + uses: github/codeql-action/upload-sarif@v3 + continue-on-error: true + with: + sarif_file: ${{ steps.scan.outputs.sarif }} + if: always() + + - name: Upload Scan Results + uses: actions/upload-artifact@v4 + continue-on-error: true + with: + name: scan-results + path: | + ${{ steps.scan.outputs.sarif }} + *.json + if: always()
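Review bot: The new `Upload scan result to GitHub Security tab` step needs the `security-events: write` permission, and `jobs.build-docker` grants none in this hunk (a workflow-level `permissions:` block would sit above line 18 and is not visible here); because that step carries `continue-on-error: true` and `Scan SBOM` sets `fail-build: false`, neither a rejected upload nor a vulnerability finding ever changes the job result, so a missing permission would go unnoticed and the scan is purely informational. I would add a job-level block, `permissions: { contents: read, packages: write, security-events: write }`, and either state in a comment that the scan is advisory by design or gate on it with `fail-build: true` together with `severity-cutoff: high`. The `Inspect SBOM and output manifest` step extracts only the `linux/amd64` SBOM and provenance, so the other four platforms built by the same `Build and push` step are never scanned; a comment on that step saying so would stop the next reader from assuming full coverage. The `Docker meta` step still references `steps.var.outputs.nginx_version`, but the step with `id: var` is legible in this extract only on the removed side, so confirm it survives on the new side. The newly added actions (`anchore/scan-action@v3`, `github/codeql-action/upload-sarif@v3`, `actions/upload-artifact@v4`) and the `registry:2` service image are referenced by floating tags; pinning to a full commit SHA with the tag in a trailing comment is the usual hardening for a workflow that pushes release images.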