opentracing-contrib · lucacome · Feb 18, 2024 · Feb 15, 2024 · Feb 16, 2024
diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
@@ -5,7 +5,7 @@ on:
     branches:
       - master
     tags:
-      - 'v[0-9]+.[0-9]+.[0-9]+'
+      - "v[0-9]+.[0-9]+.[0-9]+"
   pull_request:
     branches:
       - master
@@ -18,71 +18,114 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-    build-docker:
-      name: Build Docker Image
-      runs-on: ubuntu-20.04
-      strategy:
-        matrix:
-          os: [debian, alpine]
-      steps:
-        - name: Checkout Repository
-          uses: actions/checkout@v4
+  build-docker:
+    name: Build Docker Image
+    runs-on: ubuntu-22.04
+    services:
+      registry:
+        image: registry:2
+        ports:
+          - 5000:5000
+    strategy:
+      fail-fast: false
+      matrix:
+        os: [debian, alpine]
+    steps:
+      - name: Checkout Repository
+        uses: actions/checkout@v4
 
-        - name: Output Variables
-          id: var
-          run: |
-            echo "::set-output name=nginx_version::$(grep -m1 'FROM nginx:' <Dockerfile | awk -F'[: ]' '{print $3}')"
+      - name: Output Variables
+        id: var
+        run: |
+          echo "nginx_version=$(grep -m1 'FROM nginx:' <Dockerfile | awk -F'[: ]' '{print $3}')" >> $GITHUB_OUTPUT
 
-        - name: Setup QEMU
-          uses: docker/setup-qemu-action@v3
-          with:
-            platforms: arm,arm64,ppc64le,s390x
-          if: github.event_name != 'pull_request'
+      - name: Setup QEMU
+        uses: docker/setup-qemu-action@v3
+        with:
+          platforms: arm,arm64,ppc64le,s390x
 
-        - name: Docker Buildx
-          uses: docker/setup-buildx-action@v3
-          with:
-            buildkitd-flags: --debug
+      - name: Docker Buildx
+        uses: docker/setup-buildx-action@v3
+        with:
+          buildkitd-flags: --debug
+          driver-opts: network=host
 
-        - name: DockerHub Login
-          uses: docker/login-action@v3
-          with:
-            username: ${{ secrets.DOCKER_USERNAME }}
-            password: ${{ secrets.DOCKER_PASSWORD }}
-          if: github.event_name != 'pull_request'
+      - name: DockerHub Login
+        uses: docker/login-action@v3
+        with:
+          username: ${{ secrets.DOCKER_USERNAME }}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+        if: github.event_name != 'pull_request'
 
-        - name: Login to GitHub Container Registry
-          uses: docker/login-action@v3
-          with:
-            registry: ghcr.io
-            username: ${{ github.repository_owner }}
-            password: ${{ secrets.GITHUB_TOKEN }}
-          if: github.event_name != 'pull_request'
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.repository_owner }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+        if: github.event_name != 'pull_request'
 
-        - name: Docker meta
-          id: meta
-          uses: docker/metadata-action@v5
-          with:
-            images: |
-              opentracing/nginx-opentracing
-              ghcr.io/opentracing-contrib/nginx-opentracing
-            flavor: suffix=${{ matrix.os != 'debian' && '-' || '' }}${{ matrix.os != 'debian' && matrix.os || '' }},onlatest=true
-            tags: |
-              type=edge
-              type=ref,event=pr
-              type=semver,pattern={{version}}
-              type=raw,value=nginx-${{ steps.var.outputs.nginx_version }},enable=${{ contains(github.ref, 'refs/tags/') }}
+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            name=opentracing/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }}
+            name=ghcr.io/opentracing-contrib/nginx-opentracing,enable=${{ github.event_name != 'pull_request' }}
+            name=localhost:5000/opentracing/nginx-opentracing
+          flavor: suffix=${{ matrix.os != 'debian' && '-' || '' }}${{ matrix.os != 'debian' && matrix.os || '' }},onlatest=true
+          tags: |
+            type=edge
+            type=ref,event=pr
+            type=semver,pattern={{version}}
+            type=raw,value=nginx-${{ steps.var.outputs.nginx_version }},enable=${{ contains(github.ref, 'refs/tags/') }}
+        env:
+          DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
 
-        - name: Build (and push if not PR)
-          uses: docker/build-push-action@v5
-          with:
-            pull: true
-            load: ${{ github.event_name == 'pull_request' }}
-            push: ${{ github.event_name != 'pull_request' }}
-            platforms: ${{ github.event_name != 'pull_request' && env.PLATFORMS || '' }}
-            tags: ${{ steps.meta.outputs.tags }}
-            labels: ${{ steps.meta.outputs.labels }}
-            cache-from: type=gha,scope=${{ matrix.os }}
-            cache-to: type=gha,scope=${{ matrix.os }},mode=max
-            target: final
-            build-args: BUILD_OS=${{ matrix.os }}
+      - name: Build and push
+        uses: docker/build-push-action@v5
+        with:
+          pull: true
+          push: true
+          platforms: "linux/arm,linux/amd64,linux/arm64,linux/ppc64le,linux/s390x"
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          annotations: ${{ steps.meta.outputs.annotations }}
+          cache-from: type=gha,scope=${{ matrix.os }}
+          cache-to: type=gha,scope=${{ matrix.os }},mode=max
+          target: final
+          sbom: true
+          provenance: mode=max
+          build-args: BUILD_OS=${{ matrix.os }}
+
+      - name: Inspect SBOM and output manifest
+        run: |
+          docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
+          docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --format '{{ json (index .Provenance "linux/amd64").SLSA }}' > provenance.json
+          docker buildx imagetools inspect localhost:5000/opentracing/nginx-opentracing:${{ steps.meta.outputs.version }} --raw
+
+      - name: Scan SBOM
+        id: scan
+        uses: anchore/scan-action@v3
+        with:
+          sbom: "sbom.json"
+          only-fixed: true
+          add-cpes-if-none: true
+          fail-build: false
+
+      - name: Upload scan result to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v3
+        continue-on-error: true
+        with:
+          sarif_file: ${{ steps.scan.outputs.sarif }}
+        if: always()
+
+      - name: Upload Scan Results
+        uses: actions/upload-artifact@v4
+        continue-on-error: true
+        with:
+          name: scan-results
+          path: |
+            ${{ steps.scan.outputs.sarif }}
+            *.json
+        if: always()