[upgrade] latest workflows
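--- /dev/null
+++ b/.github/workflows/cve.yml
@@ -0,0 +1,70 @@
+name: cve
+
+on:
+workflow_dispatch:
+schedule:
+- cron: "30 15 */2 * *"
+
+jobs:
+cve:
+runs-on: ubuntu-latest
+steps:
+- name: init / checkout
+uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
+with:
+ref: ${{ github.ref_name }}
+fetch-depth: 0
+
+- name: init / setup environment
+uses: actions/github-script@62c3794a3eb6788d9a2a72b219504732c0c9a298
+with:
+script: |
+const { existsSync, readFileSync } = require('node:fs');
+const { resolve } = require('node:path');
+const { inspect } = require('node:util');
+const { Buffer } = require('node:buffer');
+const inputs = `${{ toJSON(github.event.inputs) }}`;
+const opt = {input:{}, dot:{}};
+
+try{
+if(inputs.length > 0){
+opt.input = JSON.parse(inputs);
+if(opt.input?.etc){
+opt.input.etc = JSON.parse(Buffer.from(opt.input.etc, 'base64').toString('ascii'));
+}
+}
+}catch(e){
+core.warning('could not parse github.event.inputs');
+}
+
+try{
+const path = resolve('.json');
+if(existsSync(path)){
+try{
+opt.dot = JSON.parse(readFileSync(path).toString());
+}catch(e){
+throw new Error('could not parse .json');
+}
+}else{
+throw new Error('.json does not exist');
+}
+}catch(e){
+core.setFailed(e);
+}
+
+core.info(inspect(opt, {showHidden:false, depth:null, colors:true}));
+
+core.exportVariable('WORKFLOW_IMAGE', `${opt.dot.image}:${(opt.dot?.semver?.version === undefined) ? 'rolling' : opt.dot.semver.version}`);
+core.exportVariable('WORKFLOW_GRYPE_SEVERITY_CUTOFF', (opt.dot?.grype?.severity || 'high'));
+
+
+- name: grype / scan
+id: grype
+uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
+with:
+image: ${{ env.WORKFLOW_IMAGE }}
+fail-build: true
+severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+output-format: 'sarif'
+by-cve: true
+cache-db: true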
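Review bot: The new workflow declares no `permissions:` block, so the job runs with the repository's default GITHUB_TOKEN scope although the only token use visible in the file is the checkout; add `permissions:` with `contents: read` at the top level (`security-events: write` would only become necessary if a SARIF upload step were added — the `output-format: 'sarif'` result is currently not uploaded anywhere in this file, so `fail-build: true` is the only signal). The line `const inputs = \`${{ toJSON(github.event.inputs) }}\`;` splices event data into the script source; `workflow_dispatch:` declares no inputs here so it is inert today, but passing the value through an `env:` entry and reading `process.env` keeps it out of the code if inputs are added later. In the second `try`, `core.setFailed(e)` does not end the script, so `WORKFLOW_IMAGE` is still exported from the empty `opt.dot` as `undefined:rolling`; adding `return;` directly after `core.setFailed(e);` avoids that misleading export.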
8
.github/workflows/docker.yml
vendored
8
.github/workflows/docker.yml
vendored
@@ -101,7 +101,7 @@ jobs:
|
|||||||
const docker = {
|
const docker = {
|
||||||
image:{
|
image:{
|
||||||
name:opt.dot.image,
|
name:opt.dot.image,
|
||||||
arch:(opt.dot.arch || 'linux/amd64,linux/arm64'),
|
arch:(opt.input?.etc?.arch || opt.dot?.arch || 'linux/amd64,linux/arm64'),
|
||||||
prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
|
prefix:((opt.input?.etc?.semverprefix) ? `${opt.input?.etc?.semverprefix}-` : ''),
|
||||||
suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
|
suffix:((opt.input?.etc?.semversuffix) ? `-${opt.input?.etc?.semversuffix}` : ''),
|
||||||
description:(opt.dot?.readme?.description || ''),
|
description:(opt.dot?.readme?.description || ''),
|
||||||
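Review bot: Assuming the second printed `arch:` line is the new side, the build platform list can now be overridden by `opt.input?.etc?.arch`, a value that comes from a base64-encoded JSON blob supplied at dispatch time and reaches buildx without any validation, so a malformed or unexpected platform string is only caught when the build fails, and the precedence (dispatch `etc.arch` over `.json` `arch` over the built-in default) is not documented anywhere in the hunk. Consider a comment on that line, `// platforms: dispatch etc.arch > .json arch > default`, and, if the effective `docker` object is not already logged elsewhere, a `core.info` of the chosen value before the build step. The `const docker = {` literal this line belongs to continues outside the hunk.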
@@ -228,7 +228,7 @@ jobs:
|
|||||||
with:
|
with:
|
||||||
driver-opts: network=host
|
driver-opts: network=host
|
||||||
|
|
||||||
- name: docker / build & push & tag grype
|
- name: docker / build image locally
|
||||||
if: env.WORKFLOW_BUILD == 'true'
|
if: env.WORKFLOW_BUILD == 'true'
|
||||||
id: docker-build
|
id: docker-build
|
||||||
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
|
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
|
||||||
@@ -257,7 +257,7 @@ jobs:
|
|||||||
cache-db: true
|
cache-db: true
|
||||||
|
|
||||||
- name: grype / fail
|
- name: grype / fail
|
||||||
if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure')
|
if: env.WORKFLOW_BUILD == 'true' && (failure() || steps.grype.outcome == 'failure') && steps.docker-build.outcome == 'success'
|
||||||
uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
|
uses: anchore/scan-action@dc6246fcaf83ae86fcc6010b9824c30d7320729e
|
||||||
with:
|
with:
|
||||||
image: ${{ env.DOCKER_CACHE_GRYPE }}
|
image: ${{ env.DOCKER_CACHE_GRYPE }}
|
||||||
@@ -267,7 +267,7 @@ jobs:
|
|||||||
by-cve: true
|
by-cve: true
|
||||||
cache-db: true
|
cache-db: true
|
||||||
|
|
||||||
- name: docker / build & push
|
- name: docker / build image from cache and push to registries
|
||||||
if: env.WORKFLOW_BUILD == 'true'
|
if: env.WORKFLOW_BUILD == 'true'
|
||||||
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
|
uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
|
||||||
with:
|
with:
|
||||||
|
|||||||