diff --git a/.github/workflows/docker.yml b/.github/workflows/docker.yml
index 2f94227..4107c4c 100644
--- a/.github/workflows/docker.yml
+++ b/.github/workflows/docker.yml
@@ -72,9 +72,11 @@ jobs:
 LOCAL_SEMVER_PATCH=$(awk -F. '{ print $3 }' <<< ${json_semver_version})
 LOCAL_SEMVER_PREFIX=""
 LOCAL_SEMVER_SUFFIX=""
+ LOCAL_SEMVER_RC=""
 LOCAL_TAGS="${LOCAL_IMAGE}:${LOCAL_SHA}"
 if [ ! -z ${input_semverprefix} ]; then LOCAL_SEMVER_PREFIX="${input_semverprefix}-"; fi
 if [ ! -z ${input_semversuffix} ]; then LOCAL_SEMVER_SUFFIX="-${input_semversuffix}"; fi
+ if [ ! -z ${json_semver_rc} ]; then LOCAL_SEMVER_RC="-${json_semver_rc}"; fi
 if [ ! -z ${LOCAL_SEMVER_MAJOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}${LOCAL_SEMVER_SUFFIX}"; fi
 if [ ! -z ${LOCAL_SEMVER_MINOR} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}${LOCAL_SEMVER_SUFFIX}"; fi
 if [ ! -z ${LOCAL_SEMVER_PATCH} ]; then LOCAL_TAGS="${LOCAL_TAGS},${LOCAL_IMAGE}:${LOCAL_SEMVER_PREFIX}${LOCAL_SEMVER_MAJOR}.${LOCAL_SEMVER_MINOR}.${LOCAL_SEMVER_PATCH}${LOCAL_SEMVER_SUFFIX}"; fi
@@ -87,10 +89,10 @@ jobs:
 if [ ! -z ${input_uid} ]; then echo "IMAGE_UID=${input_uid}" >> $GITHUB_ENV; else echo "IMAGE_UID=${json_uid:-1000}" >> $GITHUB_ENV; fi
 if [ ! -z ${input_gid} ]; then echo "IMAGE_GID=${input_gid}" >> $GITHUB_ENV; else echo "IMAGE_GID=${json_gid:-1000}" >> $GITHUB_ENV; fi
- : # set prefix or suffix globally
+ : # set rc, prefix or suffix globally
 echo "IMAGE_SEMVER_PREFIX=${LOCAL_SEMVER_PREFIX}" >> $GITHUB_ENV
 echo "IMAGE_SEMVER_SUFFIX=${LOCAL_SEMVER_SUFFIX}" >> $GITHUB_ENV
-
+ echo "IMAGE_VERSION_RC=${LOCAL_SEMVER_RC}" >> $GITHUB_ENV
 - name: docker / login to hub
 uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
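Review bot: The new `if [ ! -z ${json_semver_rc} ]` line copies `json_semver_rc` unquoted and unvalidated into LOCAL_SEMVER_RC, which the next hunk appends to `$GITHUB_ENV` and later hunks pass as the `APP_VERSION_RC` build arg; a value containing whitespace makes the test fail with "too many arguments", and a value containing a newline would become an additional line in GITHUB_ENV. Since this is a version fragment, an allow-list is the simplest guard: `if [[ "${json_semver_rc}" =~ ^[A-Za-z0-9.]+$ ]]; then LOCAL_SEMVER_RC="-${json_semver_rc}"; fi`. Where `json_semver_rc` is assigned is outside this hunk, so whether it is read from a file under the repository's own control is not visible here. LOCAL_SEMVER_RC is also not folded into any of the LOCAL_TAGS entries in this hunk — if that is deliberate (rc only in the application version, never in the image tag), a one-line comment saying so would save the next reader the question. The enclosing `run:` script starts before the hunk.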
@@ -104,7 +106,8 @@ jobs:
 - name: docker / setup buildx
 uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5
- - name: grype / build & push
+ - name: grype / build & push & tag
+ id: grype-tag
 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
 with:
 context: .
@@ -122,23 +125,31 @@ jobs:
 APP_GID=${{ env.IMAGE_GID }}
 APP_VERSION_PREFIX=${{ env.IMAGE_SEMVER_PREFIX }}
 APP_VERSION_SUFFIX=${{ env.IMAGE_SEMVER_SUFFIX }}
+ APP_VERSION_RC=${{ env.IMAGE_VERSION_RC }}
 APP_NO_CACHE=$(date +%s)
 tags: |
 ${{ env.IMAGE }}:${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}
 - name: grype / scan
- id: scan
+ id: grype-scan
 uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342
 with:
 image: ${{ env.IMAGE }}:${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}
 severity-cutoff: ${{ env.WORKFLOW_GRYPE_SEVERITY_CUTOFF }}
+ by-cve: true
+ output-format: 'sarif'
+ output-file: ${{ runner.temp }}/_github_home/grype.sarif
- - name: grype / report / print
+ - name: grype / report / sarif to markdown
+ id: sarif-to-md
 if: success() || failure()
- run: cat ${{ steps.scan.outputs.sarif }}
+ continue-on-error: true
+ uses: 11notes/action-sarif-to-markdown@b2656b3171cb3cddc50d50b2f86921cb2e6aeab1
+ with:
+ sarif_file: grype.sarif
 - name: grype / delete tag
- if: success() || failure()
+ if: steps.grype-tag.outcome == 'success'
 run: |
 curl --request DELETE \
 --url https://hub.docker.com/v2/repositories/${{ env.IMAGE }}/tags/${{ env.IMAGE_SEMVER_PREFIX }}grype${{ env.IMAGE_SEMVER_SUFFIX }}/ \
@@ -147,9 +158,11 @@ jobs:
 --fail
 - name: grype / report / upload
+ if: steps.grype-scan.outcome == 'success'
 uses: github/codeql-action/upload-sarif@48ab28a6f5dbc2a99bf1e0131198dd8f1df78169
 with:
- sarif_file: ${{ steps.scan.outputs.sarif }}
+ sarif_file: ${{ steps.grype-scan.outputs.sarif }}
+ category: grype
 - name: docker / build & push
 uses: docker/build-push-action@67a2d409c0a876cbe6b11854e3e25193efe4e62d
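Review bot: Changing the delete-tag step's condition to `if: steps.grype-tag.outcome == 'success'` removes the explicit `success() || failure()`, and GitHub applies an implicit `success()` to any `if:` that contains no status function — so when the grype scan fails the job (anchore/scan-action fails the build on findings above `severity-cutoff` unless `fail-build` is turned off, and no such input is visible here), the cleanup is skipped and the temporary `…grype…` tag carrying the rejected image stays published on Docker Hub, which is the one image you least want left in the public registry. Keep the status function and add the outcome check: `if: (success() || failure()) && steps.grype-tag.outcome == 'success'`. Separately, the scan writes `${{ runner.temp }}/_github_home/grype.sarif` while the markdown step is handed the bare `grype.sarif`; that only lines up if the action resolves relative paths against `/github/home`, which I cannot confirm from the diff, so a comment stating that assumption next to `output-file` would help. The delete step's `run:` block continues into the next hunk.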
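Review bot: The new `if: steps.grype-scan.outcome == 'success'` on the upload step (which also carries the implicit `success()`) means the SARIF reaches code scanning only when grype found nothing above the cutoff — the run in which findings exist, and the job fails because of them, is exactly the one that never shows up in the Security tab. Provided scan-action still sets its `sarif` output when it fails the build (its usual behaviour, but not verifiable from the diff), gate on the artefact rather than the verdict: `if: (success() || failure()) && steps.grype-scan.outputs.sarif != ''`. Adding `category: grype` is the right call, since one upload per category is what lets later runs resolve stale alerts.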
@@ -171,6 +184,7 @@ jobs:
 APP_GID=${{ env.IMAGE_GID }}
 APP_VERSION_PREFIX=${{ env.IMAGE_SEMVER_PREFIX }}
 APP_VERSION_SUFFIX=${{ env.IMAGE_SEMVER_SUFFIX }}
+ APP_VERSION_RC=${{ env.IMAGE_VERSION_RC }}
 APP_NO_CACHE=$(date +%s)
 tags: |
 ${{ env.IMAGE_TAGS }}
diff --git a/README.md b/README.md
index 6e544ac..af795bd 100644
--- a/README.md
+++ b/README.md
@@ -17,6 +17,7 @@ These are the main tags for the image. There is also a tag for each commit and i
 * [stable-unraid](https://hub.docker.com/r/11notes/kms-gui/tags?name=stable-unraid)
 * [latest-unraid](https://hub.docker.com/r/11notes/kms-gui/tags?name=latest-unraid)
+
 # SYNOPSIS 📖
 **What can I do with this?**
 This image will run a web GUI for your [11notes/kms](https://hub.docker.com/r/11notes/kms) server.
@@ -67,6 +68,7 @@ volumes:
 # GENERAL TIPS 📌
 * Use a reverse proxy like Traefik, Nginx, HAproxy to terminate TLS and to protect your endpoints
 * Use Let’s Encrypt DNS-01 challenge to obtain valid SSL certificates for your services
-
+
+
 # ElevenNotes™️
 This image is provided to you at your own risk. Always make backups before updating an image to a different version. Check the [releases](https://github.com/11notes/docker-kms-gui/releases) for breaking changes. If you have any problems with using this image simply raise an [issue](https://github.com/11notes/docker-kms-gui/issues), thanks. If you have a question or inputs please create a new [discussion](https://github.com/11notes/docker-kms-gui/discussions) instead of an issue. You can find all my other repositories on [github](https://github.com/11notes?tab=repositories).
\ No newline at end of file