chore(deps): update github actions major to v4 (#183) #398
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Publish insights-trivy image | |
| on: | |
| schedule: | |
| - cron: "1 0 * * *" | |
| push: | |
| branches: | |
| - 'main' | |
| - 'build-image' | |
| paths: | |
| - 'insights-trivy/**' | |
| - '.github/workflows/insights-trivy-image.yaml' | |
| tags: | |
| - 'insights-trivy-v*.*.*' | |
| pull_request: | |
| branches: | |
| - 'main' | |
| paths: | |
| - 'insights-trivy/**' | |
| - '.github/workflows/insights-trivy-image.yaml' | |
| jobs: | |
| docker: | |
| permissions: | |
| attestations: write | |
| contents: write | |
| id-token: write | |
| packages: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - | |
| name: Checkout PR | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name == 'pull_request' }} | |
| with: | |
| fetch-depth: "0" | |
| ref: ${{ github.event.pull_request.head.sha }} | |
| - | |
| name: Checkout Branch or Tag | |
| uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| fetch-depth: "0" | |
| - | |
| name: Create SERVICE_TAG variable | |
| id: service_tag_var | |
| run: | | |
| RAW_TAG=$(git describe --abbrev=0 --tags --match 'insights-trivy-*') | |
| SERVICE_TAG=${RAW_TAG#"insights-trivy-"} | |
| echo "using insights-trivy tag $SERVICE_TAG" | |
| echo "SERVICE_TAG=$SERVICE_TAG" >> "$GITHUB_ENV" | |
| - | |
| name: Set version for non-tag build | |
| if: "!startsWith(github.ref, 'refs/tags/insights-trivy')" | |
| id: version_non-tag_build | |
| run: | | |
| DOCKER_TAG="${{ env.SERVICE_TAG }}-$(git rev-parse --short=8 HEAD)" | |
| echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV" | |
| echo "insights-trivy version $DOCKER_TAG" | |
| - | |
| name: Set version for tag build | |
| if: "startsWith(github.ref, 'refs/tags/insights-trivy')" | |
| id: version_tag_build | |
| run: | | |
| DOCKER_TAG=${{ env.SERVICE_TAG }} | |
| echo "DOCKER_TAG=$DOCKER_TAG" >> "$GITHUB_ENV" | |
| echo "insights-trivy version $DOCKER_TAG" | |
| - | |
| name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 | |
| with: | |
| # list of Docker images to use as base name for tags | |
| images: | | |
| ${{ github.repository_owner }}/insights-trivy | |
| ghcr.io/${{ github.repository_owner }}/insights-trivy | |
| tags: | | |
| # set edge tag for default branch | |
| type=edge,enable={{is_default_branch}} | |
| # set latest tag for main branch - this is required for the scheduled builds | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| # set tag+build for default branch | |
| type=raw,value=${{ env.DOCKER_TAG}},enable={{is_default_branch}} | |
| # tag event | |
| type=raw,value=${{ env.DOCKER_TAG}},enable=${{ startsWith(github.ref, 'refs/tags/insights-trivy') }} | |
| type=raw,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/insights-trivy') }} | |
| # pull request event | |
| type=ref,event=pr | |
| # pull request event | |
| type=ref,event=branch | |
| #schedule event tags - gives us a tag per day | |
| type=schedule,pattern={{date 'YYYYMMDD'}} | |
| type=schedule,value=latest | |
| - | |
| name: Set up QEMU | |
| uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 | |
| - | |
| name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 | |
| - | |
| name: Login to DockerHub | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - | |
| name: Login to GHCR | |
| uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - | |
| name: Build and push | |
| uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 | |
| id: build-and-push | |
| with: | |
| context: insights-trivy | |
| platforms: linux/amd64,linux/arm64 | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| - name: Attest dockerhub image | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-digest: ${{steps.build-and-push.outputs.digest}} | |
| subject-name: index.docker.io/${{ github.repository_owner }}/insights-trivy | |
| push-to-registry: true | |
| - name: Attest ghcr image | |
| uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0 | |
| with: | |
| subject-digest: ${{steps.build-and-push.outputs.digest}} | |
| subject-name: ghcr.io/${{ github.repository_owner }}/insights-trivy | |
| push-to-registry: true | |
| - uses: anchore/sbom-action@17ae1740179002c89186b61233e0f892c3118b11 # v0.23.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| image: ghcr.io/${{ github.repository_owner }}/insights-trivy@${{steps.build-and-push.outputs.digest}} | |
| output-file: sbom.spdx.json | |
| upload-artifact: false | |
| upload-release-assets: false | |
| - name: Release | |
| uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0 | |
| if: startsWith(github.ref, 'refs/tags/') | |
| with: | |
| files: | | |
| sbom.spdx.json |