chore: add nightly job and move security scan, upload results to github security (#692)

* chore: add nightly job and move security scan, upload results to github security

Signed-off-by: Markus Maga <[email protected]>

* chore: only trigger branch trigger for master branch

Signed-off-by: Markus Maga <[email protected]>

Author: Flydiverny

.github/workflows/build-container.yaml

@@ -3,7 +3,7 @@ name: docker
 on:
   push:
     branches:
-      - '**'
+      - 'master'
     tags:
       - '*.*.*'
   pull_request:
@@ -45,14 +45,17 @@ jobs:
 
       - name: Docker meta
         id: docker_meta
-        uses: crazy-max/ghaction-docker-meta@v1
+        uses: crazy-max/ghaction-docker-meta@v2
         with:
           images: ${{ steps.image_name.outputs.image }}
-          tag-sha: github.ref != 'refs/heads/master'
+          tags: |
+            type=ref,event=tag
+            type=ref,event=pr
+            type=edge,enable=${{ endsWith(github.ref, github.event.repository.default_branch) }},latest=false
 
       - name: Login to Docker
         uses: docker/login-action@v1
-        if: env.GHCR_USERNAME != ''
+        if: env.GHCR_USERNAME != '' && steps.docker_meta.outputs.version != ''
         with:
           registry: ghcr.io
           username: ${{ secrets.GHCR_USERNAME }}
@@ -63,25 +66,6 @@ jobs:
         with:
           context: .
           platforms: linux/amd64,linux/arm64,linux/arm/v7
-          push: ${{ env.GHCR_USERNAME != '' }}
+          push: ${{ env.GHCR_USERNAME != '' && steps.docker_meta.outputs.version != ''}}
           tags: ${{ steps.docker_meta.outputs.tags }}
           labels: ${{ steps.docker_meta.outputs.labels }}
-
-      # cant load multi arch, so we build the same arch again (everything should cache hit)
-      - name: Load for scan
-        uses: docker/build-push-action@v2
-        id: docker_load
-        with:
-          context: .
-          platforms: linux/amd64
-          load: true
-          tags: kes-scan:scan
-          labels: ${{ steps.docker_meta.outputs.labels }}
-
-      - name: Trivy Scan - High and Critical Severity
-        uses: aquasecurity/[email protected]
-        with:
-          image-ref: kes-scan:scan
-          exit-code: 1
-          ignore-unfixed: true
-          severity: HIGH,CRITICAL

.github/workflows/nightly.yaml

@@ -0,0 +1,70 @@
+name: nightly
+
+on:
+  schedule:
+    # At 03:07
+    - cron: '7 3 * * *'
+
+env:
+  # We can't run a step 'if secrets.GHCR_USERNAME != ""' but we can run a step
+  # 'if env.GHCR_USERNAME' != ""', so we copy these to test whether credentials
+  # are available before trying to run steps that need them. Like PRs from forks!
+  GHCR_USERNAME: ${{ secrets.GHCR_USERNAME }}
+  IMAGE_NAME: ghcr.io/external-secrets/kubernetes-external-secrets
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v1
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v1
+
+      - name: Docker meta
+        id: docker_meta
+        uses: crazy-max/ghaction-docker-meta@v2
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          tags: |
+            type=schedule,pattern=nightly
+
+      - name: Login to Docker
+        uses: docker/login-action@v1
+        if: env.GHCR_USERNAME != ''
+        with:
+          registry: ghcr.io
+          username: ${{ secrets.GHCR_USERNAME }}
+          password: ${{ secrets.GHCR_TOKEN }}
+
+      - name: Build nightly
+        uses: docker/build-push-action@v2
+        with:
+          context: .
+          platforms: linux/amd64,linux/arm64,linux/arm/v7
+          push: ${{ env.GHCR_USERNAME != '' }}
+          tags: ${{ steps.docker_meta.outputs.tags }}
+          labels: ${{ steps.docker_meta.outputs.labels }}
+
+  scan:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/trivy-action@master
+        with:
+          image-ref: ${{ env.IMAGE_NAME }}:${{ steps.docker_meta.outputs.version }}
+          format: 'template'
+          ignore-unfixed: true
+          severity: HIGH,CRITICAL
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v1
+        with:
+          sarif_file: 'trivy-results.sarif'