generate sbom and upload+inline #954
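name: test, docker build & push
on: [push]

# Least privilege for the default GITHUB_TOKEN: every job below only needs to
# read the repository. docker-push declares its own, wider, permissions. If a
# job turns out to need more, widen it on that job, not here.
permissions:
  contents: read

# Third-party actions are referenced by mutable tags (@v4, @v3, @v5, @0.x).
# For a workflow that produces release artifacts and an SBOM, pinning each
# action to a full commit SHA is the usual supply-chain hardening.
jobs:
  # Lint the Dockerfile; docker-push depends on this job succeeding.
  hadolint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: docker run --rm -i hadolint/hadolint < Dockerfile

  # Static checks: rubocop (-F: fail fast) and yard with warnings as errors.
  ruby:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - run: bundle exec rubocop -F
      - run: bundle exec yard doc --fail-on-warning --no-output

  rspec:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - run: bundle exec rspec

  docker-test:
    needs: hadolint
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ruby/setup-ruby@v1
        with:
          bundler-cache: true
      - run: |
          bundle exec rake

  docker-push:
    # if: ${{ github.ref == 'refs/heads/master' }}
    needs:
      - docker-test
      - hadolint
      - ruby
    runs-on: ubuntu-latest
    # packages: write is only needed once the GHCR login and push are
    # re-enabled below; with push: false the job does not use it.
    permissions:
      contents: read
      packages: write
    env:
      IMAGE_NAME: gilcreator/html2rss-web
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3

      # - name: Log in to DockerHub
      #   uses: docker/login-action@v3
      #   with:
      #     username: ${{ secrets.DOCKERHUB_USERNAME }}
      #     password: ${{ secrets.DOCKERHUB_TOKEN }}
      # - name: Log in to GitHub Container Registry (GHCR)
      #   uses: docker/login-action@v3
      #   with:
      #     registry: ghcr.io
      #     username: ${{ github.actor }}
      #     password: ${{ secrets.GITHUB_TOKEN }}

      # Restores the buildx layer cache keyed on the commit; restore-keys lets
      # an earlier commit's cache be reused when there is no exact hit.
      - name: Cache Docker layers
        uses: actions/cache@v4
        with:
          path: /tmp/.buildx-cache
          key: ${{ runner.os }}-buildx-${{ github.sha }}
          restore-keys: |
            ${{ runner.os }}-buildx-

      # push: false — nothing leaves the runner yet. Note that a multi-platform
      # build is not loaded into the local docker daemon either, so the
      # image tags below are not resolvable locally after this step.
      - name: Build and push Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          tags: |
            gilcreator/html2rss-web:latest
            ghcr.io/${{ github.repository_owner }}/html2rss-web:latest
          platforms: linux/amd64,linux/arm64
          cache-from: type=local,src=/tmp/.buildx-cache
          cache-to: type=local,dest=/tmp/.buildx-cache-new
          provenance: true
          # org.opencontainers.image.sbom is a custom key, not one of the
          # pre-defined OCI image annotation keys; consumers will not
          # interpret it automatically.
          labels: |
            org.opencontainers.image.source=https://github.com/${{ github.repository }}
            org.opencontainers.image.created=${{ github.event.head_commit.timestamp }}
            org.opencontainers.image.revision=${{ github.sha }}
            org.opencontainers.image.title=html2rss-web
            org.opencontainers.image.description=Generates RSS feeds of any website & serves to the web!
            org.opencontainers.image.sbom=https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts

      # Runs after the build so that, once push is enabled, the SBOM describes
      # the image produced by this run. Until then `:latest` resolves to the
      # image already published in the registry, not to this build — the
      # uploaded SBOM must not be read as covering the commit under test.
      # Scanning by digest (after push) or building a single platform with
      # load: true would close that gap.
      - name: Generate SBOM
        uses: anchore/[email protected]
        with:
          image: gilcreator/html2rss-web:latest
          output-file: sbom.spdx.json

      - name: Upload SBOM Artifact
        uses: actions/upload-artifact@v4
        with:
          name: sbom
          path: sbom.spdx.json

      # - name: Publish SBOM to Docker Hub Description
      #   env:
      #     DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
      #     DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
      #   run: |
      #     curl -s -X PATCH "https://hub.docker.com/v2/repositories/${IMAGE_NAME}/" \
      #       -H "Content-Type: application/json" \
      #       -u "$DOCKERHUB_USERNAME:$DOCKERHUB_TOKEN" \
      #       -d '{"full_description": "Auto-generated SBOM: https://github.com/${{ github.repository }}/actions/runs/${{ github.run_id }}/artifacts"}'

      # Same caveat as the SBOM step: with push: false this scans the
      # registry's current `:latest`, not the image built above.
      # exit-code: 1 fails the job on any CRITICAL/HIGH finding that has a fix
      # (ignore-unfixed: true drops findings without one).
      - name: Scan Docker image for vulnerabilities (Trivy)
        uses: aquasecurity/[email protected]
        with:
          image-ref: gilcreator/html2rss-web:latest
          format: table
          exit-code: 1
          ignore-unfixed: true
          vuln-type: os,library
          severity: CRITICAL,HIGH

      # Swap the freshly written cache over the restored one before
      # actions/cache saves it (the two-directory dance is the usual way to
      # keep the saved cache from growing run over run).
      - name: Move updated cache into place
        run: |
          rm -rf /tmp/.buildx-cache
          mv /tmp/.buildx-cache-new /tmp/.buildx-cache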