1+ name : CI
2+
3+ on :
4+ push :
5+ branches : ["master"]
6+ # Publish semver tags as releases.
7+ tags : ["v*.*.*"]
8+ pull_request :
9+ branches : ["master"]
10+
11+ env :
12+ REGISTRY : docker.io
13+ DOCKER_USERNAME : mcqueide
14+ IMAGE_NAME : mcqueide/people-api
15+ SHA : ${{ github.event.pull_request.head.sha || github.event.after }}
16+ CLOUD_BUILDER_NAME : test-ci
17+ jobs :
18+ ci :
19+ runs-on : ubuntu-latest
20+ permissions :
21+ contents : read # Ler o conteúdo do repositório
22+ packages : write # Permitir publicar pacotes no GitHub Packages
23+ pull-requests : write # Permitir criar e atualizar pull requests
24+ security-events : write # Enviar eventos de segurança para o Github Security
25+ id-token : write # Permitir emitir tokens OIDC para autenticação com provedores externos
26+
27+ steps :
28+ - name : Checkout repository
29+ uses : actions/checkout@v4
30+
31+ - name : Log into registry ${{ env.REGISTRY }}
32+ uses : docker/login-action@v3
33+ with :
34+ registry : ${{ env.REGISTRY }}
35+ username : ${{ env.DOCKER_USERNAME }}
36+ password : ${{ secrets.DOCKER_TOKEN }}
37+
38+ - name : Set up Docker Buildx
39+ uses : docker/setup-buildx-action@v3
40+ with :
41+ driver : cloud
42+ endpoint : " ${{ env.DOCKER_USERNAME }}/${{ env.CLOUD_BUILDER_NAME }}"
43+
44+ - name : Build for CI
45+ id : build-ci
46+ 47+ with :
48+ context : .
49+ file : ./Dockerfile
50+ push : false
51+ load : true # driver docker-container
52+ target : ci
53+ tags : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:ci
54+
55+ - name : Build for analysis
56+ id : build-for-analysis
57+ 58+ with :
59+ context : .
60+ file : ./Dockerfile
61+ push : false
62+ load : true
63+ tags : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
64+
65+ - name : Analyze for critical and high CVEs
66+ id : docker-scout-cves
67+ uses : docker/scout-action@v1
68+ with :
69+ command : cves
70+ image : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
71+ only-severities : critical,high
72+ only-fixed : true
73+ summary : true # publicar github actions e pull request
74+ exit-code : true
75+
76+ - name : Analyze for all CVEs
77+ id : docker-scout-all-cves
78+ uses : docker/scout-action@v1
79+ with :
80+ command : cves
81+ image : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.SHA }}
82+ summary : true
83+ sarif-file : sarif.output.json
84+
85+ # Se o repositório for público, é possível testar este recurso, caso contrário somente com organização ativa
86+ - name : Upload SARIF result
87+ id : upload-sarif
88+ if : ${{ github.event_name != 'pull_request' }}
89+ uses : github/codeql-action/upload-sarif@v3
90+ with :
91+ sarif_file : sarif.output.json
92+
93+ - name : Extract Docker metadata
94+ id : meta
95+ if : github.event_name != 'pull_request'
96+ 97+ with :
98+ images : ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
99+ labels : |
100+ org.opencontainers.image.revision=${{ env.SHA }}
101+ tags : |
102+ type=edge,branch=$repo.default_branch
103+ type=semver,pattern=v{{version}}
104+ type=sha,prefix=,suffix=,format=short
105+
106+ - name : Build final
107+ id : build-final
108+ if : github.event_name != 'pull_request'
109+ 110+ with :
111+ context : .
112+ file : ./Dockerfile
113+ push : true
114+ tags : ${{ steps.meta.outputs.tags }}
115+ labels : ${{ steps.meta.outputs.labels }}
116+ provenance : mode=max
117+ outputs : type=cacheonly
118+ sbom : true
119+
120+ - name : Install cosign
121+ if : github.event_name != 'pull_request'
122+ 123+ with :
124+ cosign-release : " v2.2.4"
125+
126+ - name : Sign the published Docker image
127+ if : github.event_name != 'pull_request'
128+ env :
129+ TAGS : ${{ steps.meta.outputs.tags }}
130+ DIGEST : ${{ steps.build-final.outputs.digest }}
131+ run : echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST}
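Review bot: In the `Build final` step, `push: true` is combined with `outputs: type=cacheonly` (file lines 113 and 117); with buildx, `--push` is shorthand for a registry image output and, as far as I can tell, cannot be combined with a non-image output type, and a cache-only build would leave `steps.build-final.outputs.digest` empty, so the cosign step at the end would try to sign `<tag>@` with no digest. If the intent is to push and sign the release image, drop the `outputs: type=cacheonly` line from this step (it belongs with the PR-only builds, which already use `load: true`). Separately, every visible action is referenced by a floating major tag (`actions/checkout@v4`, `docker/login-action@v3`, `docker/scout-action@v1`, `github/codeql-action/upload-sarif@v3`) in a job that holds `id-token: write` and `packages: write` and produces signed images; pinning each `uses:` to a full commit SHA, with the version tag kept as a trailing comment, limits what a retargeted upstream tag could do with those credentials. The `uses:` lines of the two build steps, the metadata step and the cosign install step are not visible in this rendering so their pins could not be checked, and the quoted values `" ${{ env.DOCKER_USERNAME }}/${{ env.CLOUD_BUILDER_NAME }}"` and `" v2.2.4"` appear to carry a leading space inside the quotes, which, if real rather than a rendering artifact, is passed through verbatim to the builder endpoint and the cosign release lookup.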