2222permissions :
2323 contents : write
2424 packages : write
25+ security-events : write
2526
2627jobs :
28+ scan-codeql :
29+ runs-on : ubuntu-latest
30+ steps :
31+ - name : Check out code
32+ uses : actions/checkout@v5
33+
34+ - uses : actions/dependency-review-action@v4
35+
36+ - uses : github/codeql-action/init@v3
37+ with :
38+ languages : actions,go
39+ - uses : github/codeql-action/analyze@v3
40+
41+ scan-go :
42+ runs-on : ubuntu-latest
43+ steps :
44+ - name : Check out code
45+ uses : actions/checkout@v5
46+
47+ - name : Install Go
48+ uses : actions/setup-go@v5
49+ with :
50+ go-version-file : go.mod
51+
52+ - name : Check Go dependencies
53+ uses : golang/govulncheck-action@v1
54+ with :
55+ go-package : ./...
56+ output-format : sarif
57+ output-file : govulncheck.sarif
58+ - name : Upload SARIF file
59+ uses : github/codeql-action/upload-sarif@v3
60+ with :
61+ sarif_file : govulncheck.sarif
62+
63+ - name : Check Go source code
64+ uses : securego/gosec@master
65+ with :
66+ args : ' -no-fail -fmt sarif -out gosec.sarif ./...'
67+ - name : Upload SARIF file
68+ uses : github/codeql-action/upload-sarif@v3
69+ with :
70+ sarif_file : gosec.sarif
71+
72+ scan-nix :
73+ runs-on : ubuntu-latest
74+ steps :
75+ - name : Check out code
76+ uses : actions/checkout@v5
77+
78+ - name : Check Nix flake inputs
79+ uses : DeterminateSystems/flake-checker-action@main
80+ with :
81+ send-statistics : false
82+
2783 build-go :
84+ needs : [ scan-codeql, scan-go, scan-nix ]
2885 runs-on : ubuntu-latest
2986 strategy :
3087 matrix :
@@ -68,8 +125,10 @@ jobs:
68125 with :
69126 name : multigres-operator-${{matrix.arch}}
70127 path : dist/*
128+ if-no-files-found : error
129+ retention-days : 7
71130
72- build-push- container :
131+ build-container :
73132 needs : [ build-go ]
74133 runs-on : ubuntu-latest
75134 steps :
@@ -82,46 +141,99 @@ jobs:
82141 - name : Setup Docker buildx
83142 uses : docker/setup-buildx-action@v3
84143
85- - name : Log into registry
86- uses : docker/login-action@v3
87- with :
88- registry : ghcr.io
89- username : ${{ github.actor }}
90- password : ${{ secrets.GITHUB_TOKEN }}
91-
92- - name : Extract container metadata
93- id : meta
94- uses : docker/metadata-action@v5
95- with :
96- github-token : ${{ secrets.GITHUB_TOKEN }}
97- images : ghcr.io/${{ github.repository }}
98- tags : |
99- type=ref,event=branch,prefix=
100- type=ref,event=tag,prefix=
101- type=sha,format=short,prefix=
102- type=sha,format=long,prefix=
103-
104144 - uses : actions/download-artifact@v5
105145 with :
106146 pattern : multigres-operator-*
107147 path : dist/
108148
109- - name : Build and push container image
110- id : build-and-push
149+ - name : Build container image
111150 uses : docker/build-push-action@v5
112151 with :
113152 context : .
114153 file : Containerfile
115154 platforms : linux/${{ join(fromJson(inputs.architectures), ',linux/') }}
116- push : ${{ inputs.push-container-image }}
117- tags : ${{ steps.meta.outputs.tags }}
118- labels : ${{ steps.meta.outputs.labels }}
155+ push : false
156+ tags : " ghcr.io/${{ github.repository }}:${{ github.sha }}"
119157 provenance : false
120158 cache-from : type=gha
121159 cache-to : type=gha,mode=max
160+ outputs : type=oci,dest=container-image.tar
161+
162+ - name : Scan image with grype
163+ # requires that the container image be built already
164+ # simplify steps by running this in the same job as build
165+ uses : anchore/scan-action@v6
166+ with :
167+ image : " ghcr.io/${{ github.repository }}:${{ github.sha }}"
168+
169+ - name : Push to registry
170+ run : |
171+ IMAGE="ghcr.io/${{ github.repository }}"
172+ docker load --input container-image.tar
173+ docker push "$IMAGE:${{ github.sha }}"
174+ if [ "${{ github.ref }}" = "refs/heads/main" ]; then
175+ docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
176+ docker push "$IMAGE:latest"
177+ fi
178+ if [ "${{ github.ref_type }}" = "tag" ]; then
179+ docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
180+ docker push "$IMAGE:${{ github.ref_name }}"
181+ fi
182+ # - name: Upload image artifact
183+ # uses: actions/upload-artifact@v4
184+ # with:
185+ # name: container-image-tar
186+ # path: container-image.tar
187+ # if-no-files-found: error
188+ # retention-days: 7
189+
190+ # scan-container:
191+ # # requires that the container image be built already
192+ # needs: [ build-container ]
193+ # runs-on: ubuntu-latest
194+ # steps:
195+ # - name: Scan image with grype
196+ # uses: anchore/scan-action@v6
197+ # with:
198+ # image: "ghcr.io/${{ github.repository }}:${{ github.sha }}"
199+
200+ # push-container:
201+ # needs: [ scan-container ]
202+ # runs-on: ubuntu-latest
203+ # if: ${{ inputs.push-container-image }}
204+ # steps:
205+ # - name: Download image artifact
206+ # uses: actions/download-artifact@v4
207+ # with:
208+ # name: container-image-tar
209+ # path: .
210+
211+ # - name: Install skopeo
212+ # uses: redhat-actions/skopeo-tool@v1
213+
214+ # # - name: Log into registry
215+ # # uses: docker/login-action@v3
216+ # # with:
217+ # # registry: ghcr.io
218+ # # username: ${{ github.actor }}
219+ # # password: ${{ secrets.GITHUB_TOKEN }}
220+
221+ # - name: Push to registry
222+ # run: |
223+ # IMAGE="ghcr.io/${{ github.repository }}"
224+ # docker load --input container-image.tar
225+ # docker push "$IMAGE:${{ github.sha }}"
226+ # if [ "${{ github.ref }}" = "refs/heads/main" ]; then
227+ # docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:latest"
228+ # docker push "$IMAGE:latest"
229+ # fi
230+ # if [ "${{ github.ref_type }}" = "tag" ]; then
231+ # docker tag "$IMAGE:${{ github.sha }}" "$IMAGE:${{ github.ref_name }}"
232+ # docker push "$IMAGE:${{ github.ref_name }}"
233+ # fi
122234
123235 create-release :
124- needs : [ build-go ]
236+ needs : [ scan-container ]
125237 runs-on : ubuntu-latest
126238 if : ${{ inputs.create-release }}
127239 steps :
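Review bot: `create-release` now declares `needs: [ scan-container ]`, but `scan-container` exists in this hunk only as commented-out text, so the workflow references a job that is not defined and will be rejected when the file is parsed; `needs: [ build-container ]` names the job that actually produces and scans the image. The new "Push to registry" step also runs unconditionally and without the `docker/login-action` step this commit removes, so the former `push: ${{ inputs.push-container-image }}` gate is gone and `docker push` to ghcr.io has no credentials — where the token cannot write the step fails, and where it can, an image is published from every run. The grype step scans `image: "ghcr.io/${{ github.repository }}:${{ github.sha }}"`, a tag that is not in the registry until the following step pushes it, while the freshly built image exists only in `container-image.tar`; grype's `oci-archive:` source scans the archive that was actually built, provided scan-action forwards the `image` value to grype unchanged (verify against the action's documentation). Whether `docker load` accepts the OCI-layout tar produced by `outputs: type=oci` depends on the runner's Docker version — confirm, or export `type=docker,dest=container-image.tar` instead; the rewritten scan/login/push steps and the `needs` fix are below.
```yaml
      - name: Scan image with grype
        # scans the archive exported by the build step, not a registry tag
        uses: anchore/scan-action@v6
        with:
          image: oci-archive:container-image.tar

      - name: Log into registry
        if: ${{ inputs.push-container-image }}
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push to registry
        if: ${{ inputs.push-container-image }}
        run: |
          # … unchanged: docker load / tag / push commands …

  create-release:
    needs: [ build-container ]
    # … unchanged: runs-on, if, steps …
```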