Skip to content

Bump anchore/scan-action from 4 to 5 #692

Bump anchore/scan-action from 4 to 5

Bump anchore/scan-action from 4 to 5 #692

Workflow file for this run

# SPDX-License-Identifier: MIT
name: CI
on:
push:
branches:
- main
- feature/**
paths-ignore:
- '**.md'
- '.gitignore'
pull_request:
branches:
- main
env:
GORELEASER_VERSION: 2.0.1
TASK_VERSION: 3.x
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
local-build:
name: Local build
runs-on: ubuntu-22.04
permissions: {}
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: './go.mod'
- name: Setup Task
uses: arduino/setup-task@v2
with:
version: ${{ env.TASK_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup GoReleaser
uses: goreleaser/goreleaser-action@v6
with:
install-only: true
- name: Setup container-structure-test
run: |
set -euo pipefail
curl -fsSLo /usr/local/bin/container-structure-test https://storage.googleapis.com/container-structure-test/latest/container-structure-test-linux-amd64
chmod +x /usr/local/bin/container-structure-test
container-structure-test version
- name: Check release config
run: |
task goreleaser:check
- name: Build with GoReleaser
run: |
task goreleaser:build
- name: Create snapshot release
run: |
task goreleaser:snapshot
- name: Build
run: |
task build
- name: Test
run: |
task test
release-dry-run:
name: GoReleaser release (dry run)
runs-on: ubuntu-22.04
permissions:
actions: read
checks: write
contents: read
security-events: write
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version-file: './go.mod'
- name: Set environment variables
run: |
set -euo pipefail
echo "SNAPSHOT_VERSION=$(./scripts/version)" >>"${GITHUB_ENV}"
IMAGE_BASE_NAME_DISTROLESS="$(sed -n "s/^FROM \(.*\)/\1/p" build/package/Dockerfile | tail -n 1)"
echo "IMAGE_BASE_NAME_DISTROLESS=${IMAGE_BASE_NAME_DISTROLESS}" >>"${GITHUB_ENV}"
echo "IMAGE_BASE_DIGEST_DISTROLESS=$(docker pull "${IMAGE_BASE_NAME_DISTROLESS}" | sed -n "s/^Digest: \(.*\)$/\1/p")" >>"${GITHUB_ENV}"
- name: Check release config
uses: goreleaser/goreleaser-action@v6
with:
version: v${{ env.GORELEASER_VERSION }}
args: check --config build/package/.goreleaser.yaml
- name: Create snapshot release
uses: goreleaser/goreleaser-action@v6
with:
version: v${{ env.GORELEASER_VERSION }}
args: release --config build/package/.goreleaser.yaml --snapshot --skip=publish --clean
- name: Container structure test (distroless)
uses: docker://gcr.io/gcp-runtimes/container-structure-test:latest
with:
args: 'test --image ghcr.io/ffurrer2/semver:latest --config test/semver_container_test.yml'
- name: Run Trivy vulnerability scanner (distroless)
uses: aquasecurity/trivy-action@master
with:
image-ref: 'ghcr.io/ffurrer2/semver:latest'
exit-code: '1'
vuln-type: 'os,library'
severity: 'HIGH,CRITICAL'
format: 'sarif'
output: 'trivy-results-distroless.sarif'
github-pat: '${{ secrets.GITHUB_TOKEN }}'
- name: Inspect Trivy SARIF report (distroless)
run: |
cat trivy-results-distroless.sarif
if: ${{ !cancelled() }}
- name: Upload Trivy scan results to GitHub Security tab (distroless)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results-distroless.sarif'
category: trivy-results-distroless
if: ${{ !cancelled() }}
- name: Run Anchore image scanner (distroless)
uses: anchore/scan-action@v5
id: anchore-distroless
with:
image: 'ghcr.io/ffurrer2/semver:latest'
fail-build: true
severity-cutoff: high
if: ${{ !cancelled() }}
- name: Inspect Anchore SARIF report (distroless)
run: |
cat ${{ steps.anchore-distroless.outputs.sarif }}
if: ${{ !cancelled() }}
- name: Upload Anchore scan results to GitHub Security tab (distroless)
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.anchore-distroless.outputs.sarif }}
if: ${{ !cancelled() }}