Docker Scout #9
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Docker Scout | |
| on: | |
| workflow_run: | |
| workflows: ["CI🚦"] | |
| types: | |
| - completed | |
| jobs: | |
| setup-matrix: | |
| runs-on: ubuntu-latest | |
| outputs: | |
| matrix: ${{ steps.set-matrix.outputs.matrix }} | |
| steps: | |
| - name: Source checkout | |
| uses: actions/checkout@v4 | |
| - id: set-matrix | |
| run: echo "matrix=$(jq -c . build_versions.json)" >> $GITHUB_OUTPUT | |
| build_test_container: | |
| name: 'Build test container' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| pull-requests: write | |
| needs: setup-matrix | |
| strategy: | |
| matrix: ${{ fromJson(needs.setup-matrix.outputs.matrix) }} | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Build local container | |
| id: build_test_container | |
| uses: docker/build-push-action@v6 | |
| with: | |
| tags: 'ci/test:${{ matrix.puppet_release }}' | |
| push: false | |
| build-args: | | |
| BASE_IMAGE=${{ matrix.base_image }} | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@v3 | |
| with: | |
| username: voxpupulibot | |
| password: ${{ secrets.DOCKERHUB_BOT_PASSWORD }} | |
| - name: Analyze container image for CVEs | |
| id: analyze-image-cves | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves | |
| image: 'local://ci/test:${{ matrix.puppet_release }}' | |
| sarif-file: sarif.output.${{ matrix.puppet_release }}.${{ github.sha }}.json | |
| write-comment: false | |
| - name: Compare container image to latest from Registry | |
| id: compare-image | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: compare | |
| image: 'local://ci/test:${{ matrix.puppet_release }}' | |
| to: 'ghcr.io/voxpupuli/test:${{ matrix.puppet_release }}-main' | |
| summary: true | |
| download: | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: 'Download artifact' | |
| uses: actions/github-script@v6 | |
| with: | |
| script: | | |
| let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| run_id: context.payload.workflow_run.id, | |
| }); | |
| let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => { | |
| return artifact.name == "pr_number" | |
| })[0]; | |
| let download = await github.rest.actions.downloadArtifact({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| artifact_id: matchArtifact.id, | |
| archive_format: 'zip', | |
| }); | |
| let fs = require('fs'); | |
| fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/pr_number.zip`, Buffer.from(download.data)); | |
| - name: 'Unzip artifact' | |
| run: unzip pr_number.zip | |
| - name: 'Comment on PR' | |
| uses: actions/github-script@v6 | |
| with: | |
| github-token: ${{ secrets.GITHUB_TOKEN }} | |
| script: | | |
| let fs = require('fs'); | |
| let issue_number = Number(fs.readFileSync('./pr_number')); | |
| await github.rest.issues.createComment({ | |
| owner: context.repo.owner, | |
| repo: context.repo.repo, | |
| issue_number: issue_number, | |
| body: 'See Docker Scout results [here](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}).' | |
| }); |