feat(SEC-1265): process to sync OCI artifacts from upstream to Kong ECR #550
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: SCA Docker Test | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - '*' | |
| workflow_dispatch: {} | |
| jobs: | |
| test-scan-docker-image: | |
| permissions: | |
| contents: write # publish sbom to GH releases/tag assets | |
| issues: read | |
| checks: write | |
| pull-requests: write | |
| if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} | |
| name: Test Scan Docker Image | |
| runs-on: ubuntu-22.04 | |
| env: | |
| IMAGE: kong/kong-gateway-dev:latest #particular reason for the choice of image: test multi arch image sbom | |
| steps: | |
| - uses: actions/checkout@v4 | |
| - name: Install regctl | |
| uses: regclient/actions/regctl-installer@main | |
| - name: Login to DockerHub | |
| if: success() | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.GHA_DOCKERHUB_PULL_USER }} | |
| password: ${{ secrets.GHA_KONG_ORG_DOCKERHUB_PUBLIC_TOKEN }} | |
| - name: Parse Architecture Specific Image Manifest Digests | |
| id: image_manifest_metadata | |
| run: | | |
| manifest_list_exists="$( | |
| if regctl manifest get "${IMAGE}" --format raw-body --require-list -v panic &> /dev/null; then | |
| echo true | |
| else | |
| echo false | |
| fi | |
| )" | |
| echo "manifest_list_exists=$manifest_list_exists" | |
| echo "manifest_list_exists=$manifest_list_exists" >> $GITHUB_OUTPUT | |
| amd64_sha="$(regctl image digest "${IMAGE}" --platform linux/amd64 || echo '')" | |
| arm64_sha="$(regctl image digest "${IMAGE}" --platform linux/arm64 || echo '')" | |
| echo "amd64_sha=$amd64_sha" | |
| echo "amd64_sha=$amd64_sha" >> $GITHUB_OUTPUT | |
| echo "arm64_sha=$arm64_sha" | |
| echo "arm64_sha=$arm64_sha" >> $GITHUB_OUTPUT | |
| - name: Scan AMD64 Image digest | |
| id: sbom_action_amd64 | |
| if: steps.image_manifest_metadata.outputs.amd64_sha != '' | |
| uses: ./security-actions/scan-docker-image | |
| with: | |
| asset_prefix: kong-gateway-dev-linux-amd64 | |
| image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.amd64_sha }} | |
| skip_cis_scan: true | |
| - name: Scan ARM64 Image digest | |
| if: steps.image_manifest_metadata.outputs.manifest_list_exists == 'true' && steps.image_manifest_metadata.outputs.arm64_sha != '' | |
| id: sbom_action_arm64 | |
| uses: ./security-actions/scan-docker-image | |
| with: | |
| asset_prefix: test.kong-gateway-dev-linux-arm64 | |
| image: ${{env.IMAGE}}@${{ steps.image_manifest_metadata.outputs.arm64_sha }} | |
| upload-sbom-release-assets: true | |
| skip_cis_scan: true | |
| test-download-sbom: | |
| if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }} | |
| name: Download SBOM | |
| runs-on: ubuntu-22.04 | |
| needs: [test-scan-docker-image] | |
| env: | |
| SBOM_DOWNLOAD_PATH: ${{ github.workspace }}/security-assets/sboms | |
| SPDX_SBOM_PATTERN: "*sbom.spdx.json" | |
| CYCLONEDX_SBOM_PATTERN: "*sbom.cyclonedx.json" | |
| GH_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| steps: | |
| - name: "Download all SBOM assets" | |
| id: collect_sbom | |
| if: ${{ needs.test-scan-docker-image.result == 'success' }} | |
| run: |- | |
| gh run download ${{ github.run_id }} -D ${{ env.SBOM_DOWNLOAD_PATH }} -p '${{ env.CYCLONEDX_SBOM_PATTERN }}' -p '${{ env.SPDX_SBOM_PATTERN }}' --repo ${{ github.repository }} | |
| - name: Inspect download assets | |
| run: | | |
| ls -alR ${{ github.workspace }}/security-assets/sboms |