feat(deps): bump actions/checkout from 3.3.0 to 4.2.2 #160
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| on: pull_request | |
| name: pull request checks | |
| jobs: | |
| dockerfilelint: | |
| name: dockerfile lint | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: hadolint | |
| uses: burdzwastaken/[email protected] | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| HADOLINT_ACTION_DOCKERFILE_FOLDER: . | |
| dockerbuild: | |
| name: docker build | |
| runs-on: ubuntu-latest | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: extract tag | |
| id: vars | |
| run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) | |
| - name: docker build | |
| run: docker build . --file Dockerfile --tag image:${{ steps.vars.outputs.alpine_version }} | |
| - name: save docker image for cache | |
| run: mkdir -p image/ && docker save -o image/image.tar image:${{ steps.vars.outputs.alpine_version }} | |
| - name: cache docker image | |
| uses: actions/[email protected] | |
| with: | |
| path: image/ | |
| key: ${{ runner.os }}-docker-${{ github.sha }} | |
| dockerscan: | |
| name: docker security scan | |
| runs-on: ubuntu-latest | |
| needs: dockerbuild | |
| steps: | |
| - uses: actions/[email protected] | |
| - name: extract tag | |
| id: vars | |
| run: echo ::set-output name=alpine_version::$(grep '^FROM alpine' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2) | |
| - name: load cached docker image | |
| uses: actions/[email protected] | |
| with: | |
| path: image/ | |
| key: ${{ runner.os }}-docker-${{ github.sha }} | |
| - name: load cached docker container | |
| run: docker load -i image/image.tar | |
| - name: cached scan db | |
| uses: actions/[email protected] | |
| with: | |
| path: vulndb/ | |
| key: trivy-vulndb | |
| - name: Install Trivy | |
| run: | | |
| trivyRelease="$(curl -s "https://api.github.com/repos/aquasecurity/trivy/releases/latest" | grep '"tag_name":' | sed -E 's/.*"([^"]+)".*/\1/' | cut -d 'v' -f 2)" | |
| wget https://github.com/aquasecurity/trivy/releases/download/v${trivyRelease}/trivy_${trivyRelease}_Linux-64bit.tar.gz | |
| tar zxvf trivy_${trivyRelease}_Linux-64bit.tar.gz | |
| - name: Scan | |
| run: ./trivy --exit-code 1 --no-progress --severity HIGH,CRITICAL,MEDIUM --cache-dir vulndb/ image:${{ steps.vars.outputs.alpine_version }} | |