build(deps): bump google.golang.org/grpc from 1.66.1 to 1.66.2 #7109
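---
# CI workflow for security-profiles-operator: Go unit tests and lint on macOS,
# Nix builds and BPF verification on Linux, three container image builds each
# followed by a Trivy scan, and (on main and tags) spoc artifacts built under
# sigstore signing and attached to the GitHub release.
# Every third-party action is pinned to a commit SHA; the trailing comment
# records the matching release tag for readability.
name: build

on:
  push:
    branches:
      - main
  release:
    types: [published]
  pull_request:

env:
  GO_VERSION: '1.23'
  NIX_VERSION: '2.18.1'
  BOM_VERSION: v0.5.1

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Default-deny token: a job gets no GITHUB_TOKEN scopes unless it declares its
# own `permissions` block (only nix-spoc does below).
permissions: {}

jobs:
  macos:
    # NOTE(review): macos-12 is a retired GitHub-hosted runner label; confirm
    # the job still schedules, or move it to a currently supported macOS image.
    runs-on: macos-12
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GO_VERSION }}
      - run: make test-unit
      - run: make verify-go-lint

  nix:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
        with:
          install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
        with:
          name: security-profiles-operator
          # Resolves empty on pull requests from forks, where the platform
          # withholds repository secrets; only same-repo runs can push to the cache.
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          pushFilter: security-profiles-operator
      - run: make nix
      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: build
          path: build.tar.gz

  nix-spoc:
    # Same `startsWith` guard as the release step at the end of this job:
    # `contains(github.ref, 'refs/tags')` would also match any ref that merely
    # has that substring somewhere in its name.
    if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')
    runs-on: ubuntu-22.04
    permissions:
      contents: write # required for updating the release
      id-token: write # required for sigstore signing
    steps:
      - uses: sigstore/cosign-installer@4959ce089c160fddf62f7b42464195ba1a56d382 # v3.6.0
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
        with:
          install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
        with:
          name: security-profiles-operator
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          pushFilter: security-profiles-operator
      # NOTE(review): bom is fetched by release tag only, and tags are mutable.
      # Verify a pinned sha256 of the download (e.g. `sha256sum -c`) before
      # marking it executable, so a re-tagged release cannot swap the binary
      # that the following `make nix-spoc` step presumably relies on.
      - run: |
          sudo curl -sSfL --retry 5 --retry-delay 3 -o /usr/bin/bom \
            https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux
          sudo chmod +x /usr/bin/bom
      - run: make nix-spoc
      - uses: actions/upload-artifact@50769540e7f4bd5e21e526ee35c689e35e0d6874 # v4.4.0
        with:
          name: spoc
          path: |
            build/*
      - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8
        if: startsWith(github.ref, 'refs/tags/')
        with:
          files: |
            build/*

  bpf:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
        with:
          go-version: ${{ env.GO_VERSION }}
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
        with:
          install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
      - uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
        with:
          name: security-profiles-operator
          authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
          pushFilter: security-profiles-operator
      - run: make verify-bpf

  build-image:
    runs-on: ubuntu-22.04
    steps:
      # Free disk space on the hosted runner before the image build.
      - name: Remove unnecessary files
        run: |
          sudo rm -rf /usr/share/dotnet
          sudo rm -rf "$AGENT_TOOLSDIRECTORY"
          sudo rm -rf /opt/ghc
          sudo rm -rf /usr/local/share/boost
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
      # Registry credentials are only needed on main, the one ref the Build
      # step below pushes from.
      - name: Login to Quay
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io/security-profiles-operator
          username: security-profiles-operator+github
          password: ${{ secrets.QUAY_TOKEN }}
      - name: Image metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            quay.io/security-profiles-operator/build
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=ref,event=tag
            type=sha,format=long
      - name: Build (and push if needed)
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: .
          file: Dockerfile.build-image
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          push: ${{ github.ref == 'refs/heads/main' }}
          # Load into the local daemon only when not pushing (PR and tag builds)
          load: ${{ github.ref != 'refs/heads/main' }}
      # exit-code '0' makes this scan report-only: CRITICAL/HIGH findings in the
      # build image are printed but never fail the job, unlike the operator-image
      # and ubi-image scans below, which use exit-code '1'.
      - name: Run container image vulnerability scanner
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
        with:
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          format: 'table'
          exit-code: '0'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'
          timeout: 30m

  operator-image:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
      # NOTE(review): the Build step in this job only loads the image (no
      # `push`), so this login hands the job a registry credential it never
      # uses; drop it until a push is added here, to keep QUAY_TOKEN out of
      # jobs that do not need it.
      - name: Login to Quay
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io/security-profiles-operator
          username: security-profiles-operator+github
          password: ${{ secrets.QUAY_TOKEN }}
      - name: Image metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            quay.io/security-profiles-operator/spo
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=ref,event=tag
            type=sha,format=long
      - name: Build
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: .
          file: Dockerfile
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          load: true
      # Gating scan: exit-code '1' fails the job on unfixed-excluded CRITICAL/HIGH findings.
      - name: Run container image vulnerability scanner
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
        with:
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'

  ubi-image:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
      - name: Set up Docker Buildx
        id: buildx
        uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db # v3.6.1
      # NOTE(review): as in operator-image, nothing in this job pushes yet (see
      # the TODO on the Build step), so this login exposes QUAY_TOKEN to a job
      # that does not use it; add it together with the push.
      - name: Login to Quay
        if: github.ref == 'refs/heads/main'
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
        with:
          registry: quay.io/security-profiles-operator
          username: security-profiles-operator+github
          password: ${{ secrets.QUAY_TOKEN }}
      - name: Image metadata
        id: meta
        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
        with:
          images: |
            quay.io/security-profiles-operator/build
          flavor: |
            suffix=-ubi
          tags: |
            type=ref,event=branch
            type=ref,event=pr
            type=ref,event=tag
            type=sha,format=long
      # TODO(jaosorior): Push UBI image too
      - name: Build
        uses: docker/build-push-action@5cd11c3a4ced054e52742c5fd54dca954e0edd85 # v6.7.0
        with:
          context: .
          file: Dockerfile.ubi
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          load: true
      # Gating scan: exit-code '1' fails the job on unfixed-excluded CRITICAL/HIGH findings.
      - name: Run container image vulnerability scanner
        uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
        with:
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          format: 'table'
          exit-code: '1'
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: 'CRITICAL,HIGH'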