Skip to content

Update anchore/sbom-action action to v0.17.9 #2730

Update anchore/sbom-action action to v0.17.9

Update anchore/sbom-action action to v0.17.9 #2730

Workflow file for this run

name: CI
on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
pull_request:
branches:
- main
env:
DOCKER_PLATFORMS: "linux/arm/v5,linux/arm/v6,linux/arm/v7,linux/arm64,linux/amd64,linux/ppc64le,linux/s390x,linux/mips64le,linux/386,linux/riscv64"
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
unit-tests:
name: Unit Tests
runs-on: ubuntu-24.04
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
- name: Setup Golang Environment
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: stable
- name: Run Tests
run: make test
- name: Upload coverage reports to Codecov
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # v5.1.1
with:
token: ${{ secrets.CODECOV_TOKEN }}
build-docker:
name: Build Docker Image
runs-on: ubuntu-24.04
permissions:
contents: write # for lucacome/draft-release to create/update release draft
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
id-token: write # for OIDC login to AWS ECR and goreleaser/goreleaser-action to sign artifacts
packages: write # for docker/build-push-action to push to GHCR
issues: write # for goreleaser/goreleaser-action to close milestones
needs: unit-tests
services:
registry:
image: registry:2
ports:
- 5000:5000
steps:
- name: Checkout Repository
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
fetch-depth: 0
- name: Setup Golang Environment
uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0
with:
go-version: stable
- name: Setup QEMU
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0
- name: Docker Buildx
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1
with:
version: latest
driver-opts: network=host
- name: DockerHub Login
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Login to GitHub Container Registry
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@e3dd6a429d7300a6a4c196c26e071d42e0343502 # v4.0.2
with:
aws-region: us-east-1
role-to-assume: ${{ secrets.AWS_ROLE_PUBLIC_ECR }}
if: github.event_name != 'pull_request'
- name: Login to Public ECR
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: public.ecr.aws
if: github.event_name != 'pull_request'
- name: Login to Quay.io
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0
with:
registry: quay.io
username: ${{ secrets.QUAY_USERNAME }}
password: ${{ secrets.QUAY_ROBOT_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
with:
images: |
name=nginx/nginx-prometheus-exporter,enable=${{ github.event_name != 'pull_request' }}
name=ghcr.io/nginxinc/nginx-prometheus-exporter,enable=${{ github.event_name != 'pull_request' }}
name=public.ecr.aws/nginx/nginx-prometheus-exporter,enable=${{ github.event_name != 'pull_request' }}
name=quay.io/nginx/nginx-prometheus-exporter,enable=${{ github.event_name != 'pull_request' }}
name=localhost:5000/nginx/nginx-prometheus-exporter
tags: |
type=edge
type=ref,event=pr
type=schedule
type=semver,pattern={{version}}
type=semver,pattern={{major}}
type=semver,pattern={{major}}.{{minor}}
labels: |
org.opencontainers.image.vendor=NGINX Inc <[email protected]>
env:
DOCKER_METADATA_ANNOTATIONS_LEVELS: manifest,index
- name: Create/Update Draft
uses: lucacome/draft-release@5d29432a46bff6c122cd4b07a1fb94e1bb158d34 # v1.1.1
with:
minor-label: "enhancement"
major-label: "change"
publish: ${{ github.ref_type == 'tag' }}
collapse-after: 30
notes-footer: |
## Upgrade
- Use the {{version}} image from our [DockerHub](https://hub.docker.com/r/nginx/nginx-prometheus-exporter/tags?page=1&ordering=last_updated&name={{version-number}}), [GitHub Container](https://github.com/nginxinc/nginx-prometheus-exporter/pkgs/container/nginx-prometheus-exporter), [Amazon ECR Public Gallery](https://gallery.ecr.aws/nginx/nginx-prometheus-exporter) or [Quay.io](https://quay.io/repository/nginx/nginx-prometheus-exporter/tag/{{version-number}}?tab=tags).
- Download the latest binaries from the [GitHub releases page](https://github.com/nginxinc/nginx-prometheus-exporter/releases/tag/{{version}}).
- Update to the latest version with `brew upgrade nginx-prometheus-exporter`, `snap refresh nginx-prometheus-exporter` or `scoop update nginx-prometheus-exporter`.
## Compatibility
- NGINX 0.1.18 or newer.
- NGINX Plus R19 or newer.
if: github.event_name != 'pull_request'
- name: Download Syft
uses: anchore/sbom-action/download-syft@df80a981bc6edbc4e220a492d3cbe9f5547a6e75 # v0.17.9
if: github.ref_type == 'tag'
- name: Install Cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0
if: github.ref_type == 'tag'
- name: Setup Snapcraft
run: |
sudo snap install snapcraft --classic
mkdir -p $HOME/.cache/snapcraft/download
mkdir -p $HOME/.cache/snapcraft/stage-packages
if: github.ref_type == 'tag'
- name: Install Nix
uses: cachix/install-nix-action@08dcb3a5e62fa31e2da3d490afc4176ef55ecd72 # v30
with:
github_access_token: ${{ secrets.GITHUB_TOKEN }}
if: github.ref_type == 'tag'
- name: Run GoReleaser
uses: goreleaser/goreleaser-action@9ed2f89a662bf1735a48bc8557fd212fa902bebf # v6.1.0
with:
version: v2.4.8 # renovate: datasource=github-tags depName=goreleaser/goreleaser
args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
NGINX_GITHUB_TOKEN: ${{ secrets.NGINX_PAT }}
SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }}
SNAPCRAFT_STORE_CREDENTIALS: ${{ secrets.SNAPCRAFT_LOGIN }}
- name: Print NGINX Prometheus Exporter info
run: ./dist/nginx-prometheus-exporter_linux_amd64_v1/nginx-prometheus-exporter --version
continue-on-error: true
- name: Build and Push Docker Image
uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
with:
file: build/Dockerfile
context: "."
target: goreleaser
platforms: ${{ env.DOCKER_PLATFORMS }}
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
annotations: ${{ steps.meta.outputs.annotations }}
push: true
cache-from: type=gha,scope=exporter
cache-to: type=gha,scope=exporter,mode=max
no-cache: ${{ github.event_name != 'pull_request' }}
provenance: mode=max
sbom: true
- name: Scan image
uses: anchore/scan-action@abae793926ec39a78ab18002bc7fc45bbbd94342 # v6.0.0
id: scan
continue-on-error: true
with:
image: localhost:5000/nginx/nginx-prometheus-exporter:${{ steps.meta.outputs.version }}
only-fixed: true
add-cpes-if-none: true
- name: Upload scan result to GitHub Security tab
uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
continue-on-error: true
with:
sarif_file: ${{ steps.scan.outputs.sarif }}