
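# Mirrors the tooling images declared in .github/dependencies.yml into a
# private Amazon ECR registry. AWS access is obtained through GitHub OIDC
# federation (id-token: write), so no long-lived AWS keys live in the repo.
#
# NOTE(review): every action below is pinned to a mutable major tag
# (@v4, @v5, ...). Pinning to a full commit SHA makes the supply chain
# reproducible and keeps a re-tagged release from silently changing the job.
name: Mirroring
on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - 'dockerfile-semgrep'
  workflow_dispatch:
# Workflow-level defaults; the build job overrides these with its own set.
permissions:
  contents: read
  discussions: read
  issues: read
  pull-requests: read
  id-token: write
jobs:
  metadata:
    name: Metadata
    runs-on: ubuntu-latest
    outputs:
      assets: ${{ steps.config.outputs.assets }}
    steps:
      # Same checkout major as the build job, so both jobs see identical behaviour.
      - uses: actions/checkout@v4
      - name: Construct tooling matrix
        id: config
        run: |
          matrix_file=".github/dependencies.yml"
          assets=$(yq eval -o=json '.assets' "$matrix_file")
          # Flatten each asset's build_args mapping into a single "k=v k2=v2"
          # string so it survives the JSON matrix round-trip as one scalar.
          # An asset without build_args yields "" instead of failing to_entries.
          single_line_assets=$(echo "$assets" | jq -rc 'map({
              name: .name,
              tag: .tag,
              build_args: (
                  (.build_args // {}) |
                  to_entries |
                  map("\(.key)=\(.value)") |
                  join(" ")
              )
          })')
          echo "assets=$single_line_assets" >> "$GITHUB_OUTPUT"
  build-publish-assets:
    runs-on: ubuntu-latest
    needs: metadata
    name: Build Asset - ${{ matrix.asset.name }}
    # Job-level permissions replace the workflow-level set entirely.
    # id-token: write is required for the OIDC exchange with AWS.
    # NOTE(review): no step below writes to the GitHub repository itself
    # (the push goes to ECR), so contents: read may be sufficient - confirm
    # before tightening.
    permissions:
      id-token: write
      contents: write
    strategy:
      fail-fast: false
      matrix:
        asset: ${{ fromJSON(needs.metadata.outputs.assets) }}
    # 'schedule' is accepted here although no schedule trigger is declared
    # under `on:`; with the current triggers this condition is always true.
    if: ${{ github.event_name == 'schedule' || github.event_name == 'workflow_dispatch' || github.event_name == 'push' }}
    steps:
      - uses: actions/checkout@v4
      - name: Configure AWS Credentials
        uses: aws-actions/configure-aws-credentials@v4
        with:
          role-to-assume: arn:aws:iam::${{ vars.AWS_ACCOUNT_ID }}:role/ecr-private-role-to-pull
          role-session-name: GitHub_to_AWS_via_FederatedOIDC
          aws-region: ${{ vars.REGION }}
      - name: Verify AWS Identity
        run: aws sts get-caller-identity
      - name: Login to Amazon ECR
        id: login-ecr
        uses: aws-actions/amazon-ecr-login@v2
      - name: Docker Metadata
        id: meta
        uses: docker/metadata-action@v5
        with:
          images: ${{ vars.AWS_ACCOUNT_ID }}.dkr.ecr.${{ vars.REGION }}.amazonaws.com/${{ matrix.asset.name }}
          sep-tags: ","
          tags: |
            type=raw,${{ matrix.asset.tag }}
          labels: |
            org.opencontainers.image.source=${{ github.repository }}
      - name: Set Docker Build Arguments
        id: format_build_args
        # The matrix value reaches the shell through an environment variable
        # rather than ${{ }} interpolation inside the script, so a value
        # containing quotes or shell metacharacters cannot rewrite the command.
        env:
          BUILD_ARGS: ${{ matrix.asset.build_args }}
        run: |
          # One KEY=VALUE per line is the list form build-push-action expects.
          # The previous sed rewrote "k=v" to "k=v" and has been dropped.
          formatted_build_args=$(echo "$BUILD_ARGS" | tr ' ' '\n')
          # A multi-line output must use the heredoc form: a plain
          # "build_args=..." line only carries the first build arg and
          # the remaining lines are read as separate outputs.
          delimiter="$(openssl rand -hex 8)"
          {
            echo "build_args<<${delimiter}"
            echo "$formatted_build_args"
            echo "${delimiter}"
          } >> "$GITHUB_OUTPUT"
      - name: Build and Push Docker Image
        uses: docker/build-push-action@v5
        with:
          context: .
          file: security-actions/dockerfiles/${{ matrix.asset.name }}.Dockerfile
          push: true
          pull: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          build-args: ${{ steps.format_build_args.outputs.build_args }}
          # provenance: false suppresses the BuildKit attestation manifest,
          # so the pushed image carries no SLSA provenance.
          provenance: false
          outputs: type=image,oci-mediatypes=true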