Skip to content

Update frogbot-scan-and-fix.yml #14

Update frogbot-scan-and-fix.yml

Update frogbot-scan-and-fix.yml #14

Workflow file for this run

name: build-publish-scan
on:
push:
branches:
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
contents: read
jobs:
build-publish-python:
runs-on: ubuntu-latest
env:
# DOCKER_REPO: 'codeninjas-proj-docker-local'
DOCKER_REPO: 'optum-app1-sunil-docker-local'
IMAGE_NAME: 'my-very-cool-image:${{ github.run_number }}'
JF_URL: https://${{ vars.JF_URL }}/
DOCKER_CLI_EXPERIMENTAL: enabled
steps:
# Use the specific setup-cli branch
- name: Setup JFrog CLI
uses: jfrog/setup-jfrog-cli@v4
id: setup-cli
env:
JF_URL: https://${{ vars.JF_URL }}/
JF_PROJECT: ${{ vars.JF_PROJECT }}
with:
oidc-provider-name: github-bidirect
oidc-audience: github-jfrog-aud
- name: Checkout the repository
uses: actions/checkout@v4
- name: Cache Primes
id: cache-primes
uses: actions/cache@v4
with:
path: /usr/lib/python3/dist-packages
key: python_requirements1
- name: configure jfrog environment
run: |
# Use a curated repository for python dependencies resolution
jf pip-config --repo-resolve=optum-app1-sunil-py-virtual
- name: configure environment
run: |
pip install --upgrade pip
python3 -m pip install --upgrade pip setuptools wheel sigstore
wheel -h
pip show setuptools
echo $VIRTUAL_ENV
- name: build project
run: |
jf pip install -r requirements.txt --module=jfrog-python-example
python setup.py sdist bdist_wheel
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- name: publish python package
run: |
jf rt u dist/ optum-app1-sunil-py-virtual/example-projects/ --module=jfrog-python-example
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Authenticate Docker
uses: docker/login-action@v3
with:
registry: ${{ vars.JF_URL }}
username: ${{ steps.setup-cli.outputs.oidc-user }}
password: ${{ steps.setup-cli.outputs.oidc-token }}
- name: Setup buildx instance
uses: docker/setup-buildx-action@v3
with:
use: true
platforms: linux/amd64,linux/arm64
install: true
- name: docker build through
run: |
docker buildx ls
jf docker --version
jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} --platform linux/amd64,linux/arm64 --metadata-file metadata.json --push .
- name: docker scan
run: |
jf docker pull ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
#- name: docker build
# run: |
# jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64 --platform linux/amd64 --load .
# #docker images
# jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64
# jf docker push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64
# jf docker build --tag ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64 --platform linux/arm64 --load .
# #docker images
# jf docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
# jf docker push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
# #echo "docker images scanned, now lets push a fat manifest and the images"
# #docker manifest create ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }} ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-amd64 ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}-arm64
# #echo "docker manifest created"
# #docker manifest push ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
# #echo "docker manifest pushed"
# #docker image save -o myimage.tar localhost:5000/myimage:latest
- name: add docker package to build
run: |
echo "----------------"
cat metadata.json
echo "----------------"
digest=$(cat metadata.json | jq '.["containerimage.digest"]')
echo "digest=$digest"
echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@$digest" > metadata.json
jf rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json
- name: publish build info
run: |
jf rt build-collect-env
jf rt build-add-dependencies .
jf rt build-add-git
jf rt build-publish
- name: build scan
run: |
jf build-scan build-publish-scan