Fixes https://github.com/52North/read2burn/security/dependabot/17... #17
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: docker build publish read2burn | |
| concurrency: | |
| group: "read2burn" | |
| cancel-in-progress: true | |
| env: | |
| BUILD_CONTEXT: . | |
| IMAGE_AUTHORS: Jürrens, Eike Hinderk <[email protected]> | |
| IMAGE_DESCRIPTION: transport passwords more secure by email | |
| IMAGE_LICENSES: Apache-2.0 | |
| IMAGE_TAG: 52north/read2burn | |
| IMAGE_TITLE: read2burn by wemove forked by 52n | |
| IMAGE_VENDOR: 52°North Spatial Information Research GmbH | |
| IMAGE_URL: https://github.com/52north/read2burn | |
| METADATA_TAG_PATTERN: v(.*) | |
| on: | |
| workflow_dispatch: | |
| inputs: | |
| tags: | |
| description: "Please provide a git tag value, e.g. v1.0b3. It should be the same version as the read2burn app with added build id." | |
| required: true | |
| type: string | |
| default: "v1.0b3" | |
| push: | |
| tags: | |
| - "v*" | |
| jobs: | |
| build_and_publish: | |
| name: docker build publish image | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| language: [ 'javascript' ] | |
| steps: | |
| - | |
| name: Declare some variables | |
| id: vars | |
| shell: bash | |
| run: | | |
| echo "build_date=$(date -u +"%Y-%m-%dT%H:%M:%SZ")" >> $GITHUB_OUTPUT | |
| echo "build_id=$(echo ${{ github.event.inputs.tags }} | awk -F 'b' '{print $(NF)}')" >> $GITHUB_OUTPUT | |
| - | |
| name: Checkout Repository | |
| uses: actions/checkout@v4 | |
| - | |
| name: Initialize CodeQL | |
| uses: github/codeql-action/init@v3 | |
| with: | |
| languages: ${{ matrix.language }} | |
| - | |
| name: Perform CodeQL Analysis | |
| uses: github/codeql-action/analyze@v3 | |
| with: | |
| category: "/language:${{matrix.language}}" | |
| - | |
| name: Set up Docker Buildkit env | |
| uses: docker/setup-buildx-action@v3 | |
| - | |
| name: Extract metadata (tags, labels) for tagging Docker Image | |
| id: meta | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: "${{ env.IMAGE_TAG }}" | |
| labels: | | |
| "org.opencontainers.image.authors=${{ env.IMAGE_AUTHORS }}" | |
| "org.opencontainers.image.description=${{ env.IMAGE_DESCRIPTION }}" | |
| "org.opencontainers.image.licenses=${{ env.IMAGE_LICENSES }}" | |
| "org.opencontainers.image.title=${{ env.IMAGE_TITLE }}" | |
| "org.opencontainers.image.url=${{ env.IMAGE_URL }}" | |
| "org.opencontainers.image.vendor=${{ env.IMAGE_VENDOR }}" | |
| tags: | | |
| type=match,pattern=${{ env.METADATA_TAG_PATTERN }},group=1,value=${{ github.event.inputs.tags }} | |
| - | |
| name: Log in to Docker Hub | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_TOKEN }} | |
| - | |
| name: Build and push Docker image | |
| uses: docker/build-push-action@v6 | |
| with: | |
| context: "${{ env.BUILD_CONTEXT }}" | |
| cache-from: type=gha | |
| cache-to: type=gha | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| build-args: | | |
| GIT_COMMIT=${{ github.sha }} | |
| BUILD_DATE=${{ steps.vars.outputs.build_date }} | |
| BUILD_ID=${{ steps.vars.outputs.build_id }} | |
| - | |
| name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| env: | |
| # | |
| # Using AWS repository to circumvent TOOMANYREQUEST error from github repository | |
| # | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2 | |
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1 | |
| # | |
| # Original GitHub repository | |
| # | |
| # TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db:2 | |
| # TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db:1 | |
| # | |
| # | |
| # Disable VEX notice | |
| # | |
| TRIVY_DISABLE_VEX_NOTICE: disable_vex_notice | |
| with: | |
| image-ref: "${{ env.IMAGE_TAG }}" | |
| format: 'table' | |
| output: 'trivy-results.txt' | |
| exit-code: '0' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - | |
| name: Trigger redeployment | |
| uses: actions/github-script@v7 | |
| with: | |
| github-token: ${{ secrets.GHA_WORKFLOW_TRIGGER }} | |
| script: | | |
| const result = await github.rest.actions.createWorkflowDispatch({ | |
| owner: '${{ secrets.TRIGGER_ORGA }}', | |
| repo: '${{ secrets.TRIGGER_REPO }}', | |
| workflow_id: '${{ secrets.TRIGGER_WORKFLOW_1 }}', | |
| ref: '${{ secrets.TRIGGER_REF }}' | |
| }) | |
| console.log(result) |