chore(deps): update aquasecurity/trivy-action action to v0.29.0 #136
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Rust | |
on: | |
push: | |
branches: ["main"] | |
pull_request: | |
branches: ["main"] | |
workflow_dispatch: | |
# Automatically cancel in-progress actions on the same branch | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.event_name == 'pull_request_target' && github.head_ref || github.ref }} | |
cancel-in-progress: true | |
env: | |
DOCKER_CONTAINER_IMAGE_BASE: lhr.ocir.io/lrdyqp2xtoja/argocd-appset-checked-pr-generator | |
# get correct commit sha for pull requests as well | |
COMMIT_SHA: ${{ github.event.pull_request.head.sha || github.sha }} | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
target: | |
- rust: aarch64-unknown-linux-musl | |
docker: linux/arm64 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: rui314/setup-mold@b015f7e3f2938ad3a5ed6e5111a8c6c7c1d6db6e # v1 | |
- uses: dtolnay/rust-toolchain@stable | |
with: | |
targets: ${{ matrix.target.rust }} | |
- uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab # v2.7.5 | |
with: | |
cache-all-crates: "true" | |
cache-on-failure: "true" | |
- uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
# nix dev shell setup | |
- uses: DeterminateSystems/nix-installer-action@b92f66560d6f97d6576405a7bae901ab57e72b6a # v15 | |
- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15 | |
with: { name: "nix-community" } | |
- uses: DeterminateSystems/magic-nix-cache-action@87b14cf437d03d37989d87f0fa5ce4f5dc1a330b # v8 | |
- name: test | |
run: nix develop -c cargo test | |
- name: build | |
env: | |
TARGET_CC: clang | |
run: nix develop .#${{ matrix.target.rust }} -c cargo build --target ${{ matrix.target.rust }} --release | |
- name: Login to Docker registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3.3.0 | |
with: | |
registry: lhr.ocir.io | |
username: ${{ secrets.OCIR_USERNAME }} | |
password: ${{ secrets.OCIR_TOKEN }} | |
- name: Docker meta tags generator | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
# use correct sha for pr commits | |
env: | |
DOCKER_METADATA_PR_HEAD_SHA: true | |
with: | |
images: | | |
${{ env.DOCKER_CONTAINER_IMAGE_BASE }} | |
tags: | | |
type=ref,event=branch | |
type=ref,event=pr | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
type=edge | |
type=sha,format=long | |
- name: Build Dockerfile | |
id: build-and-push-action-1 | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6.9.0 | |
with: | |
context: . | |
file: Dockerfile | |
load: true | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
cache-from: type=gha | |
cache-to: type=gha | |
platforms: ${{ matrix.target.docker }} | |
build-args: | | |
RUST_TARGET_DIR=target/${{ matrix.target.rust }}/release | |
- run: docker push --all-tags $DOCKER_CONTAINER_IMAGE_BASE | |
- name: get image digest | |
id: docker-image-digest | |
run: | | |
# get digest of pushed image, and get rid of everything up to the actual digest (i.e. remove the repo and name) | |
DOCKER_IMAGE_DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA} | sed 's/.*@//') | |
echo docker_image_digest=$DOCKER_IMAGE_DIGEST >> $GITHUB_OUTPUT | |
echo "image digest: \`${DOCKER_IMAGE_DIGEST}\`" >> $GITHUB_STEP_SUMMARY | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
with: | |
image-ref: ${{ env.DOCKER_CONTAINER_IMAGE_BASE }}:sha-${{ env.COMMIT_SHA }} | |
format: "table" | |
exit-code: "1" | |
ignore-unfixed: true | |
severity: "CRITICAL" | |
outputs: | |
pushed-image-digest: ${{ steps.docker-image-digest.outputs.docker_image_digest }} | |
deploy: | |
if: ${{ github.event_name == 'push' && github.ref == 'refs/heads/main' }} | |
runs-on: ubuntu-latest | |
needs: build | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
with: | |
token: ${{ secrets.WRITE_BACK_TO_REPO_TOKEN }} | |
- name: install kustomize | |
id: kustomize-installation | |
run: | | |
curl -sfLo kustomize.tar.gz https://github.com/kubernetes-sigs/kustomize/releases/download/kustomize%2Fv4.5.7/kustomize_v4.5.7_linux_amd64.tar.gz | |
tar xzf ./kustomize.tar.gz | |
echo "KUSTOMIZE_COMMAND=$PWD/kustomize" >> $GITHUB_OUTPUT | |
- name: Update kustomization for new image | |
# in 'prod' folder | |
env: | |
KUSTOMIZE_COMMAND: ${{ steps.kustomize-installation.outputs.KUSTOMIZE_COMMAND }} | |
run: | | |
cd k8s/overlays/prod | |
# update image digest | |
$KUSTOMIZE_COMMAND edit set image \ | |
${DOCKER_CONTAINER_IMAGE_BASE}=${DOCKER_CONTAINER_IMAGE_BASE}:sha-${COMMIT_SHA}@${{ needs.build.outputs.pushed-image-digest }} | |
- name: Update version label | |
uses: mikefarah/yq@9adde1ac14bb283b8955d2b0d567bcaf3c69e639 # v4.42.1 | |
with: | |
cmd: yq -i '.labels[].pairs."app.kubernetes.io/version" = strenv(COMMIT_SHA)' k8s/overlays/prod/kustomization.yaml | |
- name: Commit to git | |
run: | | |
git config user.name github-actions | |
git config user.email [email protected] | |
git add k8s/overlays/prod | |
git commit -m "update: image to version $COMMIT_SHA | |
[no ci]" | |
git pull --rebase | |
git push | |
echo "Committed to infra" >> $GITHUB_STEP_SUMMARY |