fix: FROM scratch

fix: FROM scratch #45

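name: "Build Pipeline (Docker)"

# Builds, pushes, scans and signs the polygon-cli image on every push to the
# two branches below. There is no pull_request trigger, so unreviewed PR code
# never reaches the registry or the attestor through this workflow.
on:
  push:
    branches:
      - jesse/pipeline-deploy
      - main

env:
  # Fully qualified Artifact Registry path: <region>-docker.pkg.dev/<project>/<repo>/<image>.
  IMAGE_NAME: "${{ vars.GAR_LOCATION }}-docker.pkg.dev/${{ vars.PROJECT_ID }}/${{ secrets.DOCKER_REPOSITORY }}/polygon-cli"
  # Quoted so that an unset variable expands to an empty string instead of null.
  ATTESTOR_PROJECT_ID: "${{ vars.PROJECT_ID }}"
  KEY_RING: "jesse-artifacts-ring"
  KEY: "jesse-artifacts-binary-auth-key"
  # Version of the KMS key used for the attestation signature.
  KEY_VERSION: "1"
  ATTESTOR: "jesse-artifacts-attestor"
  # Maximum number of CRITICAL findings tolerated before the job fails and the
  # image is left unsigned. Kept at the previously hard-coded threshold;
  # set to "0" to block any CRITICAL finding.
  MAX_CRITICAL: "5"

jobs:
  build-pipeline-docker:
    name: "Build, push, scan, and sign Docker image"
    permissions:
      # NOTE(review): no step below writes to the repository, so "read" looks
      # sufficient for the checkout -- confirm before lowering.
      contents: "write"
      # Needed to mint the OIDC token for Workload Identity Federation.
      id-token: "write"
    runs-on: ubuntu-latest
    # Actions are pinned by major tag only; for supply-chain hardening pin each
    # `uses:` to a full commit SHA (e.g. actions/checkout@<commit-sha>) and let
    # Dependabot move the pin.
    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Google Auth
        id: auth
        uses: google-github-actions/auth@v2
        with:
          token_format: "access_token"
          # this was hard to find: WIP --> Expand pool --> Click pencil icon
          workload_identity_provider: "${{ secrets.WIF_PROVIDER }}"
          service_account: "${{ secrets.WIF_SERVICE_ACCOUNT }}"

      - name: Docker Auth
        id: docker-auth
        # NOTE(review): v1 is several majors behind the other actions here;
        # docker/login-action@v3 is the current line.
        uses: docker/login-action@v1
        with:
          username: "oauth2accesstoken"
          # Short-lived access token from the auth step, not a stored key.
          password: "${{ steps.auth.outputs.access_token }}"
          registry: "${{ vars.GAR_LOCATION }}-docker.pkg.dev"

      - name: Build and Push Docker Image to GCP Artifact Registry
        # The image is pushed before it is scanned (the scan below is --remote),
        # so a failed scan still leaves the tag in the registry. Only the
        # attestation created in the last step marks a digest as deployable.
        run: |-
          docker build -t "${{ env.IMAGE_NAME }}:${{ github.sha }}" .
          docker push "${{ env.IMAGE_NAME }}:${{ github.sha }}"

      - name: "Set up Cloud SDK"
        uses: "google-github-actions/setup-gcloud@v1"

      - name: Scan Vulnerabilities
        # Stores the scan resource name for the next step; a failed scan fails
        # the step because the default shell runs with -e.
        run: |-
          gcloud artifacts docker images scan "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format="value(response.scan)" --remote --quiet > ./scan_id.txt

      - name: Checking Critical Vulnerabilities
        # Fails the job when the number of CRITICAL findings exceeds
        # $MAX_CRITICAL (workflow-level env, exported to the shell).
        run: |-
          set -euo pipefail
          if [ ! -f ./scan_id.txt ]; then
            echo "Error: scan_id.txt not found."
            exit 1
          fi
          severity=$(gcloud artifacts docker images list-vulnerabilities \
            "$(cat ./scan_id.txt)" \
            --format="value(vulnerability.effectiveSeverity)")
          # grep -c always prints a count but exits 1 when nothing matches;
          # `|| true` keeps that from tripping errexit/pipefail.
          critical_count=$(echo "$severity" | grep -c "CRITICAL" || true)
          if [ "$critical_count" -gt "$MAX_CRITICAL" ]; then
            echo "Failed vulnerability check: ${critical_count} CRITICAL findings exceed the allowed ${MAX_CRITICAL}."
            exit 1
          fi
          echo "Vulnerability check passed: ${critical_count} CRITICAL findings (allowed: ${MAX_CRITICAL})."

      - name: Sign the docker image
        # Resolves the mutable tag to its digest and attests the digest, so the
        # attestation cannot be re-pointed later by re-tagging.
        run: |-
          set -euo pipefail
          export CLOUDSDK_CORE_DISABLE_PROMPTS=1
          gcloud components install beta --quiet
          DIGEST=$(gcloud container images describe "${{ env.IMAGE_NAME }}:${{ github.sha }}" --format='get(image_summary.digest)')
          if [ -z "$DIGEST" ]; then
            echo "Error: could not resolve the image digest; refusing to sign a tag."
            exit 1
          fi
          # The KMS key is looked up in the Artifact Registry region; this
          # assumes the key ring was created in that same location.
          gcloud beta container binauthz attestations sign-and-create \
            --artifact-url="${{ env.IMAGE_NAME }}@${DIGEST}" \
            --attestor="${{ env.ATTESTOR }}" \
            --attestor-project="${{ env.ATTESTOR_PROJECT_ID }}" \
            --keyversion-project="${{ env.ATTESTOR_PROJECT_ID }}" \
            --keyversion-location="${{ vars.GAR_LOCATION }}" \
            --keyversion-keyring="${{ env.KEY_RING }}" \
            --keyversion-key="${{ env.KEY }}" \
            --keyversion="${{ env.KEY_VERSION }}"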