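---
# Nightly "patch" workflow for the proxy-init image.
#
# For each per-arch tag the `patch` job scans the published image with Trivy,
# rebuilds it with Copacetic (Copa) when fixable OS-package vulnerabilities are
# reported, and pushes the patched image back under the same per-arch tag.
# `create-updated-manifest` then re-creates the multi-arch `latest` manifest
# list from the two per-arch tags.
name: "Patch"

on:
  schedule:
    - cron: "0 0 * * *" # nightly, 00:00 UTC
  # Allow an on-demand run (e.g. right after an advisory lands) without waiting
  # for the nightly schedule.
  workflow_dispatch:

# GITHUB_TOKEN is limited to what the jobs need: read the repository and push
# to the GHCR package. Both jobs push to ghcr.io, so `packages: write` stays at
# workflow level.
permissions:
  contents: read
  packages: write

jobs:
  patch:
    runs-on: ubuntu-latest
    strategy:
      # A failure on one architecture must not cancel the other architecture.
      fail-fast: false
      matrix:
        images:
          - 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64'
          - 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64'
    env:
      # Expose the matrix value through the environment so the shell steps
      # below never interpolate a workflow expression straight into a script.
      IMAGE: ${{ matrix.images }}
      # Local tag Copa writes the patched image to (matches `patched-tag`).
      PATCHED_IMAGE: 'ghcr.io/azure/azure-workload-identity/proxy-init:patched'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          # NOTE(review): `audit` only logs egress. Once the endpoints this job
          # actually contacts are known from the audit logs (ghcr.io at a
          # minimum), switch to `block` with an explicit allowlist.
          egress-policy: audit

      - name: Login to ghcr.io
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Report only OS-package vulnerabilities that already have a fix: those
      # are the findings a package-update patch can address.
      - name: Generate Trivy Report
        uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54 # v0.11.2
        with:
          scan-type: 'image'
          format: 'json'
          output: 'report.json'
          ignore-unfixed: true
          vuln-type: 'os'
          image-ref: ${{ matrix.images }}

      # Emit the number of reported vulnerabilities so the patch and push steps
      # are skipped when there is nothing to fix.
      - name: Check Vuln Count
        id: vuln_count
        run: |
          set -euo pipefail
          report_file="report.json"
          # `// []` makes a missing or null Vulnerabilities array count as zero
          # explicitly rather than relying on jq's length-of-null behaviour.
          vuln_count=$(jq '.Results[0].Vulnerabilities // [] | length' "$report_file")
          echo "vuln_count=${vuln_count}" >> "$GITHUB_OUTPUT"

      - name: Copa Action
        if: steps.vuln_count.outputs.vuln_count != '0'
        id: copa
        uses: project-copacetic/copa-action@1eb86b0907bce48225b66dc9488c7d329c2d48a0 # v1.0.0
        with:
          image: ${{ matrix.images }}
          image-report: 'report.json'
          patched-tag: 'patched'
          buildkit-version: 'v0.12.1'

      # Overwrites the mutable per-arch tag in place. Consumers that pin by
      # digest are unaffected; the manifest job below re-points `latest`.
      # The patched image is not signed or attested here.
      - name: Push patched image
        if: steps.copa.conclusion == 'success'
        run: |
          set -euo pipefail
          docker tag "$PATCHED_IMAGE" "$IMAGE"
          docker push "$IMAGE"

  create-updated-manifest:
    needs: patch
    runs-on: ubuntu-latest
    env:
      IMAGE_REPO: 'ghcr.io/azure/azure-workload-identity/proxy-init'
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@eb238b55efaa70779f274895e782ed17c84f2895 # v2.6.1
        with:
          # NOTE(review): see the `patch` job — tighten to `block` once the
          # egress set is known.
          egress-policy: audit

      - name: Login to ghcr.io
        uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a # v2.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Rebuild the multi-arch `latest` manifest list from the two per-arch
      # tags. NOTE(review): this resolves whatever the per-arch tags point at
      # right now, not the digests the patch job pushed, so a concurrent
      # release that rewrites those tags could race with it; passing the pushed
      # digests between jobs would make the assembly exact.
      - name: Docker manifest create
        run: |
          set -euo pipefail
          export DOCKER_CLI_EXPERIMENTAL=enabled
          docker manifest create "${IMAGE_REPO}:latest" \
            --amend "${IMAGE_REPO}:latest-linux-arm64" \
            --amend "${IMAGE_REPO}:latest-linux-amd64"
          docker manifest push "${IMAGE_REPO}:latest"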