feat: add image push to GitHub registry#27
Conversation
|
|
||
| - | ||
| name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2|
|
||
| - | ||
| name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
scottgerring
left a comment
There was a problem hiding this comment.
I think the job name is wrong now (user management tests?)
Also, now that we can see that it's working, I reckon we should modify it so that we only push images on push to main, not on PR.
Also also, are you plugging the commit SHAs into the docker container env so they are discoverable for datadog's source code integration?
|
|
||
| - | ||
| name: Set up Docker Buildx | ||
| uses: docker/setup-buildx-action@v3 |
There was a problem hiding this comment.
🟠 Code Vulnerability
Workflow depends on a GitHub actions pinned by tag instead of a hash. (...read more)
Pin GitHub Actions by commit hash to ensure supply chain security.
Using a branch (@main) or tag (@v1) allows for implicit updates, which can introduce unexpected or malicious changes. Instead, always pin actions to a full length commit SHA. You can find the commit SHA for the latest tag from the action’s repository and ensure frequent updates via auto-updaters such as dependabot. Include a comment with the corresponding full-length SemVer tag for clarity:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2| @@ -1,4 +1,4 @@ | |||
| name: User Management Tests | |||
| name: User Management | |||
|
|
|||
There was a problem hiding this comment.
🟠 Code Vulnerability
No explicit permissions set for at the workflow level (...read more)
Default permissions for the GITHUB_TOKEN are expected to be restricted (contents:read, metadata:read, and packages:read).
Your repository may require a different setup, so consider defining permissions for each job following the least privilege principle to restrict the impact of a possible compromise.
You can find the list of all possible permissions in Workflow syntax for GitHub Actions - GitHub Docs. They can be defined at the job or the workflow level.
|
Re-staged into and merged with #29 |
No description provided.