
Commit e6065fc

authored
Merge pull request #1227 from c0rydoras/chore/add-container-scanning
chore(ci): use container-scanning-action
2 parents bf98d9b + 27aced3 commit e6065fc


2 files changed

+47
-0
lines changed


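--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -79,9 +79,18 @@ jobs:
 
       - name: build and push ${{ steps.parse-tagname.outputs.service }} image
         uses: docker/build-push-action@v6
+        id: docker
         with:
           context: ./${{ steps.parse-tagname.outputs.service }}/
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: |
             ${{ steps.meta.outputs.labels }}
+
+      - name: sign ${{ steps.parse-tagname.outputs.service }} image and attach SBOM attestation
+        uses: adfinis/container-scanning-action@v0.2.12
+        with:
+          image-ref: ghcr.io/${{ steps.repo.outputs.lower }}/${{ steps.parse-tagname.outputs.service }}
+          token: ${{ secrets.GITHUB_TOKEN }}
+          digest: ${{ steps.docker.outputs.digest }}
+          attest: true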
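Review bot: The new `uses: adfinis/container-scanning-action@v0.2.12` line pins a third-party action to a mutable tag while that step is handed `secrets.GITHUB_TOKEN` and signs and attests a release image; pin it to a full-length commit SHA with the version kept as a comment, `uses: adfinis/container-scanning-action@<commit-sha-of-v0.2.12> # v0.2.12`, so a moved tag cannot change the code that runs with that token. The same applies to the `uses:` line in .github/workflows/schedule.yaml in this commit. The enclosing job starts outside the hunk, so its `permissions:` block is not visible; schedule.yaml notes that attesting needs `id-token: write`, so confirm the release job grants that scope (and no more than the step needs). `steps.repo.outputs.lower` is referenced on the `image-ref:` line but the `repo` step is not in the hunk, so presumably it already exists earlier in the job.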

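--- a/.github/workflows/schedule.yaml
+++ b/.github/workflows/schedule.yaml
@@ -0,0 +1,38 @@
+---
+name: Schedule
+
+on:
+  schedule:
+    - cron: 4 4 * * *
+  workflow_dispatch:
+
+jobs:
+  scan:
+    strategy:
+      matrix:
+        service: [api, caluma, ember]
+
+    name: scan ${{ matrix.image }} image
+    runs-on: ubuntu-latest
+    permissions:
+      actions: none
+      checks: none
+      contents: none
+      deployments: none
+      issues: none
+      packages: write
+      pull-requests: none
+      repository-projects: none
+      security-events: write
+      statuses: none
+      # needed for `cosign attest`
+      id-token: write
+    steps:
+      - id: repo
+        run: |
+          echo "lower=$(echo '${{ github.repository }}' | tr '[:upper:]' '[:lower:]')" >> "$GITHUB_OUTPUT"
+      - uses: adfinis/container-scanning-action@v0.2.12
+        with:
+          image-ref: ghcr.io/${{ steps.repo.outputs.lower }}/${{ matrix.service }}
+          attest: true
+          token: ${{ secrets.GITHUB_TOKEN }}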
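Review bot: `name: scan ${{ matrix.image }} image` references a matrix key that does not exist — the matrix only defines `service` — so each job's name will render with an empty value; it should read `name: scan ${{ matrix.service }} image`, matching the `image-ref:` line that already uses `matrix.service`. The cron expression `- cron: 4 4 * * *` parses correctly as a plain string, but workflow files conventionally quote it so the `*` characters are not mistaken for alias syntax by readers and linters, `- cron: '4 4 * * *'`.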
