chore(deps): update oryd/oathkeeper-maester docker tag to v0.1.13 #358
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: ci | |
| on: | |
| push: | |
| branches: | |
| - main | |
| tags: | |
| - v* | |
| pull_request: | |
| branches: | |
| - main | |
| env: | |
| ANSIBLE_FORCE_COLOR: "1" | |
| PY_COLORS: "1" | |
| permissions: read-all | |
| jobs: | |
| checkov: | |
| if: | | |
| contains(fromJson('["schedule", "pull_request", "push"]'), github.event_name) | |
| permissions: | |
| contents: read | |
| security-events: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Checkov GitHub Action | |
| uses: bridgecrewio/checkov-action@v12 | |
| with: | |
| config_file: .checkov_config.yaml | |
| output_format: cli,sarif | |
| output_file_path: console,results.sarif | |
| trivy: | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| security-events: write | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| scan-type: | |
| - fs | |
| - config | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Cache trivy db | |
| uses: actions/cache@v4 | |
| with: | |
| path: | | |
| ~/.cache/trivy | |
| ~/work/temp | |
| key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }} | |
| - name: Run Trivy vulnerability scanner in fs mode | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| format: sarif | |
| ignore-unfixed: true | |
| output: trivy-results.sarif | |
| scan-ref: . | |
| scan-type: ${{ matrix.scan-type }} | |
| severity: CRITICAL,HIGH | |
| trivy-config: trivy.yaml | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: trivy-results.sarif | |
| ansible-lint: | |
| if: github.event_name == 'push' || github.event_name == 'pull_request' | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v4 | |
| - name: Run ansible-lint | |
| uses: ansible/ansible-lint@main | |
| release-edge: | |
| needs: | |
| - checkov | |
| - ansible-lint | |
| - trivy | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| permissions: | |
| packages: write | |
| id-token: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Setup Cosign CLI | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Notation signing keys | |
| run: | | |
| mkdir -p ~/.config/notation/localkeys/ | |
| cp ./.notation/signingkeys.json ~/.config/notation/ | |
| cp ./.notation/notation.crt ~/.config/notation/localkeys/ | |
| echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key | |
| env: | |
| NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - id: push | |
| name: Push to ghcr OCI registry | |
| run: | | |
| digest_url=$(flux push artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} \ | |
| --path=. \ | |
| --source=${{ github.server_url }}/${{ github.repository }} \ | |
| --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ | |
| --annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \ | |
| --annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.licenses=Apache-2.0" \ | |
| --annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.title=Kustomizations" \ | |
| --annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" \ | |
| --output json | jq -r '. | .repository + "@" + .digest') | |
| flux tag artifact oci://ghcr.io/${{ github.repository }}:${{ github.run_id }} --tag latest | |
| echo "digest-url=$digest_url" >> "$GITHUB_OUTPUT" | |
| - name: Sign artifacts with cosign | |
| run: | | |
| cosign sign --yes ${{ steps.push.outputs.digest-url }} | |
| - name: Sign artifacts with Notation | |
| run: | | |
| notation sign --signature-format cose ghcr.io/${{ github.repository }}:${{ github.run_id }} | |
| notation sign --signature-format cose ghcr.io/${{ github.repository }}:latest | |
| semantic-release: | |
| if: github.event_name == 'push' && github.ref == 'refs/heads/main' | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: write | |
| packages: write | |
| issues: write | |
| pull-requests: write | |
| id-token: write | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup bun | |
| uses: oven-sh/setup-bun@v2 | |
| with: | |
| bun-version: latest | |
| - name: Install bun deps | |
| run: bun install | |
| - name: Setup Cosign CLI | |
| uses: sigstore/cosign-installer@v3 | |
| - name: Setup Notation CLI | |
| uses: notaryproject/notation-action/setup@v1 | |
| with: | |
| version: "1.1.0" | |
| - name: Setup Notation signing keys | |
| run: | | |
| mkdir -p ~/.config/notation/localkeys/ | |
| cp ./.notation/signingkeys.json ~/.config/notation/ | |
| cp ./.notation/notation.crt ~/.config/notation/localkeys/ | |
| echo "$NOTATION_KEY" > ~/.config/notation/localkeys/notation.key | |
| env: | |
| NOTATION_KEY: ${{ secrets.NOTATION_SIGNING_KEY }} | |
| - name: Setup Flux CLI | |
| uses: fluxcd/flux2/action@main | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - id: semantic-release | |
| name: Release | |
| env: | |
| GITHUB_TOKEN: ${{ github.token }} | |
| run: bunx semantic-release@v24 | |
| - if: steps.semantic-release.outputs.version != '' | |
| id: push | |
| name: Push to ghcr OCI registry | |
| run: | | |
| digest_url=$(flux push artifact oci://ghcr.io/${{ github.repository }}:${{ steps.semantic-release.outputs.version }} \ | |
| --path=. \ | |
| --source=${{ github.server_url }}/${{ github.repository }} \ | |
| --revision="$(git tag --points-at HEAD)@sha1:$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" \ | |
| --annotations="org.opencontainers.image.description=OCI artifact containing Kustomizations" \ | |
| --annotations="org.opencontainers.image.documentation=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.licenses=Apache-2.0" \ | |
| --annotations="org.opencontainers.image.revision=$(git rev-parse HEAD)" \ | |
| --annotations="org.opencontainers.image.title=Kustomizations" \ | |
| --annotations="org.opencontainers.image.url=${{ github.server_url }}/${{ github.repository }}" \ | |
| --annotations="org.opencontainers.image.version=$(git tag --points-at HEAD)" \ | |
| --output json | jq -r '. | .repository + "@" + .digest') | |
| echo "digest-url=$digest_url" >> "$GITHUB_OUTPUT" | |
| - if: steps.semantic-release.outputs.version != '' | |
| name: Sign artifacts with cosign | |
| run: | | |
| cosign sign --yes ${{ steps.push.outputs.digest-url }} | |
| - if: steps.semantic-release.outputs.version != '' | |
| name: Sign artifacts with Notation | |
| run: | | |
| notation sign --signature-format cose ghcr.io/${{ github.repository }}:${{ steps.semantic-release.outputs.version }} |