Update cicd

This commit is contained in:
Owen
2025-12-11 16:40:50 -05:00
parent bd86abe8d5
commit 533e0b9ca7
2 changed files with 4313 additions and 18 deletions


@@ -334,7 +334,7 @@ jobs:
with: with:
context: . context: .
push: true push: true
platforms: linux/amd64,linux/arm64 platforms: linux/amd64,linux/arm64,linux/arm/v7
tags: ${{ steps.meta.outputs.tags }} tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }} labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=${{ github.repository }} cache-from: type=gha,scope=${{ github.repository }}
@@ -392,6 +392,8 @@ jobs:
set -euo pipefail set -euo pipefail
echo "Signing ${GHCR_REF} (digest) recursively with provided key" echo "Signing ${GHCR_REF} (digest) recursively with provided key"
cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${GHCR_REF}" cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${GHCR_REF}"
echo "Waiting 30 seconds for signatures to propagate..."
sleep 30
shell: bash shell: bash
- name: Generate SBOM (SPDX JSON) - name: Generate SBOM (SPDX JSON)
@@ -556,24 +558,24 @@ jobs:
cosign verify --key env://COSIGN_PUBLIC_KEY "$DOCKERHUB_IMAGE:$TAG" -o text cosign verify --key env://COSIGN_PUBLIC_KEY "$DOCKERHUB_IMAGE:$TAG" -o text
shell: bash shell: bash
- name: Trivy scan (GHCR image) # - name: Trivy scan (GHCR image)
id: trivy # id: trivy
uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1 # uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
with: # with:
image-ref: ${{ env.GHCR_IMAGE }}@${{ steps.build.outputs.digest }} # image-ref: ${{ env.GHCR_IMAGE }}@${{ steps.build.outputs.digest }}
format: sarif # format: sarif
output: trivy-ghcr.sarif # output: trivy-ghcr.sarif
ignore-unfixed: true # ignore-unfixed: true
vuln-type: os,library # vuln-type: os,library
severity: CRITICAL,HIGH # severity: CRITICAL,HIGH
exit-code: ${{ (vars.TRIVY_FAIL || '0') }} # exit-code: ${{ (vars.TRIVY_FAIL || '0') }}
- name: Upload SARIF # - name: Upload SARIF,trivy
if: ${{ always() && hashFiles('trivy-ghcr.sarif') != '' }} # if: ${{ always() && hashFiles('trivy-ghcr.sarif') != '' }}
uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5 # uses: github/codeql-action/upload-sarif@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
with: # with:
sarif_file: trivy-ghcr.sarif # sarif_file: trivy-ghcr.sarif
category: Image Vulnerability Scan # category: Image Vulnerability Scan
- name: Build binaries - name: Build binaries
env: env:
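Review bot: Commenting out the Trivy scan and its SARIF upload (the block from `# - name: Trivy scan (GHCR image)` through `# category: Image Vulnerability Scan`) drops vulnerability scanning of an image the workflow still pushes and signs, and the commit message does not say why; the step was already non-blocking by default (`exit-code: ${{ (vars.TRIVY_FAIL || '0') }}`), so disabling it removes visibility without unblocking anything, and if it has to stay off it should at least carry a dated `# TODO(owner): re-enable; disabled because …` comment above it. The added `sleep 30` after `cosign sign` is a fixed wait on an unspecified registry propagation delay, which can still race on a slow registry and wastes time on a fast one; a bounded poll of `cosign verify` against `${GHCR_REF}` that fails the job if the signature never becomes readable is more robust, as sketched below (it needs `COSIGN_PUBLIC_KEY` exported into this step's env, as the later verify step already does). The commit also appears to check in a 4293-line `log.log`; if that is captured CI output, confirm it holds no tokens or signing material before it lands. The jobs these `run:` steps belong to begin outside the hunk.
```yaml
          cosign sign --key env://COSIGN_PRIVATE_KEY --recursive "${GHCR_REF}"
          # Poll until the signature is readable instead of sleeping a fixed 30s;
          # fail the job if it never becomes verifiable (12 x 5s = 60s budget).
          for attempt in $(seq 1 12); do
            if cosign verify --key env://COSIGN_PUBLIC_KEY "${GHCR_REF}" >/dev/null 2>&1; then
              echo "Signature on ${GHCR_REF} verified after ${attempt} attempt(s)"
              break
            fi
            if [ "${attempt}" -eq 12 ]; then
              echo "Signature on ${GHCR_REF} not verifiable after 60s" >&2
              exit 1
            fi
            sleep 5
          done
```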

4293
log.log Normal file
