chore(deps): bump the gh-actions-packages group with 5 updates #552
# Image build pipeline: per-architecture build jobs followed by a manifest
# merge job (see the `jobs` section of this file).
name: "Build"

# Triggers. Pushes and pull requests are limited to the master branch.
# By default GitHub gives pull_request runs from forks a read-only
# GITHUB_TOKEN and no secrets, so steps that need `packages: write` or
# ORACLE_JAVA8_TOKEN only have working credentials on trusted refs.
on:
  push:
    branches: [master]
  pull_request:
    branches: [master]
  schedule:
    # Weekly rebuild: 00:00 UTC every Sunday.
    - cron: "0 0 * * 0"
  # Allow manual runs from the Actions UI / API.
  workflow_dispatch:

# One active run per workflow and ref. A newer run cancels the older one
# everywhere except master, where in-flight runs are left to finish.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: ${{ github.ref != 'refs/heads/master' }}
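# Every third-party action below is pinned to a full commit SHA; the trailing
# comment records the release that SHA is meant to correspond to. A dependency
# bump must change the SHA and the comment together.
jobs:
  # amd64 leg: build, test, describe, push by digest, hand digests to the
  # merge job through a short-lived artifact.
  build_amd64:
    name: Build amd64 images (push by digest)
    # Job-scoped token: read the repository, write to the package registry.
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-24.04
    # NOTE(review): presumably ORACLE_JAVA8_TOKEN is scoped to this
    # environment and covered by its protection rules; confirm in settings.
    environment:
      name: ci-build
    outputs:
      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # 6.0.2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # 4.1.0
      # Authenticates with the per-run GITHUB_TOKEN, not a long-lived PAT.
      - name: Login to ghcr.io
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # 4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Free Disk Space (Ubuntu)  # Reclaim disk space for build
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
        with:
          docker-images: false  # Do not remove locally built images (including trivy scanner)
      # ORACLE_JAVA8_TOKEN is exported only to the build and push steps; the
      # test and describe steps run without it.
      - name: Build images
        id: build
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
        run: ./build
      - name: Test images
        run: ./build --test
      # Redirect target is quoted so the summary path is never word-split
      # or glob-expanded by the shell.
      - name: Describe images
        run: ./build --describe >> "$GITHUB_STEP_SUMMARY"
      - name: Push images by digest
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
        run: ./build --push
      # Fail the job if no digest file was produced; keep the artifact for
      # one day only, since it is consumed by merge_manifests in the same run.
      - name: Upload digest metadata
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: digests-amd64
          path: digests/amd64-*.json
          if-no-files-found: error
          retention-days: 1

  # arm64 leg: same sequence as build_amd64, on an arm runner and with
  # PLATFORM=linux/arm64 passed to every ./build invocation.
  build_arm64:
    name: Build arm64 images (push by digest)
    permissions:
      contents: read
      packages: write
    runs-on: ubuntu-24.04-arm
    environment:
      name: ci-build
    outputs:
      latest_image_tag: ${{ steps.build.outputs.LATEST_IMAGE_TAG }}
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # 6.0.2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # 4.1.0
      - name: Login to ghcr.io
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # 4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Free Disk Space (Ubuntu)
        uses: jlumbroso/free-disk-space@54081f138730dfa15788a46383842cd2f914a1be  # v1.3.1
        with:
          docker-images: false
      # As in build_amd64, the secret reaches only the build and push steps.
      - name: Build arm64 images
        id: build
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
          PLATFORM: linux/arm64
        run: ./build
      - name: Test arm64 images
        env:
          PLATFORM: linux/arm64
        run: ./build --test
      - name: Describe arm64 images
        env:
          PLATFORM: linux/arm64
        run: ./build --describe >> "$GITHUB_STEP_SUMMARY"
      - name: Push arm64 images by digest
        env:
          ORACLE_JAVA8_TOKEN: ${{ secrets.ORACLE_JAVA8_TOKEN }}
          PLATFORM: linux/arm64
        run: ./build --push
      - name: Upload digest metadata
        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a  # v7.0.1
        with:
          name: digests-arm64
          path: digests/arm64-*.json
          if-no-files-found: error
          retention-days: 1

  # Runs after both build legs: combines the per-arch digests into
  # multi-arch manifests, then scans one image per architecture with Trivy
  # and uploads the findings to code scanning.
  merge_manifests:
    name: Merge per-arch digests into multi-arch manifests
    needs: [build_amd64, build_arm64]
    # security-events: write is what the SARIF upload steps require.
    # This job declares no environment and passes no ORACLE_JAVA8_TOKEN.
    permissions:
      contents: read
      security-events: write
      packages: write
    runs-on: ubuntu-24.04
    steps:
      - name: Checkout repository
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # 6.0.2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5  # 4.1.0
      - name: Login to ghcr.io
        uses: docker/login-action@650006c6eb7dba73a995cc03b0b2d7f5ca915bee  # 4.2.0
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Both digest artifacts land in the same `digests` directory.
      - name: Download amd64 digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          name: digests-amd64
          path: digests
      - name: Download arm64 digests
        uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c  # v8.0.1
        with:
          name: digests-arm64
          path: digests
      - name: Create multi-arch manifests
        run: ./build --merge
      # NOTE(review): the scans run after the manifests are created and no
      # `exit-code` input is set, so they appear to report findings rather
      # than gate publication; confirm that is the intended policy.
      # Only CRITICAL and HIGH findings are written to the SARIF output.
      - name: Run Trivy vulnerability scanner (amd64)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
        with:
          image-ref: '${{ needs.build_amd64.outputs.latest_image_tag }}'
          format: 'sarif'
          output: 'trivy-results-amd64.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          # Two registries are listed for each vulnerability database.
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
          TRIVY_PLATFORM: linux/amd64
      # Separate `category` per architecture keeps the two result sets
      # distinct in code scanning.
      - name: Upload amd64 Trivy results
        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
        with:
          sarif_file: 'trivy-results-amd64.sarif'
          category: trivy-amd64
      - name: Run Trivy vulnerability scanner (arm64)
        uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25  # v0.36.0
        with:
          image-ref: '${{ needs.build_arm64.outputs.latest_image_tag }}'
          format: 'sarif'
          output: 'trivy-results-arm64.sarif'
          severity: 'CRITICAL,HIGH'
          limit-severities-for-sarif: true
        env:
          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-java-db,public.ecr.aws/aquasecurity/trivy-java-db
          TRIVY_PLATFORM: linux/arm64
      - name: Upload arm64 Trivy results
        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa  # v4.36.0
        with:
          sarif_file: 'trivy-results-arm64.sarif'
          category: trivy-arm64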