Expand file tree Collapse file tree Original file line number Diff line number Diff line change 6565jobs :
6666 build-and-push-image :
6767 permissions :
68+ artifact-metadata : write
6869 attestations : write
6970 contents : read
7071 id-token : write
@@ -81,24 +82,18 @@ jobs:
8182 disable-sudo : ${{ inputs.disable-sudo }}
8283 egress-policy : block
8384 allowed-endpoints : >
85+ *.docker.io:443
8486 *.githubapp.com:443
87+ *.githubusercontent.com:443
88+ *.sigstore.dev:443
8589 *.trivy.dev:443
8690 api.github.com:443
87- auth. docker.io :443
91+ docker-images-prod.*.r2.cloudflarestorage.com :443
8892 download.docker.com:443
89- fulcio.sigstore.dev:443
9093 ghcr.io:443
9194 github.com:443
92- index.docker.io:443
9395 mirror.gcr.io:443
94- objects.githubusercontent.com:443
95- pkg-containers.githubusercontent.com:443
9696 production.cloudflare.docker.com:443
97- raw.githubusercontent.com:443
98- registry-1.docker.io:443
99- rekor.sigstore.dev:443
100- release-assets.githubusercontent.com:443
101- tuf-repo-cdn.sigstore.dev:443
10297 ${{ inputs.egress-policy-allowlist }}
10398 - uses : actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
10499 with :
@@ -157,6 +152,7 @@ jobs:
157152 subject-name : ${{ inputs.registry }}/${{ inputs.image }}
158153 subject-digest : ${{ steps.build.outputs.digest }}
159154 push-to-registry : true
155+ create-storage-record : ${{ startsWith(inputs.registry, 'ghcr.io') }}
160156 - name : Run Trivy Scan
161157 uses : aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
162158 if : inputs.scan-image
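Review bot: The egress hunk replaces ten host-specific `allowed-endpoints` entries with wildcards (`*.docker.io:443`, `*.githubusercontent.com:443`, `*.sigstore.dev:443`), so under `egress-policy: block` any host in those zones is now reachable instead of the exact endpoints the job contacts, which gives up most of the least-privilege value the block policy was providing and stops the list from documenting what the build actually needs. The new `docker-images-prod.*.r2.cloudflarestorage.com :443` entry also puts a wildcard in a middle label (and, as rendered, has a space before `:443`); I would confirm that harden-runner matches that form before relying on it, since a non-matching entry fails closed and breaks the image pull. If the wildcards were added because registry hosts kept changing, I would keep the precise entries and record the reason instead, e.g. `fulcio.sigstore.dev:443`, `rekor.sigstore.dev:443`, `tuf-repo-cdn.sigstore.dev:443` preceded by `# sigstore keyless signing, transparency log and TUF root - keep host-specific`. The job body continues outside the hunks shown here.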
Original file line number Diff line number Diff line change 88jobs :
99 build-push-docker-image :
1010 permissions :
11+ artifact-metadata : write
1112 attestations : write
1213 contents : read
1314 id-token : write
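Review bot: `artifact-metadata: write` is granted to this job unconditionally, but nothing in the hunk shows the step that needs it; in the sibling workflow the matching grant backs a `create-storage-record` input that is only enabled for ghcr.io registries. If this job's attest step does not create a storage record, the new scope is unused and should be dropped; if it does, a why-comment such as `# required for attest-build-provenance create-storage-record` above the line would explain the grant to the next reader. The `build-push-docker-image` job body continues outside the hunk, so I cannot confirm which case applies.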