Skip to content
Commit Stage

Use multi-arch Java Buildpacks #26

Sign in to view logs

Use multi-arch Java Buildpacks

Use multi-arch Java Buildpacks #26

Workflow file for this run

.github/workflows/commit-stage.yml at 13b99d6
name: Commit Stage
on: push
env:
REGISTRY: ghcr.io
IMAGE_NAME: thomasvitale/policy-demo
VERSION: ${{ github.sha }}
jobs:
build:
name: Build
runs-on: ubuntu-22.04
permissions:
attestations: write
contents: read
id-token: write
packages: write
security-events: write
outputs:
image-digest: ${{ steps.image-info.outputs.digest }}
image-name: ${{ steps.image-info.outputs.name }}
steps:
- name: Check out source code
uses: actions/checkout@v4
- name: Install Cosign
uses: sigstore/cosign-installer@v3
- name: Set up Java
uses: actions/setup-java@v4
with:
java-version: 21
distribution: liberica
cache: gradle
- name: Compile and test
run: |
cd policies/gradle
./gradlew clean build
- name: Upload SBOM
uses: actions/upload-artifact@v4
with:
name: sbom.json
path: policies/gradle/build/reports/application.cdx.json
- name: SBOM vulnerability scanning
uses: aquasecurity/trivy-action@master
with:
scan-type: 'sbom'
scan-ref: 'policies/gradle/build/reports/application.cdx.json'
format: 'sarif'
output: 'trivy-results-source-code.sarif'
- name: Upload SBOM vulnerability report
uses: actions/upload-artifact@v4
with:
name: trivy-results-source-code.sarif
path: trivy-results-source-code.sarif
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v3
if: success() || failure()
with:
sarif_file: 'trivy-results-source-code.sarif'
category: "source-code"
- name: Package as OCI image
run: |
cd policies/gradle
./gradlew bootBuildImage --imageName ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
- name: OCI image vulnerability scanning
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
format: 'sarif'
output: 'trivy-results-oci-image.sarif'
- name: Upload vulnerability report
uses: github/codeql-action/upload-sarif@v3
if: success() || failure()
with:
sarif_file: 'trivy-results-oci-image.sarif'
category: "oci-image"
- name: Authenticate with the container registry
uses: docker/login-action@v3
with:
username: ${{ github.actor }}
password: ${{ secrets.IMAGE_PUSH_TOKEN }}
registry: ${{ env.REGISTRY }}
- name: Publish OCI image
run: |
docker tag ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }} ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.VERSION }}
docker push ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest
- name: Get OCI image info
id: image-info
run: |
image_reference=$(docker inspect --format='{{index .RepoDigests 0}}' ${REGISTRY}/${IMAGE_NAME}:${VERSION})
echo $image_reference
image_digest=$(echo "$image_reference" | awk -F '@' '{print $2}')
echo $image_digest
echo "IMAGE_DIGEST=${image_digest}" >> $GITHUB_ENV
echo "digest=${image_digest}" >> $GITHUB_OUTPUT
echo "name=${REGISTRY}/${IMAGE_NAME}" >> $GITHUB_OUTPUT
- name: Sign image
run: |
cosign sign --yes "${REGISTRY}/${IMAGE_NAME}@${IMAGE_DIGEST}"
provenance:
needs: [build]
permissions:
actions: read
id-token: write
packages: write
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v2.0.0
with:
image: ${{ needs.build.outputs.image-name }}
digest: ${{ needs.build.outputs.image-digest }}
registry-username: ${{ github.actor }}
secrets:
registry-password: ${{ secrets.IMAGE_PUSH_TOKEN }}