chore(ci): bump docker/setup-buildx-action from 3.0.0 to 3.2.0 (#5) #34
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: ci | |
| on: | |
| merge_group: | |
| push: | |
| branches: | |
| - main | |
| - master | |
| paths-ignore: | |
| - '**/*.md' | |
| pull_request: | |
| branches: | |
| - "**" | |
| paths-ignore: | |
| - '**/*.md' | |
| env: | |
| GOLANG_VERSION: '1.22.x' | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| jobs: | |
| build: | |
| name: Build Binary and Docker Image | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| packages: write # to upload docker image(s) to ghcr.io | |
| id-token: write # identity challenge with sigstore/fulcio | |
| env: | |
| GOFLAGS: -trimpath | |
| GOOS: linux | |
| GOARCH: amd64 | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: ${{ env.GOLANG_VERSION }} | |
| - name: Build Go Binary | |
| run: go build -o .build/${GOOS}-${GOARCH}/node_exporter | |
| - name: Generate Go Binary hashes | |
| shell: bash | |
| id: binhash | |
| run: | | |
| # single-line base64 encoded checksum(s) | |
| echo "hashes=$(cd .build/${GOOS}-${GOARCH} >/dev/null 2>&1 && sha256sum node_exporter | tee node_exporter.sha256sum | base64 -w0)" >>"$GITHUB_OUTPUT" | |
| - name: Upload Go Binary | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: node_exporter | |
| path: .build/${GOOS}-${GOARCH}/node_exporter | |
| retention-days: 14 # 90 is the default | |
| - name: Upload Go Binary Checksum | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: node_exporter.sha256sum | |
| path: .build/${GOOS}-${GOARCH}/node_exporter.sha256sum | |
| retention-days: 14 # 90 is the default | |
| - name: Setup Docker | |
| uses: docker/setup-buildx-action@2b51285047da1547ffb1b2203d8be4c0af6b1f20 # v3.2.0 | |
| id: buildx | |
| - name: Extract GitHub Metadata for Docker | |
| id: meta | |
| uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1 | |
| with: | |
| images: ghcr.io/${{ github.repository }} | |
| - name: Login to GitHub Container Registry | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build Docker Image (and push if not PR) | |
| id: build-and-push | |
| uses: docker/build-push-action@2cdde995de11925a030ce8070c3d77a52ffcf1c0 # v5.3.0 | |
| with: | |
| context: . | |
| file: Dockerfile | |
| load: true | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: | | |
| type=gha,scope=${{ github.workflow }} | |
| cache-to: | | |
| type=gha,scope=${{ github.workflow }},mode=max | |
| - name: Install cosign (if signing) | |
| if: github.event_name != 'pull_request' | |
| uses: sigstore/cosign-installer@e1523de7571e31dbe865fd2e80c5c7c23ae71eb4 # v3.4.0 | |
| - name: Sign the published Docker image | |
| if: ${{ github.event_name != 'pull_request' }} | |
| env: | |
| # https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable | |
| TAGS: ${{ steps.meta.outputs.tags }} | |
| DIGEST: ${{ steps.build-and-push.outputs.digest }} | |
| # This step uses the identity token to provision an ephemeral certificate | |
| # against the sigstore community Fulcio instance. | |
| run: echo "${TAGS}" | xargs -I {} cosign sign --yes {}@${DIGEST} | |
| - name: Generate SBOM with Trivy | |
| uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0 | |
| with: | |
| image-ref: ${{ steps.meta.outputs.tags }} | |
| scan-type: image | |
| format: cyclonedx | |
| output: trivy-sbom.json | |
| - name: Scan Image with Trivy | |
| uses: aquasecurity/trivy-action@062f2592684a31eb3aa050cc61e7ca1451cecd3d # v0.18.0 | |
| with: | |
| scan-ref: trivy-sbom.json | |
| scan-type: sbom | |
| ignore-unfixed: true | |
| format: sarif | |
| output: trivy-image-vuln-report.sarif | |
| - name: Upload Trivy SBOM | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: trivy-sbom | |
| path: trivy-sbom.json | |
| retention-days: 14 # 90 is the default | |
| - name: Upload Trivy Vulnerability Report | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: trivy-image-vuln-report | |
| path: trivy-image-vuln-report.sarif | |
| retention-days: 14 # 90 is the default | |
| - name: Generate Trivy hashes | |
| shell: bash | |
| id: trivyhash | |
| run: | | |
| # single-line base64 encoded checksum(s) | |
| echo "hashes=$(sha256sum trivy-sbom.json trivy-image-vuln-report.sarif | base64 -w0)" >>"$GITHUB_OUTPUT" | |
| outputs: | |
| binhashes: ${{ steps.binhash.outputs.hashes }} | |
| trivyhashes: ${{ steps.trivyhash.outputs.hashes }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| image-digest: ${{ steps.build-and-push.outputs.digest }} | |
| test: | |
| name: Unit Testing | |
| runs-on: ubuntu-latest | |
| env: | |
| GOFLAGS: -trimpath -tags=nobtrfs | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: ${{ env.GOLANG_VERSION }} | |
| - name: Test (Unit) | |
| run: | | |
| make collector/fixtures/sys/.unpacked collector/fixtures/udev/.unpacked | |
| go install gotest.tools/gotestsum@latest | |
| gotestsum --format github-actions --jsonfile test-results/unittests.json --junitfile test-results/unittests.xml -- -coverprofile=coverage.out ./... | |
| - name: Upload code coverage | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: code-coverage | |
| path: coverage.out | |
| - name: Generate test results | |
| uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1 | |
| with: | |
| name: test-results | |
| path: test-results/ | |
| lint: | |
| name: Linting with Go ${{ matrix.go-version }} | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read # for actions/checkout to fetch code | |
| pull-requests: read # for golangci/golangci-lint-action to fetch pull requests | |
| steps: | |
| - name: Checkout Repo | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| persist-credentials: false | |
| - name: Setup Go | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| cache: false # golangci-lint-action has its own cache | |
| go-version: ${{ env.GOLANG_VERSION }} | |
| - name: golangci-lint | |
| env: | |
| GOFLAGS: -trimpath | |
| uses: golangci/golangci-lint-action@3cfe3a4abbb849e10058ce4af15d205b6da42804 # v4.0.0 | |
| with: | |
| version: v1.56.2 | |
| publish-binary-provenance: | |
| name: Publish Binary Provenance | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: write # for SLSA to upload attestations as build assets | |
| actions: read # for SLSA to read the environment | |
| id-token: write # for SLSA to create OIDC tokens for signing | |
| # Note: SLSA action must be referenced by a tag rather than by a digest | |
| # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.binhashes }}" | |
| publish-image-provenance: | |
| name: Publish Image Provenance | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: write # for SLSA to upload attestations as build assets | |
| actions: read # for SLSA to read the environment | |
| id-token: write # for SLSA to create OIDC tokens for signing | |
| packages: write # for SLSA to upload attestations to registry | |
| # Note: SLSA action must be referenced by a tag rather than by a digest | |
| # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0 | |
| with: | |
| image: ${{ needs.build.outputs.tags }} | |
| digest: ${{ needs.build.outputs.image-digest }} | |
| registry-username: ${{ github.actor }} | |
| secrets: | |
| registry-password: ${{ secrets.GITHUB_TOKEN }} | |
| publish-sbom-provenance: | |
| name: Publish SBOM Provenance | |
| if: ${{ github.event_name != 'pull_request' }} | |
| needs: | |
| - build | |
| permissions: | |
| contents: write # for SLSA to upload attestations as build assets | |
| actions: read # for SLSA to read the environment | |
| id-token: write # for SLSA to create OIDC tokens for signing | |
| # Note: SLSA action must be referenced by a tag rather than by a digest | |
| # https://github.com/slsa-framework/slsa-github-generator/blob/main/internal/builders/container/README.md#referencing-the-slsa-generator | |
| uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0 | |
| with: | |
| base64-subjects: "${{ needs.build.outputs.trivyhashes }}" |