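---
name: 'build-and-publish-secdb'
description: |
  Build the security database (security.json) with wolfictl and upload it
  to a GCS bucket.

  Caller-controlled inputs that reach a shell step are passed through `env`
  and expanded as quoted shell variables, never spliced into the script as
  `${{ inputs.* }}`, so a hostile or malformed input cannot inject extra
  commands or extra gcloud flags.
inputs:
  workload_identity_provider:
    description: |
      GCP Workload Identity Federation provider used by
      google-github-actions/auth.
    required: true
    default: ''
  service_account:
    description: |
      GCP service account to impersonate. Optional: left empty, the
      federated identity itself is used.
    required: false
    default: ''
  gcp_project_id:
    description: |
      GCP project id.
    required: true
    default: ''
  wolfictl_args:
    description: |
      Arguments passed to `wolfictl` to build the advisory secdb. The
      upload step expects the build to leave ./security.json in the
      workspace.
    required: true
    default: ''
  gcs_apk_bucket_name:
    description: |
      GCS bucket to store the security.json.
    required: true
    default: ''
  gcs_apk_directory_name:
    description: |
      Directory (object prefix) inside the bucket to store the
      security.json. Leave empty to upload to the bucket root; surrounding
      slashes are stripped.
    required: false
    default: ''
  enable_acl_public_read:
    description: |
      Make the uploaded object publicly readable. Accepts 'true' or the
      legacy literal '--canned-acl=publicRead'; '' or 'false' leaves the
      object private. Any other value fails the step. Only this one flag
      is ever appended to the gcloud command.
    required: false
    default: ''
runs:
  using: "composite"
  steps:
    # NOTE(review): the two google-github-actions steps are pinned to a
    # mutable major tag. Pin them to a full commit SHA (tag kept in a
    # trailing comment) to close the supply-chain gap; the wolfictl image
    # below is already digest-pinned.
    - id: auth
      name: 'Authenticate to Google Cloud'
      uses: google-github-actions/auth@v2
      with:
        workload_identity_provider: ${{ inputs.workload_identity_provider }}
        service_account: ${{ inputs.service_account }}

    - uses: google-github-actions/setup-gcloud@v2
      with:
        project_id: ${{ inputs.gcp_project_id }}

    # Smoke test: the identity must be able to list buckets in the
    # project (storage.buckets.list). Output is discarded; a failure stops
    # the job before anything is built or uploaded.
    - name: 'Check that GCloud is properly configured'
      shell: bash
      run: |
        gcloud info
        gcloud --quiet alpha storage ls 1> /dev/null

    # Digest-pinned builder image; the ':latest' tag is informational only,
    # the sha256 digest is what gets pulled.
    - name: Build the security database
      uses: docker://ghcr.io/wolfi-dev/sdk:latest@sha256:03f19181c654d30c23627c3f20911ff08261d631f7b5ef0dbd29efdeb30e0055
      with:
        entrypoint: wolfictl
        args: ${{ inputs.wolfictl_args }}

    - name: 'Upload the security database to a bucket'
      shell: bash
      # Inputs reach bash as environment data, not as script text.
      env:
        GCS_BUCKET: ${{ inputs.gcs_apk_bucket_name }}
        GCS_DIR: ${{ inputs.gcs_apk_directory_name }}
        ACL_PUBLIC_READ: ${{ inputs.enable_acl_public_read }}
      run: |
        set -euo pipefail

        # Fail loudly instead of letting gcloud report a missing source.
        if [[ ! -s ./security.json ]]; then
          echo "::error::./security.json was not produced by the build step" >&2
          exit 1
        fi
        # 'required: true' on an action input is not enforced at runtime.
        if [[ -z "${GCS_BUCKET}" ]]; then
          echo "::error::gcs_apk_bucket_name must not be empty" >&2
          exit 1
        fi

        # Only the one documented flag can be added; any other value is
        # rejected rather than forwarded to gcloud.
        acl_flags=()
        case "${ACL_PUBLIC_READ}" in
          ''|false) ;;
          true|--canned-acl=publicRead) acl_flags+=(--canned-acl=publicRead) ;;
          *)
            echo "::error::enable_acl_public_read must be '', 'false', 'true' or '--canned-acl=publicRead'" >&2
            exit 1
            ;;
        esac

        # Normalise the prefix so an empty or slash-wrapped directory never
        # yields a gs://bucket//... destination with an empty path segment.
        prefix="${GCS_DIR#/}"
        prefix="${prefix%/}"
        dest="gs://${GCS_BUCKET}/"
        if [[ -n "${prefix}" ]]; then
          dest+="${prefix}/"
        fi

        # Don't cache the security.json.
        # ${arr[@]+"${arr[@]}"} keeps 'set -u' happy when the array is empty.
        gcloud --quiet alpha storage cp \
          ${acl_flags[@]+"${acl_flags[@]}"} --cache-control=no-store \
          ./security.json \
          "${dest}"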