|
1 |
| -# This workflow uses actions that are not certified by GitHub. |
2 |
| -# They are provided by a third-party and are governed by |
3 |
| -# separate terms of service, privacy policy, and support |
4 |
| -# documentation. |
5 |
| - |
6 |
| -name: Kubesec |
| 1 | +name: Build with kaniko |
7 | 2 |
|
8 | 3 | on:
|
9 | 4 | push:
|
10 |
| - branches: [ "master" ] |
11 |
| - pull_request: |
12 |
| - # The branches below must be a subset of the branches above |
13 |
| - branches: [ "master" ] |
14 |
| - schedule: |
15 |
| - - cron: '27 14 * * 5' |
| 5 | + branches: [ "*" ] |
| 6 | + paths: |
| 7 | + - "app/**" |
| 8 | + - ".github/workflows/build-with-kaniko.yml" |
| 9 | + |
| 10 | + # Allows you to run this workflow manually from the Actions tab |
| 11 | + workflow_dispatch: |
| 12 | + |
| 13 | +env: |
| 14 | + KANIKO_CACHE_ARGS: "--cache=true --cache-copy-layers=true --cache-ttl=24h" |
16 | 15 |
|
17 | 16 | jobs:
|
18 |
| - lint: |
19 |
| - name: Kubesec |
20 |
| - runs-on: amg-runner-set |
| 17 | + build-to-ghcr: |
| 18 | + runs-on: arc-runner-set # uses self-hosted runner scale set |
| 19 | + container: |
| 20 | + image: gcr.io/kaniko-project/executor:v1.20.0-debug # the kaniko image |
21 | 21 | permissions:
|
22 |
| - actions: read |
23 |
| - contents: read |
24 |
| - security-events: write |
| 22 | + contents: read # read the repository |
| 23 | + packages: write # to push to GHCR, omit for other container registry. https://docs.github.com/en/packages/managing-github-packages-using-github-actions-workflows/publishing-and-installing-a-package-with-github-actions#publishing-a-package-using-an-action |
| 24 | + |
25 | 25 | steps:
|
26 |
| - - name: Checkout code |
27 |
| - uses: actions/checkout@v4 |
| 26 | + - name: Build and Push Image to GHCR with kaniko |
| 27 | + run: | |
| 28 | + cat <<EOF > /kaniko/.docker/config.json |
| 29 | + { |
| 30 | + "auths": { |
| 31 | + "ghcr.io": { |
| 32 | + "auth": "$(echo -n "$GIT_USERNAME:$GIT_PASSWORD" | base64 -w0)" |
| 33 | + } |
| 34 | + } |
| 35 | + } |
| 36 | + EOF |
28 | 37 |
|
29 |
| - - name: Run kubesec scanner |
30 |
| - uses: controlplaneio/kubesec-action@43d0ddff5ffee89a6bb9f29b64cd865411137b14 |
31 |
| - with: |
32 |
| - input: file.yaml # specify configuration file to scan here |
33 |
| - format: template |
34 |
| - template: template/sarif.tpl |
35 |
| - output: kubesec-results.sarif |
36 |
| - exit-code: "0" |
| 38 | + /kaniko/executor --dockerfile="./app/Dockerfile" \ |
| 39 | + --context="${{ github.repositoryUrl }}#${{ github.ref }}#${{ github.sha }}" \ |
| 40 | + --destination="$GH_REGISTRY/$IMAGE_NAME:$(echo ${GITHUB_SHA} | head -c 7)" \ |
| 41 | + ${{ env.KANIKO_CACHE_ARGS }} \ |
| 42 | + --push-retry 5 |
| 43 | + env: # needed to authenticate to github and download the repo |
| 44 | + GIT_USERNAME: ${{ github.actor }} |
| 45 | + GIT_PASSWORD: ${{ secrets.GITHUB_TOKEN }} |
| 46 | + GH_REGISTRY: "ghcr.io" |
| 47 | + IMAGE_NAME: "${{ github.repository }}/nginx" |
37 | 48 |
|
38 |
| - - name: Upload Kubesec scan results to GitHub Security tab |
39 |
| - uses: github/codeql-action/upload-sarif@v3 |
40 |
| - with: |
41 |
| - sarif_file: kubesec-results.sarif |
| 49 | + |
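Review bot: The `branches: [ "*" ]` filter on the push trigger (new line 5) matches only branch names without a `/`, so pushes to branches such as `feature/foo` or `release/1.0` would not start the build; if every branch is intended, `branches: [ "**" ]` is the form that covers them. In the run step (new lines 38–42), `${{ github.repositoryUrl }}#${{ github.ref }}#${{ github.sha }}` and `${{ env.KANIKO_CACHE_ARGS }}` are expanded into the shell script text, whereas the credentials and image name are passed through `env:`; applying the same pattern keeps expression output out of the script, e.g. `GIT_CONTEXT: "${{ github.repositoryUrl }}#${{ github.ref }}#${{ github.sha }}"` under the step's `env:` and `--context="$GIT_CONTEXT"` in the command. Because the trigger is `push` on this repository, anyone who can shape `github.ref` already has write access, so this is a consistency and hardening point rather than a direct exposure. The `packages: write` token is written base64-encoded into `/kaniko/.docker/config.json` inside the job container, which is expected for kaniko; a short comment on new line 28 noting that the file is scoped to the ephemeral container would make the intent clear to the next reader.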