Skip to content
build and scan PR container

Bump anothrNick/github-tag-action from 1.70.0 to 1.71.0 #117

Sign in to view logs

Bump anothrNick/github-tag-action from 1.70.0 to 1.71.0

Bump anothrNick/github-tag-action from 1.70.0 to 1.71.0 #117

Workflow file for this run

.github/workflows/build-and-scan-PR-container.yml at 544e833
name: build and scan PR container
on:
pull_request:
jobs:
build:
name: Build PR image
runs-on: ubuntu-22.04
permissions:
contents: read
packages: write
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: create maven settings.xml
uses: s4u/[email protected]
with:
servers: |
[{
"id":"github-clearinghouse",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
},
{
"id":"github-crypt4gh",
"username": "${{github.actor}}",
"password": "${{ secrets.GITHUB_TOKEN }}"
}]
- name: Copy settings.xml to project root
shell: bash
run: cp /home/runner/.m2/settings.xml ./settings.xml
- name: Log in to the Github Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build container
uses: docker/build-push-action@v6
with:
context: .
file: ./Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}:PR${{ github.event.number }}
ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
labels: |
org.opencontainers.image.source=${{ github.event.repository.clone_url }}
org.opencontainers.image.created=$(date -u +'%Y-%m-%dT%H:%M:%SZ')
org.opencontainers.image.revision=${{ github.sha }}
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8
with:
image-ref: ghcr.io/${{ github.repository }}:sha-${{ github.sha }}
format: "sarif"
hide-progress: true
ignore-unfixed: true
output: 'trivy-results.sarif'
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'