name: Artifacts on: push: branches: - master tags: - v[0-9]+.[0-9]+.[0-9]+ pull_request: jobs: container-images: name: Container images runs-on: ubuntu-latest strategy: matrix: platform: - linux/amd64 - linux/arm/v7 - linux/arm64 variant: - alpine - distroless outputs: version: ${{ steps.details.outputs.version }} steps: - name: Checkout uses: actions/checkout@v3 - name: Calculate container image details id: details env: CONTAINER_IMAGES: "ghcr.io/dexidp/dex dexidp/dex" run: | case $GITHUB_REF in refs/tags/*) VERSION=${GITHUB_REF#refs/tags/};; refs/heads/*) VERSION=$(echo ${GITHUB_REF#refs/heads/} | sed -r 's#/+#-#g');; refs/pull/*) VERSION=pr-${{ github.event.number }};; *) VERSION=sha-${GITHUB_SHA::8};; esac VERSION_SUFFIX="" if [[ "${{ matrix.variant }}" != "alpine" ]]; then VERSION_SUFFIX="-${{ matrix.variant }}" fi TAGS=() for image in $CONTAINER_IMAGES; do TAGS+=("${image}:${VERSION}${VERSION_SUFFIX}") if [[ "${{ github.event.repository.default_branch }}" == "$VERSION" ]]; then TAGS+=("${image}:latest${VERSION_SUFFIX}") fi done echo ::set-output name=version::${VERSION} echo ::set-output name=tags::$(IFS=,; echo "${TAGS[*]}") echo ::set-output name=commit_hash::${GITHUB_SHA::8} echo ::set-output name=build_date::$(git show -s --format=%cI) - name: Set up QEMU uses: docker/setup-qemu-action@v1 with: platforms: all - name: Set up Docker Buildx uses: docker/setup-buildx-action@v1 - name: Login to GitHub Container Registry uses: docker/login-action@v1 with: registry: ghcr.io username: ${{ github.repository_owner }} password: ${{ github.token }} if: github.event_name == 'push' - name: Login to Docker Hub uses: docker/login-action@v1 with: username: ${{ secrets.DOCKER_USERNAME }} password: ${{ secrets.DOCKER_PASSWORD }} if: github.event_name == 'push' - name: Build and push uses: docker/build-push-action@v2 with: context: . platforms: ${{ matrix.platform }} cache-from: type=gha cache-to: type=gha,mode=max push: ${{ github.event_name == 'push' }} tags: ${{ steps.details.outputs.tags }} build-args: | BASE_IMAGE=${{ matrix.variant }} VERSION=${{ steps.details.outputs.version }} COMMIT_HASH=${{ steps.details.outputs.commit_hash }} BUILD_DATE=${{ steps.details.outputs.build_date }} labels: | org.opencontainers.image.title=${{ github.event.repository.name }} org.opencontainers.image.description=${{ github.event.repository.description }} org.opencontainers.image.url=${{ github.event.repository.html_url }} org.opencontainers.image.source=${{ github.event.repository.clone_url }} org.opencontainers.image.version=${{ steps.details.outputs.version }} org.opencontainers.image.created=${{ steps.details.outputs.build_date }} org.opencontainers.image.revision=${{ github.sha }} org.opencontainers.image.licenses=${{ github.event.repository.license.spdx_id }} org.opencontainers.image.documentation=https://dexidp.io/docs/ container-scan: name: Container scan runs-on: ubuntu-latest needs: container-images if: github.event_name == 'push' strategy: matrix: variant: - alpine - distroless steps: # Workaround for lack of matrix output support - name: Calculate container image details id: details run: | VERSION="${{ needs.container-images.outputs.version }}" if [[ "${{ matrix.variant }}" != "alpine" ]]; then VERSION="${VERSION}-${{ matrix.variant }}" fi echo ::set-output name=version::${VERSION} - name: Run Trivy vulnerability scanner uses: aquasecurity/trivy-action@0.2.4 with: image-ref: "ghcr.io/dexidp/dex:${{ steps.details.outputs.version }}" format: "sarif" output: "trivy-results.sarif" - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v1 with: sarif_file: "trivy-results.sarif"