Skip to content
Docker

Update github/codeql-action action to v3.30.6 #558

Sign in to view logs

Update github/codeql-action action to v3.30.6

Update github/codeql-action action to v3.30.6 #558

Workflow file for this run

.github/workflows/docker.yml at 2272d24
name: Docker
on:
push:
branches:
- main
tags:
- "v[0-9]+.[0-9]+.[0-9]+"
paths-ignore:
- "**.yml"
- "**.yaml"
- "**.md"
pull_request:
branches:
- main
repository_dispatch:
types: [update]
workflow_dispatch:
concurrency:
group: ${{ github.ref_name }}-ci
cancel-in-progress: true
permissions:
contents: read
jobs:
build-docker:
name: Build Docker Image
runs-on: ubuntu-24.04
permissions:
contents: read
security-events: write
packages: write
services:
registry:
image: registry:3
ports:
- 5000:5000
steps:
- name: Checkout Repository
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
- name: Output Variables
id: var
run: |
nginx_v=$(grep -m1 'FROM nginx:' <Dockerfile | awk -F'[: ]' '{print $3}')
docker pull nginx:$nginx_v || exit 1
njs=$(docker run nginx:$nginx_v env | grep NJS_VERSION | cut -d= -f2)
echo "NJS_VERSION=$njs"
echo "nginx_version=${nginx_v}" >> $GITHUB_OUTPUT
echo "njs_version=${njs}" >> $GITHUB_OUTPUT
- name: Setup QEMU
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
- name: Docker Buildx
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
with:
buildkitd-flags: --debug
driver-opts: network=host
- name: DockerHub Login
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }}
if: github.event_name != 'pull_request'
- name: Login to GitHub Container Registry
uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
if: github.event_name != 'pull_request'
- name: Docker meta
id: meta
uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
with:
images: |
name=nginxcontrib/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
name=ghcr.io/lucacome/nginx-ubi,enable=${{ github.event_name != 'pull_request' }}
name=localhost:5000/nginx-ubi/local-ubi
tags: |
type=raw,value=${{ steps.var.outputs.nginx_version }}
- name: Build from source
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
id: build
with:
pull: true
push: true
platforms: "linux/ppc64le, linux/s390x"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=source
cache-to: type=gha,scope=source,mode=max
target: final
provenance: mode=max
sbom: true
build-args: |
NGINX=${{ steps.var.outputs.nginx_version }}
NJS=${{ steps.var.outputs.njs_version }}
- name: Build prebuilt
uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
id: build-prebuilt
with:
pull: true
push: true
platforms: "linux/amd64, linux/arm64"
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=prebuilt
cache-to: type=gha,scope=prebuilt,mode=max
target: final
file: Dockerfile.prebuilt
provenance: mode=max
sbom: true
build-args: |
NGINX=${{ steps.var.outputs.nginx_version }}
NJS=${{ steps.var.outputs.njs_version }}
- name: Combine images
run: |
docker buildx imagetools create nginxcontrib/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }}
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx-ubi:latest
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:latest-ubi
docker buildx imagetools create nginxcontrib/nginx-ubi:${{ steps.meta.outputs.version }} --tag nginxcontrib/nginx:${{ steps.meta.outputs.version }}-ubi
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi@${{ steps.build.outputs.digest }} ${{ steps.build-prebuilt.outputs.digest }} --tag ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }}
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx-ubi:latest
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:latest-ubi
docker buildx imagetools create ghcr.io/lucacome/nginx-ubi:${{ steps.meta.outputs.version }} --tag ghcr.io/lucacome/nginx:${{ steps.meta.outputs.version }}-ubi
if: github.event_name != 'pull_request'
- name: Inspect SBOM and output manifest
run: |
docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --format '{{ json (index .SBOM "linux/amd64").SPDX }}' > sbom.json
docker buildx imagetools inspect localhost:5000/nginx-ubi/local-ubi:${{ steps.meta.outputs.version }} --raw
- name: Scan SBOM
id: scan
uses: anchore/scan-action@f6601287cdb1efc985d6b765bbf99cb4c0ac29d8 # v7.0.0
with:
sbom: "sbom.json"
only-fixed: true
add-cpes-if-none: true
fail-build: false
- name: Upload scan result to GitHub Security tab
uses: github/codeql-action/upload-sarif@64d10c13136e1c5bce3e5fbde8d4906eeaafc885 # v3.30.6
continue-on-error: true
with:
sarif_file: ${{ steps.scan.outputs.sarif }}
if: always()
- name: Upload Scan Results
uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
continue-on-error: true
with:
name: scan-results
path: |
${{ steps.scan.outputs.sarif }}
*.json
if: always()