Merge remote-tracking branch 'origin/main' into removing-explicit-tokens

Staffbase · Jun 6, 2023 · a453a79 · a453a79
2 parents 20a4adb + c05de46
commit a453a79
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 2 deletions.
diff --git a/.github/workflows/template_gitops.yml b/.github/workflows/template_gitops.yml
@@ -9,6 +9,10 @@ on:
       docker-build-target:
         required: false
         type: string
+      docker-build-provenance:
+        required: false
+        type: string
+        default: 'false'
       docker-file:
         required: false
         type: string
@@ -52,11 +56,12 @@ jobs:
         uses: actions/checkout@v3
 
       - name: GitOps (build, push and deploy a new Docker image)
-        uses: Staffbase/gitops-github-action@v5.1
+        uses: Staffbase/gitops-github-action@v5.2
         with:
           docker-username: ${{ secrets.docker-username }}
           docker-password: ${{ secrets.docker-password }}
           docker-build-args: ${{ inputs.docker-build-args }}
+          docker-build-provenance: ${{ inputs.docker-build-provenance }}
           docker-build-target: ${{ inputs.docker-build-target }}
           docker-build-secrets: ${{ secrets.docker-build-secrets }}
           docker-build-secret-files: ${{ secrets.docker-build-secret-files }}

diff --git a/.github/workflows/template_secret_scan.yml b/.github/workflows/template_secret_scan.yml
@@ -16,7 +16,7 @@ jobs:
           fetch-depth: 0
 
       - name: TruffleHog OSS
-        uses: trufflesecurity/trufflehog@v3.36.0
+        uses: trufflesecurity/trufflehog@v3.39.0
         with:
           path: ./
           base: ${{ github.event.repository.default_branch }}

diff --git a/README.md b/README.md
@@ -79,6 +79,8 @@ jobs:
       # optional: list of build-time variables
       docker-build-args: |
         "any important args"
+      # optional: generate provenance attestation for the build, default: false
+      docker-build-provenance: "mode=min,inline-only=true"
       # optional: set the target stage to build
       docker-build-target: "any target"
       # optional: path to the Dockerfile, default: ./Dockerfile