From c8732fcd575fddfe0a8243a2a1f50393f71a1282 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Mon, 5 Jun 2023 07:58:29 +0000
Subject: [PATCH 1/2] :arrow_up: Bump trufflesecurity/trufflehog from 3.36.0 to 3.39.0

Bumps [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) from 3.36.0 to 3.39.0.
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Changelog](https://github.com/trufflesecurity/trufflehog/blob/main/.goreleaser.yml)
- [Commits](https://github.com/trufflesecurity/trufflehog/compare/v3.36.0...v3.39.0)

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
dependency-type: direct:production
update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot]
---
.github/workflows/template_secret_scan.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/template_secret_scan.yml b/.github/workflows/template_secret_scan.yml
index 5d68f122..e8367e6b 100644
--- a/.github/workflows/template_secret_scan.yml
+++ b/.github/workflows/template_secret_scan.yml
@@ -16,7 +16,7 @@ jobs:
 fetch-depth: 0
 - name: TruffleHog OSS
- uses: trufflesecurity/trufflehog@v3.36.0
+ uses: trufflesecurity/trufflehog@v3.39.0
 with:
 path: ./
 base: ${{ github.event.repository.default_branch }}

From c05de4654a6deb81e6acf9ce83641d5dae8435f8 Mon Sep 17 00:00:00 2001
From: Falk Puschner
Date: Tue, 6 Jun 2023 09:58:59 +0200
Subject: [PATCH 2/2] :art: Add provenance option (#124)

* :art: Add provenance option

* :arrow_up: Bump gitops

---------

Co-authored-by: Tim Dittler <93928360+timdittler@users.noreply.github.com>
---
.github/workflows/template_gitops.yml | 11 ++++++++---
README.md | 2 ++
2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/template_gitops.yml b/.github/workflows/template_gitops.yml
index be47a91b..f7e647e6 100644
--- a/.github/workflows/template_gitops.yml
+++ b/.github/workflows/template_gitops.yml
@@ -9,6 +9,10 @@ on:
 docker-build-target:
 required: false
 type: string
+ docker-build-provenance:
+ required: false
+ type: string
+ default: 'false'
 docker-file:
 required: false
 type: string
@@ -57,7 +61,7 @@ jobs:
 uses: actions/checkout@v3
 - name: GitOps (build, push and deploy a new Docker image)
- uses: Staffbase/gitops-github-action@v5.1
+ uses: Staffbase/gitops-github-action@v5.2
 with:
 docker-username: ${{ secrets.docker-username }}
 docker-password: ${{ secrets.docker-password }}
@@ -67,6 +71,9 @@ jobs:
 NPM_TOKEN=${{ secrets.npm-token }}
 GOPROXY=${{ secrets.goproxy }}
 GONOSUMDB=${{ secrets.gonosumdb }}
+ docker-build-provenance: ${{ inputs.docker-build-provenance }}
+ docker-build-secrets: ${{ secrets.docker-build-secrets }}
+ docker-build-secret-files: ${{ secrets.docker-build-secret-files }}
 docker-build-target: ${{ inputs.docker-build-target }}
 docker-file: ${{ inputs.docker-file }}
 docker-image: ${{ inputs.docker-image }}
@@ -74,5 +81,3 @@ jobs:
 gitops-dev: ${{ inputs.gitops-dev }}
 gitops-stage: ${{ inputs.gitops-stage }}
 gitops-prod: ${{ inputs.gitops-prod }}
- docker-build-secrets: ${{ secrets.docker-build-secrets }}
- docker-build-secret-files: ${{ secrets.docker-build-secret-files }}
diff --git a/README.md b/README.md
index 8cd39e2d..8d3ec9eb 100644
--- a/README.md
+++ b/README.md
@@ -79,6 +79,8 @@ jobs:
 # optional: list of build-time variables
 docker-build-args: |
 "any important args"
+ # optional: generate provenance attestation for the build, default: false
+ docker-build-provenance: "mode=min,inline-only=true"
 # optional: set the target stage to build
 docker-build-target: "any target"
 # optional: path to the Dockerfile, default: ./Dockerfile
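Review bot: `default: 'false'` on the new `docker-build-provenance` input makes every workflow derived from this template opt out of provenance attestations unless the caller remembers to set the input, which inverts the safe default for a supply-chain control; `default: 'mode=min'` with `'false'` documented as the explicit opt-out would be the better baseline, provided the action forwards the value to buildx `--provenance` as the README example suggests. Keep whatever default you choose quoted, since the input is `type: string` and an unquoted `false` would be read as a YAML boolean. The input also carries no `description:`; a line such as `description: "Provenance attestation setting passed to the builder; 'false' disables it"` would make the accepted values discoverable without the README. The enclosing `inputs:` mapping starts before and continues after this hunk.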
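Review bot: The new `docker-build-provenance` passthrough is placed directly beneath build args that carry secrets (`NPM_TOKEN=${{ secrets.npm-token }}`, `GOPROXY`, `GONOSUMDB` in the context lines above it), and nothing in the change stops a caller from combining them with `mode=max`. Build-arg values are already visible in `docker history` of the pushed image, and in max-mode provenance BuildKit records the build parameters as well, so the attestation shipped alongside the image could carry the token in cleartext — this assumes the action forwards the value unchanged to buildx `--provenance`, which the hunk does not show. Since the same hunk moves `docker-build-secrets` into place, the template should route `NPM_TOKEN` through that input instead and flag the hazard next to the args, e.g. `# NOTE: values in docker-build-args end up in image history and in mode=max provenance; pass tokens via docker-build-secrets`. The enclosing `with:` mapping of the GitOps step starts before this hunk.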