ci: add validation with yamllint (#951) #36
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Docker image for Goss | |
on: | |
push: | |
branches: | |
- master | |
tags: | |
- "v*" | |
workflow_dispatch: | |
env: | |
PLATFORMS: "linux/amd64,linux/arm64" | |
jobs: | |
goss: | |
name: Build and push Docker image | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
contents: read | |
security-events: write # To upload Trivy sarif files | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Extract metadata (tags, labels) for Docker | |
id: meta | |
uses: docker/metadata-action@v5 | |
with: | |
images: | | |
ghcr.io/${{ github.repository_owner }}/goss | |
- name: Get latest git tag | |
if: github.ref_name == 'master' | |
id: get-latest-tag | |
run: | | |
# source: https://github.com/actions-ecosystem/action-get-latest-tag/blob/main/entrypoint.sh | |
set -e | |
git config --global --add safe.directory /github/workspace | |
git fetch --tags --force | |
# This suppress an error occurred when the repository is a complete one. | |
git fetch --prune --unshallow 2>/dev/null || true | |
latest_tag=$(git describe --abbrev=0 --tags || true) | |
echo "tag=${latest_tag}" >> "$GITHUB_OUTPUT" | |
echo "Latest tag: $latest_tag" | |
- name: Set short git commit SHA | |
if: github.ref_name == 'master' | |
run: | | |
calculatedSha=$(git rev-parse --short ${{ github.sha }}) | |
echo "COMMIT_SHORT_SHA=$calculatedSha" >> $GITHUB_ENV | |
echo "COMMIT_SHORT_SHA: $calculatedSha" | |
- name: Get the current version of Go from project. | |
run: echo "GO_VERSION_FROM_PROJECT=$(go mod edit -json | jq -r .Go)" >> $GITHUB_ENV | |
- name: Build master goss image | |
if: github.ref_name == 'master' | |
uses: docker/build-push-action@v6 | |
with: | |
build-args: | | |
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} | |
GOSS_VERSION=${{ steps.get-latest-tag.outputs.tag }}-${{ github.ref_name }}+${{ env.COMMIT_SHORT_SHA }} | |
context: . | |
push: true | |
tags: | | |
ghcr.io/${{ github.repository_owner }}/goss:master | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: ${{ env.PLATFORMS }} | |
- name: Build release goss image | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags/') | |
uses: docker/build-push-action@v6 | |
with: | |
build-args: | | |
GO_VERSION=${{ env.GO_VERSION_FROM_PROJECT }} | |
GOSS_VERSION=${{ github.ref_name }} | |
context: . | |
push: true | |
tags: | | |
ghcr.io/${{ github.repository_owner }}/goss:latest | |
ghcr.io/${{ github.repository_owner }}/goss:${{ github.ref_name }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: ${{ env.PLATFORMS }} | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: ghcr.io/${{ github.repository_owner }}/goss:master | |
format: "sarif" | |
output: "trivy-results.sarif" | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" |