feat: add nightly copa scan and patch workflow #1065
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1065 +/- ##
=======================================
Coverage 53.71% 53.71%
=======================================
Files 36 36
Lines 2290 2290
=======================================
Hits 1230 1230
Misses 1014 1014
Partials 46 46 |
|
@ashnamehrotra can you make sure to test this in your fork? |
.github/workflows/patch-images.yaml
Outdated
| pull_request: | ||
| branches: | ||
| - main |
There was a problem hiding this comment.
why do we need this to be run as part of every PR?
There was a problem hiding this comment.
we don't, removed!
| fail-fast: false | ||
| matrix: | ||
| images: ['ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64', 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64'] | ||
| steps: |
There was a problem hiding this comment.
Could you add the Harden runner step
azure-workload-identity/.github/workflows/publish-images.yaml
Lines 38 to 41 in eb7cef3
| @@ -0,0 +1,69 @@ | |||
| on: | |||
| run: | | ||
| docker tag ghcr.io/azure/azure-workload-identity/proxy-init:patched ${{ matrix.images }} | ||
| docker push ${{ matrix.images }} | ||
| create-updated-manifest: |
There was a problem hiding this comment.
| create-updated-manifest: | |
| create-updated-manifest: |
| needs: patch | ||
| runs-on: ubuntu-latest | ||
| steps: | ||
| - name: Login to ghcr.io |
There was a problem hiding this comment.
Could you add the Harden runner step here too?
azure-workload-identity/.github/workflows/publish-images.yaml
Lines 38 to 41 in eb7cef3
Reason for Change:
Adds a patch workflow to run nightly using the Copa Github Action to patch ghcr.io/azure/azure-workload-identity/proxy-init:latest if there are vulnerabilities.
Requirements
Issue Fixed:
Please answer the following questions with yes/no:
Does this change contain code from or inspired by another project? If so, did you notify the maintainers and provide attribution?
Notes for Reviewers: