feat: add nightly copa scan and patch workflow #1065

Merged (17 commits), Aug 22, 2023
61 changes: 61 additions & 0 deletions .pipelines/templates/patch-images.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,61 @@
pr: none

schedules:
- cron: "0 0 * * *" # nightly
always: true
displayName: "Copa Patch"
branches:
include:
- main

pool: staging-pool-amd64-mariner-2

jobs:
- job: patch
strategy:
fail-fast: false
matrix:
images: ['ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64', 'ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64']
steps:
- name: Generate Trivy Report
uses: aquasecurity/trivy-action@465a07811f14bebb1938fbed4728c6a1ff8901fc
with:
scan-type: 'image'
format: 'json'
output: 'report.json'
ignore-unfixed: true
vuln-type: 'os'
image-ref: ${{ matrix.images }}
- name: Check Vuln Count
id: vuln_cout
run: |
report_file="report.json"
vuln_count=$(jq '.Results | length' "$report_file")
echo "vuln_count=$vuln_count" >> $GITHUB_OUTPUT
- name: Copa Action
if: steps.vuln_cout.outputs.vuln_count != '0'
id: copa
uses: project-copacetic/[email protected]
with:
image: ${{ matrix.images }}
image-report: 'report.json'
patched-tag: 'patched'
buildkit-version: 'v0.12.1'
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@ecf95283f03858871ff00b787d79c419715afc34
- name: Login to ghcr.io
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push patched image
run: |
docker tag ghcr.io/azure/azure-workload-identity/proxy-init:patched ${{ matrix.images }}
docker push ${{ matrix.images }}
- job: create and push updated manifest
steps:
- name: docker manifest create
run: |
docker manifest create ghcr.io/azure/azure-workload-identity/proxy-init:latest ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-arm64 ghcr.io/azure/azure-workload-identity/proxy-init:latest-linux-amd64
docker manifest push ghcr.io/azure/azure-workload-identity/proxy-init:latest
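Review bot: the steps in this hunk are GitHub Actions syntax (`uses: aquasecurity/trivy-action@...`, `${{ matrix.images }}`, `${{ secrets.GITHUB_TOKEN }}`, `echo ... >> $GITHUB_OUTPUT`, `if: steps.vuln_cout.outputs.vuln_count != '0'`), while the top-level keys (`pr: none`, `schedules:`, `pool: staging-pool-amd64-mariner-2`, `strategy: matrix:` written as a list) are Azure Pipelines, and the file sits under `.pipelines/templates/`. Azure Pipelines has no `uses:` step type, no `GITHUB_TOKEN` secret and no `$GITHUB_OUTPUT`, and its `matrix:` must be a mapping of configuration names to variables, not a list, so neither runtime accepts the file as written; either move it to `.github/workflows/` with `on: schedule:` and a GitHub-style `strategy.matrix`, or rewrite the steps as Azure `script:`/`task:` steps with the registry credential coming from a pipeline secret. In the same hunk, `vuln_count=$(jq '.Results | length' "$report_file")` counts Trivy result targets rather than findings, so an image whose OS target has zero vulnerabilities still yields 1 and the Copa step runs every night; `jq '[.Results[]?.Vulnerabilities[]?] | length'` counts the vulnerabilities themselves (and `vuln_cout` should be `vuln_count` in both places). The `Push patched image` step tags the locally produced `proxy-init:patched` back onto `${{ matrix.images }}`, overwriting the existing `latest-linux-arm64`/`latest-linux-amd64` tags in place, yet the `create and push updated manifest` job declares no `dependsOn: patch` (or `needs:`), has no registry login step and uses a job name containing spaces, which Azure Pipelines rejects; without the dependency the `docker manifest create`/`push` can run before both pushes land and rebuild `latest` from the unpatched digests. Lastly, `project-copacetic/[email protected]` is pinned to a mutable tag while the trivy, buildx and login actions are pinned to commit SHAs; pin it to a SHA as well.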