#
# On cron schedule or on demand: Release snapshot
#
# This workflow ensures that the main branch is ready for release and that all
# build configuration files are valid. Also scans tracee container images for
# vulnerabilities, and publishes to DockerHub as aquasec/tracee:dev.
#
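name: Release Snapshot

on:
  workflow_dispatch: {}
  schedule:
    # Daily at 05:00 (GitHub evaluates cron schedules in UTC)
    - cron: "0 5 * * *"

# The per-architecture jobs push the mutable tags aquasec/tracee:x86_64-dev and
# aquasec/tracee:aarch64-dev, and the final job assembles the multi-arch
# manifest from those tags. Serializing runs keeps a manual dispatch that
# overlaps the scheduled run from mixing images of two different builds.
concurrency:
  group: release-snapshot
  cancel-in-progress: false

jobs:
  # Builds, scans and publishes the x86_64 snapshot image.
  release-snapshot-x86_64:
    name: Release Snapshot (x86_64)
    # presumably selects a self-hosted runner built from the named AMI - confirm
    runs-on:
      - graas_ami-0cdf7ad6d9627da45_${{ github.event.number }}${{ github.run_attempt }}-${{ github.run_id }}
      - EXECUTION_TYPE=LONG
    # NOTE(review): the pushes below authenticate with the DOCKERHUB_* secrets
    # and the cosign step is commented out, so `packages: write` and
    # `id-token: write` look unused in this job. Confirm nothing else depends
    # on them and drop them for least privilege. The same applies to the other
    # two jobs in this workflow.
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: true
          fetch-depth: 0
          # Do not leave the GITHUB_TOKEN in .git/config: the build step below
          # runs repository and submodule build code in this workspace.
          persist-credentials: false
      # NOTE(review): if re-enabled, pin cosign-installer to a full commit SHA
      # instead of the mutable `main` branch.
      # - name: Install Cosign
      #   uses: sigstore/cosign-installer@main
      #   with:
      #     cosign-release: 'v2.2.4'
      - name: Login to docker.io registry
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # NOTE(review): the build runs after the registry login, so the Docker Hub
      # credential is already present on the runner while build code executes.
      # Consider moving the login to just before the publish step.
      - name: Build
        run: |
          make -f builder/Makefile.release SNAPSHOT=1
      # NOTE(review): `@master` is a mutable branch ref, unlike the other
      # actions in this file, which are pinned to a commit SHA. Whatever is at
      # the tip of that branch runs in a job that holds the Docker Hub token and
      # gates publication. Pin to a reviewed full commit SHA with a version
      # comment.
      - name: Scan Docker Image for Vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "tracee:dev"
          # Only CRITICAL findings fail the job (exit-code "1"); lower
          # severities do not block the publish step.
          severity: "CRITICAL"
          exit-code: "1"
      - name: Publish to docker.io registry
        run: |
          docker image tag tracee:dev aquasec/tracee:x86_64-dev
          docker image push aquasec/tracee:x86_64-dev
        shell: bash
      # Disabled to avoid generating too many sigstore cosign signatures
      # - name: Sign Docker image
      #   run: |
      #     cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:x86_64-dev)
      #   shell: bash

  # Builds, scans and publishes the aarch64 snapshot image.
  release-snapshot-aarch64:
    name: Release Snapshot (aarch64)
    # presumably selects a self-hosted runner built from the named AMI - confirm
    runs-on:
      - graas_ami-07740487fa433aa54_${{ github.event.number }}${{ github.run_attempt }}-${{ github.run_id }}
      - EXECUTION_TYPE=LONG
    # NOTE(review): `packages: write` and `id-token: write` look unused here
    # (Docker Hub secrets are used for pushes, signing is disabled) - confirm.
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: true
          fetch-depth: 0
          # Do not leave the GITHUB_TOKEN in .git/config: the build step below
          # runs repository and submodule build code in this workspace.
          persist-credentials: false
      # NOTE(review): if re-enabled, pin cosign-installer to a full commit SHA
      # instead of the mutable `main` branch.
      # - name: Install Cosign
      #   uses: sigstore/cosign-installer@main
      #   with:
      #     cosign-release: 'v2.2.4'
      - name: Login to docker.io registry
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Build
        run: |
          make -f builder/Makefile.release SNAPSHOT=1
      # NOTE(review): mutable `@master` ref in a job that holds the Docker Hub
      # token; pin to a reviewed full commit SHA like the other actions here.
      - name: Scan Docker Image for Vulnerabilities
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: "tracee:dev"
          # Only CRITICAL findings fail the job (exit-code "1").
          severity: "CRITICAL"
          exit-code: "1"
      - name: Publish to docker.io registry
        run: |
          docker image tag tracee:dev aquasec/tracee:aarch64-dev
          docker image push aquasec/tracee:aarch64-dev
        shell: bash
      # Disabled to avoid generating too many sigstore cosign signatures
      # - name: Sign Docker image
      #   run: |
      #     cosign sign -y $(docker inspect --format='{{index .RepoDigests 0}}' aquasec/tracee:aarch64-dev)
      #   shell: bash

  # Combines the two per-architecture images into the multi-arch manifests
  # aquasec/tracee:dev and aquasec/tracee:dev-<timestamp>.
  release-snapshot:
    name: Release Snapshot
    needs: [release-snapshot-x86_64, release-snapshot-aarch64]
    runs-on: ubuntu-latest
    # NOTE(review): `packages: write` and `id-token: write` look unused here
    # (Docker Hub secrets are used for pushes, signing is disabled) - confirm.
    permissions:
      contents: read
      packages: write
      id-token: write
    steps:
      - name: Checkout Code
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
        with:
          submodules: true
          fetch-depth: 0
          # No later step in this job needs git credentials.
          persist-credentials: false
      # NOTE(review): if re-enabled, pin cosign-installer to a full commit SHA
      # instead of the mutable `main` branch.
      # - name: Install Cosign
      #   uses: sigstore/cosign-installer@main
      #   with:
      #     cosign-release: 'v2.2.4'
      - name: Login to docker.io registry
        uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3.1.0
        with:
          username: ${{ secrets.DOCKERHUB_USER }}
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      # NOTE(review): the manifests are assembled from mutable tags, not from
      # the digests the two build jobs pushed, so this job cannot tell whether
      # a tag was re-pushed in between. Passing the pushed digests through as
      # job outputs and referencing images by digest would close that gap. The
      # published images are also unsigned while the cosign step stays disabled.
      - name: Publish to docker.io registry
        run: |
          export DOCKER_CLI_EXPERIMENTAL=enabled
          docker manifest create aquasec/tracee:dev \
            aquasec/tracee:x86_64-dev \
            aquasec/tracee:aarch64-dev
          docker manifest push aquasec/tracee:dev
          timestamp=$(date +%Y%m%d-%H%M%S%Z)
          docker manifest create "aquasec/tracee:dev-${timestamp}" \
            aquasec/tracee:x86_64-dev \
            aquasec/tracee:aarch64-dev
          docker manifest push "aquasec/tracee:dev-${timestamp}"
        shell: bash
      # Disabled to avoid generating too many sigstore cosign signatures
      # - name: Sign Docker image
      #   run: |
      #     cosign sign -y aquasec/tracee:dev
      #   shell: bash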