chore: create reusable workflow for security scans #1188
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build Images | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| push: | |
| branches: | |
| - main | |
| schedule: | |
| - cron: "0 */12 * * *" | |
| workflow_dispatch: | |
| env: | |
| IMAGE_REGISTRY: ghcr.io/${{ github.repository_owner }} | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-base: | |
| runs-on: ubuntu-latest | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [39, 40, stable] | |
| fedora-edition: [base, silverblue, kinoite] | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| env: | |
| IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }} | |
| FEDORA_VERSION: ${{ matrix.fedora-version }} | |
| COREOS_KERNEL: "N/A" | |
| outputs: | |
| base-image-tag: ${{ steps.generate-image-tags.outputs.primary-tag }} | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 | |
| - name: Optimize GHA Storage | |
| uses: ./.github/actions/optimise-gha-storage | |
| - name: Generate Image Tags | |
| uses: ./.github/actions/generate-image-tags | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ env.FEDORA_VERSION }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| - name: Get CoreOS Kernel Information | |
| if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }} | |
| uses: ./.github/actions/get-coreos-kernel | |
| id: get-coreos-kernel | |
| with: | |
| coreos-stream: ${{ env.FEDORA_VERSION }} | |
| - name: Set CoreOS Environment Variables | |
| if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }} | |
| run: | | |
| echo "COREOS_KERNEL=${{ steps.get-coreos-kernel.outputs.coreos-kernel-release }}" >> $GITHUB_ENV | |
| echo "FEDORA_VERSION=${{ steps.get-coreos-kernel.outputs.coreos-repo-version }}" >> $GITHUB_ENV | |
| - name: Build Image | |
| id: build | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
| with: | |
| context: . | |
| containerfiles: | | |
| Containerfile | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| FEDORA_VERSION=${{ env.FEDORA_VERSION }} | |
| FEDORA_EDITION=${{ matrix.fedora-edition }} | |
| COREOS_KERNEL=${{ env.COREOS_KERNEL }} | |
| - name: Push Image | |
| id: push | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| with: | |
| image: ${{ steps.build.outputs.image }} | |
| tags: ${{ steps.build.outputs.tags }} | |
| registry: ${{ env.IMAGE_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Sign Image | |
| uses: ./.github/actions/sign-image | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| - name: Generate SBOM | |
| id: generate-sbom | |
| if: github.event_name != 'pull_request' | |
| uses: ./.github/actions/generate-sbom | |
| with: | |
| image-ref: ${{ steps.push.outputs.registry-path }} | |
| artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-sbom | |
| - name: Scan SBOM | |
| uses: ./.github/actions/scan-sbom | |
| if: github.event_name != 'pull_request' | |
| with: | |
| sbom-file: ${{ steps.generate-sbom.outputs.output-file }} | |
| artifact-name: ${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-scan | |
| build-nvidia: | |
| runs-on: ubuntu-latest | |
| needs: build-base | |
| if: ${{ !cancelled() }} | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| fedora-version: [39, 40, stable] | |
| fedora-edition: [base, silverblue, kinoite] | |
| nvidia-version: [550] | |
| include: | |
| - nvidia-version: 550 | |
| nvidia-is-stable: true | |
| permissions: | |
| contents: read | |
| packages: write | |
| id-token: write | |
| outputs: | |
| images: ${{ steps.generate-outputs.outputs.images }} | |
| env: | |
| IMAGE_NAME: eternal-linux/main/${{ matrix.fedora-edition }} | |
| FEDORA_VERSION: ${{ matrix.fedora-version }} | |
| COREOS_KERNEL: "N/A" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 | |
| - name: Optimize GHA Storage | |
| uses: ./.github/actions/optimise-gha-storage | |
| - name: Generate Image Tags | |
| uses: ./.github/actions/generate-image-tags | |
| id: generate-image-tags | |
| with: | |
| image-name: ${{ env.IMAGE_REGISTRY}}/${{ env.IMAGE_NAME }} | |
| major-version: ${{ env.FEDORA_VERSION }} | |
| is-release: ${{ github.event_name != 'pull_request' }} | |
| nvidia-driver-version: ${{ matrix.nvidia-version }} | |
| nvidia-driver-is-stable: ${{ matrix.nvidia-is-stable }} | |
| - name: Get CoreOS Kernel Information | |
| if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }} | |
| uses: ./.github/actions/get-coreos-kernel | |
| id: get-coreos-kernel | |
| with: | |
| coreos-stream: ${{ env.FEDORA_VERSION }} | |
| - name: Set CoreOS Environment Variables | |
| if: ${{ env.FEDORA_VERSION == 'stable' || env.FEDORA_VERSION == 'testing' }} | |
| run: | | |
| echo "COREOS_KERNEL=${{ steps.get-coreos-kernel.outputs.coreos-kernel-release }}" >> $GITHUB_ENV | |
| echo "FEDORA_VERSION=${{ steps.get-coreos-kernel.outputs.coreos-repo-version }}" >> $GITHUB_ENV | |
| - name: Generate Base Image Tag | |
| id: generate-base-image-tag | |
| env: | |
| BASE_FEDORA_VERSION: ${{ matrix.fedora-version }} | |
| PR_NUMBER: ${{ github.event.number }} | |
| IS_PR: ${{ github.event_name == 'pull_request' }} | |
| run: | | |
| GIT_SHA=$(git rev-parse --short HEAD) | |
| if [ $IS_PR == 'true' ]; then | |
| BASE_TAG="pr${PR_NUMBER}-${GIT_SHA}-${BASE_FEDORA_VERSION}" | |
| else | |
| BASE_TAG="${GIT_SHA}-${BASE_FEDORA_VERSION}" | |
| fi | |
| echo "base-tag=${BASE_TAG}" >> $GITHUB_OUTPUT | |
| - name: Build Image | |
| id: build | |
| uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
| with: | |
| context: . | |
| containerfiles: | | |
| Containerfile.nvidia | |
| image: ${{ env.IMAGE_NAME }} | |
| tags: | | |
| ${{ steps.generate-image-tags.outputs.tags }} | |
| build-args: | | |
| FEDORA_VERSION=${{ env.FEDORA_VERSION }} | |
| FEDORA_EDITION=${{ matrix.fedora-edition }} | |
| NVIDIA_VERSION=${{ matrix.nvidia-version }} | |
| BASE_TAG=${{ steps.generate-base-image-tag.outputs.base-tag }} | |
| NVIDIA_AKMODS_TAG=${{ matrix.fedora-version }}-${{ matrix.nvidia-version }} | |
| - name: Push Image | |
| id: push | |
| uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
| with: | |
| image: ${{ steps.build.outputs.image }} | |
| tags: ${{ steps.build.outputs.tags }} | |
| registry: ${{ env.IMAGE_REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Login to GHCR | |
| uses: docker/login-action@e92390c5fb421da1463c202d546fed0ec5c39f20 # v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ github.token }} | |
| - name: Sign Image | |
| uses: ./.github/actions/sign-image | |
| if: github.event_name != 'pull_request' | |
| with: | |
| registry: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| digest: ${{ steps.push.outputs.digest }} | |
| private-key: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY }} | |
| private-key-passphrase: ${{ secrets.ETERNAL_LINUX_SIGNING_KEY_PASSPHRASE }} | |
| - name: Generate file containing outputs | |
| env: | |
| DIGEST: ${{ steps.push.outputs.digest }} | |
| IMAGE_REGISTRY: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} | |
| IMAGE_NAME: ${{ env.IMAGE_NAME }} | |
| FEDORA_VERSION: ${{ matrix.fedora-version }} | |
| FEDORA_EDITION: ${{ matrix.fedora-edition }} | |
| run: | |
| echo "${IMAGE_REGISTRY}@${DIGEST}" > "${IMAGE_NAME}-${FEDORA_EDITION}-${FEDORA_VERSION}-nvidia" | |
| - name: Upload outputs | |
| uses: actions/upload-artifact@v4 | |
| with: | |
| name: output-build-nvidia-${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }} | |
| retention-days: 1 | |
| if-no-files-found: error | |
| path: | | |
| ${{ env.IMAGE_NAME }}-${{ matrix.fedora-edition }}-${{ matrix.fedora-version }}-nvidia.txt | |
| check: | |
| needs: [build-base, build-nvidia] | |
| if: always() | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4 | |
| - name: Download artifacts | |
| id: download-artifacts | |
| uses: actions/download-artifact@v4 | |
| with: | |
| pattern: output-build-* | |
| merge-multiple: true | |
| - name: Create output | |
| id: generate-outputs | |
| env: | |
| JOBS: ${{ toJson(needs) }} | |
| ARTIFACT_PATH: ${{ steps.download-artifacts.outputs.download-path }} | |
| run: | | |
| # Initialize the array | |
| images=() | |
| # Populate the array with each line from each file in the artifacts directory | |
| for file in $ARTIFACT_PATH/*; do | |
| while IFS= read -r line; do | |
| images+=("$line") | |
| done < "$file" | |
| done | |
| # Create the GITHUB_OUTPUT in the format '["image1", "image2", ...]' | |
| echo "images=$(printf '%s\n' "${images[@]}" | jq -R -s -c 'split("\n") | .[:-1]')" >> $GITHUB_OUTPUT | |
| - name: Check Job Status | |
| uses: ./.github/actions/check-jobs-success | |
| with: | |
| jobs: ${{ toJSON(needs) }} |