Update aquasecurity/trivy-action action to v0.34.0 [SECURITY] #195
| name: Build Base Hypervisors | |
| on: | |
| push: | |
| paths: | |
| - '.github/**' | |
| - 'builds/**' | |
| jobs: | |
| build: | |
| name: ${{ matrix.example-dir }} | |
| runs-on: ubuntu-latest | |
| strategy: | |
| matrix: | |
| build-dir: | |
| - "debian-12" | |
| - "rockylinux-9" | |
| - "rockylinux-10" | |
| - "ubuntu-24.04" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3 | |
| - name: Login to the GitHub Container Registry | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Install helper packages | |
| run: | | |
| mkdir -p build | |
| sudo apt-get update | |
| sudo apt-get install -y genisoimage qemu-utils | |
| - name: Set Image Tag | |
| run: | | |
| IMAGE_BASE="ghcr.io/stackers-network/hyp-test/${{ matrix.build-dir }}" | |
| echo "IMAGE_SHA=${IMAGE_BASE}:${{ github.sha }}" >> $GITHUB_ENV | |
| echo "IMAGE_LATEST=${IMAGE_BASE}:latest" >> $GITHUB_ENV | |
| - name: Build Dockerfile | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6 | |
| with: | |
| file: builds/${{ matrix.build-dir }}/Dockerfile | |
| context: builds/${{ matrix.build-dir }} | |
| push: true | |
| tags: | | |
| ${{ env.IMAGE_SHA }} | |
| ${{ env.IMAGE_LATEST }} | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@0.34.0 | |
| with: | |
| image-ref: '${{ env.IMAGE_SHA }}' | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL' | |
| - name: Build iso | |
| run: | | |
| docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v $PWD/build/:/output \ | |
| quay.io/kairos/auroraboot:latest --debug build-iso --output /output/ \ | |
| --override-name kairos-${{ matrix.build-dir }} \ | |
| docker:${{ env.IMAGE_SHA }} | |
| ls -la build | |
| - name: Build cloud image | |
| run: | | |
| docker run --privileged --rm -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v "$PWD"/build:/aurora \ | |
| quay.io/kairos/auroraboot:latest \ | |
| --set container_image=${{ env.IMAGE_SHA }} \ | |
| --set "disable_http_server=true" \ | |
| --set "disable_netboot=true" \ | |
| --set "disk.efi=true" \ | |
| --set "state_dir=/aurora" | |
| pushd build | |
| CLOUD_IMG=`ls *.raw` | |
| qemu-img convert -f raw -O qcow2 $CLOUD_IMG kairos-${{ matrix.build-dir }}.qcow2 | |
| popd | |
| - name: Extract netboot images | |
| run: | | |
| docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \ | |
| -v $PWD/build/:/output \ | |
| quay.io/kairos/auroraboot:latest --debug netboot /output/kairos-${{ matrix.build-dir }}.iso /output kairos-${{ matrix.build-dir }} \ | |
| --name kairos-${{ matrix.build-dir }} \ | |
| docker:${{ env.IMAGE_SHA }} | |
| ls -la build | |
| sudo chmod 644 build/* | |
| # - name: Extract iPXE images from ISO | |
| # run: | | |
| # mkdir -p build | |
| # export ISO=$(ls $PWD/*.iso) | |
| # isoinfo -x /rootfs.squashfs -R -i ${ISO} > build/kairos.squashfs | |
| # isoinfo -x /boot/kernel -R -i ${ISO} > build/kairos-kernel | |
| # isoinfo -x /boot/initrd -R -i ${ISO} > build/kairos-initrd | |
| - name: Release Files | |
| uses: softprops/action-gh-release@62c96d0c4e8a889135c1f3a25910db8dbe0e85f7 # v2.3.4 | |
| with: | |
| draft: true | |
| files: | | |
| build/*.iso | |
| build/*.iso.sha256 | |
| build/*.kernel | |
| build/*.initrd | |
| build/*.squashfs | |
| build/*.qcow2 |
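Review bot: The bumped line `uses: aquasecurity/trivy-action@0.34.0` still references a mutable tag, while every other third-party action in this job (checkout, setup-buildx, build-push-action, action-gh-release) is pinned to a full commit SHA with the version in a trailing comment; for a [SECURITY] bump the same form is expected, e.g. `uses: aquasecurity/trivy-action@<commit-sha-of-v0.34.0> # v0.34.0`, and `docker/login-action@v3` has the same gap. The scanner also only runs after `docker/build-push-action` has already pushed with `push: true`, so an image with a CRITICAL finding is published under both the SHA tag and `:latest` before `exit-code: '1'` can fail the job; building with `push: false` and `load: true`, scanning the local image, and pushing in a separate step afterwards would make the gate effective. Separately, `name: ${{ matrix.example-dir }}` references a matrix key that is not defined (the matrix only declares `build-dir`), so the job name expands to empty; `name: ${{ matrix.build-dir }}` looks intended.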