Skip to content

Merge pull request #18 from GeorgeDavis-Ibexlabs/ci-fixes #30

Merge pull request #18 from GeorgeDavis-Ibexlabs/ci-fixes

Merge pull request #18 from GeorgeDavis-Ibexlabs/ci-fixes #30

Workflow file for this run

# This is the build workflow to help maintain the project
name: Build CI
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the "master" branch
push:
branches: ["main", "dev"]
pull_request:
branches: ["main", "dev"]
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
# These permissions are needed to interact with GitHub's OIDC Token endpoint.
permissions:
id-token: write # This is required for requesting the JWT
contents: read # This is required for actions/checkout
pull-requests: read
security-events: write
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
iac-scan:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Git Checkout
uses: actions/checkout@v4.1.7
- name: Get changed files
id: changed-files
uses: tj-actions/changed-files@v44.5.7
with:
files_ignore: |
.github/**
.dockerignore
.env
.env.example
.gitattributes
.gitignore
config.json.example
**.md
LICENSE
- name: List all changed files
env:
ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
run: |
for file in ${ALL_CHANGED_FILES}; do
echo "$file was changed"
done
- name: Set up Docker Buildx
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/setup-buildx-action@v3
- name: Log in to Docker Hub
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/login-action@v3.3.0
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
if: steps.changed-files.outputs.any_changed == 'true'
id: meta
uses: docker/metadata-action@v5.5.1
with:
images: georgedavisibexlabs/publish-sarif-to-jira
- name: Build Docker image
if: steps.changed-files.outputs.any_changed == 'true'
uses: docker/build-push-action@v6.6.1
with:
context: .
file: Dockerfile
push: false
# sbom: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Graph
if: steps.changed-files.outputs.any_changed == 'true'
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: "fs"
format: "github"
output: "dependency-results.sbom.json"
image-ref: "georgedavisibexlabs/publish-sarif-to-jira:main"
github-pat: ${{ secrets.GITHUB_TOKEN }}
- name: Upload trivy SBOM as a Github artifact
if: steps.changed-files.outputs.any_changed == 'true'
uses: actions/upload-artifact@v4.3.6
with:
name: trivy-sbom-report
path: trivy-dependency-results.sbom.json
retention-days: 30
- name: Run Trivy Image scanner
uses: aquasecurity/trivy-action@0.24.0
with:
scan-type: "image"
image-ref: "georgedavisibexlabs/publish-sarif-to-jira:main"
limit-severities-for-sarif: true
trivy-config: .github/config/trivy-sarif.yaml
- name: Upload Trivy Image scan results
uses: actions/upload-artifact@v4.3.6
with:
name: trivy-image-scan-results
path: trivy-image-scan-results.sarif
retention-days: 30
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-image-scan-results.sarif"