Fix post-release workflow (#1235)

* Fix post-release workflow Signed-off-by: Natalie Arellano <narellano@vmware.com> * Update grype config with non-impactful CVE Signed-off-by: Natalie Arellano <narellano@vmware.com> --------- Signed-off-by: Natalie Arellano <narellano@vmware.com>
buildpacks · Oct 31, 2023 · 73648d2 · 73648d2
1 parent 7c591d1
commit 73648d2
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 0 deletions.
diff --git a/.github/workflows/post-release.yml b/.github/workflows/post-release.yml
@@ -40,6 +40,10 @@ jobs:
           echo "LINUX_ARM64_SHA: $LINUX_ARM64_SHA"
           echo "LINUX_ARM64_SHA=$LINUX_ARM64_SHA" >> $GITHUB_ENV
 
+          LINUX_S390X_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-linux-s390x | jq -r .[0].critical.image.\"docker-manifest-digest\")
+          echo "LINUX_S390X_SHA: $LINUX_S390X_SHA"
+          echo "LINUX_S390X_SHA=$LINUX_S390X_SHA" >> $GITHUB_ENV
+
           WINDOWS_AMD64_SHA=$(cosign verify --certificate-identity-regexp "https://github.com/${{ github.repository_owner }}/lifecycle/.github/workflows/build.yml" --certificate-oidc-issuer https://token.actions.githubusercontent.com buildpacksio/lifecycle:${{ env.LIFECYCLE_IMAGE_TAG }}-windows | jq -r .[0].critical.image.\"docker-manifest-digest\")
           echo "WINDOWS_AMD64_SHA: $WINDOWS_AMD64_SHA"
           echo "WINDOWS_AMD64_SHA=$WINDOWS_AMD64_SHA" >> $GITHUB_ENV

diff --git a/.grype.yaml b/.grype.yaml
@@ -1,3 +1,4 @@
 ignore:
   - vulnerability: CVE-2015-5237 # false positive, see https://github.com/anchore/grype/issues/558
   - vulnerability: CVE-2021-22570 # false positive, see https://github.com/anchore/grype/issues/558
+  - vulnerability: GHSA-jq35-85cj-fj4p # non-impactful as the lifecycle doesn't create containers