|
12 | 12 |
|
13 | 13 | jobs: |
14 | 14 | semrel: |
| 15 | + permissions: |
| 16 | + actions: none |
| 17 | + checks: none |
| 18 | + contents: none |
| 19 | + deployments: none |
| 20 | + issues: none |
| 21 | + packages: write |
| 22 | + pull-requests: none |
| 23 | + repository-projects: none |
| 24 | + security-events: none |
| 25 | + statuses: none |
| 26 | + id-token: write # needed for signing the images with GitHub OIDC using cosign |
| 27 | + |
15 | 28 | name: Semantic Release |
16 | 29 | runs-on: ubuntu-latest |
17 | 30 | steps: |
@@ -71,45 +84,28 @@ jobs: |
71 | 84 | uses: aquasecurity/trivy-action@0.18.0 |
72 | 85 | with: |
73 | 86 | image-ref: ghcr.io/${{ github.repository }}/api |
74 | | - format: "json" |
75 | | - output: "api.json" |
76 | | - |
77 | | - - name: Run Trivy vulnerability scanner on ember |
78 | | - uses: aquasecurity/trivy-action@0.18.0 |
79 | | - with: |
80 | | - image-ref: ghcr.io/${{ github.repository }}/ember |
81 | | - format: "json" |
82 | | - output: "ember.json" |
83 | | - |
84 | | - - name: Sign the image with GitHub OIDC Token using cosign |
85 | | - run: cosign sign --yes ${{ github.repository }}/${{ inputs.image-ref }}@latest |
86 | | - if: ${{ inputs.sign }} |
87 | | - |
88 | | - - name: Convert api trivy results to CycloneDX |
89 | | - uses: aquasecurity/trivy-action@0.18.0 |
90 | | - with: |
91 | | - image-ref: api.json |
92 | | - scan-type: "convert" |
93 | 87 | format: "cyclonedx" |
94 | | - # skip --vuln-type arg |
95 | | - vuln-type: "" |
96 | 88 | output: "api.cdx" |
97 | 89 |
|
98 | | - - name: Convert ember trivy results to CycloneDX |
| 90 | + - name: Run Trivy vulnerability scanner on ember |
99 | 91 | uses: aquasecurity/trivy-action@0.18.0 |
100 | 92 | with: |
101 | | - image-ref: ember.json |
102 | | - scan-type: "convert" |
| 93 | + image-ref: ghcr.io/${{ github.repository }}/ember |
103 | 94 | format: "cyclonedx" |
104 | | - # skip --vuln-type arg |
105 | | - vuln-type: "" |
106 | 95 | output: "ember.cdx" |
107 | 96 |
|
108 | | - - name: Attach an SBOM attestation to the signed api image |
109 | | - run: cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }} |
| 97 | + - name: Install Cosign |
| 98 | + uses: sigstore/cosign-installer@v3.4.0 |
110 | 99 |
|
111 | | - - name: Attach an SBOM attestation to the signed ember image |
112 | | - run: cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }} |
| 100 | + - name: Sign the images with GitHub OIDC Token using cosign |
| 101 | + run: | |
| 102 | + cosign sign --yes ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }} |
| 103 | + cosign sign --yes ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }} |
| 104 | +
|
| 105 | + - name: Attach an SBOM attestation to the signed images |
| 106 | + run: | |
| 107 | + cosign attest --yes --type cyclonedx --predicate api.cdx ${{ github.repository }}/api@${{ steps.docker-api.outputs.digest }} |
| 108 | + cosign attest --yes --type cyclonedx --predicate ember.cdx ${{ github.repository }}/ember@${{ steps.docker-ember.outputs.digest }} |
113 | 109 |
|
114 | 110 | - name: Set up Helm |
115 | 111 | if: steps.semrel.outputs.version != '' |
|
0 commit comments