Update docker-scout.yml #22
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker Scout | |
| on: | |
| pull_request: | |
| branches: | |
| - main | |
| paths-ignore: | |
| - 'README.md' | |
| - 'LICENSE' | |
| env: | |
| REGISTRY: docker.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| SHA: ${{ github.event.pull_request.head.sha || github.event.after }} | |
| # Using `latest` as the tag to compare assuming that it's already pushed | |
| COMPARE_TAG: latest | |
| jobs: | |
| build: | |
| # if: github.actor!= 'dependabot[bot]' # ignore the pull request which comes from user dependabot. | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| pull-requests: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| ref: ${{ env.SHA }} | |
| - name: Set Environment | |
| uses: c-py/action-dotenv-to-setenv@v5 | |
| id: source-env | |
| with: | |
| env-file: env/.env | |
| - name: Echo ZerotierOne Version from env file | |
| run: | | |
| echo ${{ steps.source-env.outputs.zerotierone_version }} >> "$GITHUB_ENV" | |
| - name: Setup Docker buildx | |
| uses: docker/[email protected] | |
| with: | |
| driver-opts: | | |
| image=moby/buildkit:v0.10.6 | |
| # Login against a Docker registry except on PR | |
| - name: Log into registry ${{ env.REGISTRY }} | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Extract Docker metadata | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| labels: | | |
| org.opencontainers.image.revision=${{ env.SHA }} | |
| tags: | | |
| type=edge,branch=$repo.default_branch | |
| type=semver,pattern=v{{version}} | |
| type=sha,prefix=,suffix=,format=short | |
| # Build and push Docker image with Buildx (don't push on PR) | |
| - name: Build and push Docker image | |
| id: build-and-push | |
| uses: docker/[email protected] | |
| with: | |
| context: . | |
| build-args: VERSION=${{ env.ZEROTIERONE_VERSION }} | |
| push: false | |
| load: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| cache-from: type=gha | |
| cache-to: type=gha,mode=max | |
| - name: Docker Scout | |
| id: docker-scout | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: docker/scout-action@v1 | |
| with: | |
| command: cves,recommendations,compare | |
| image: ${{ steps.meta.outputs.tags }} | |
| to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.COMPARE_TAG }} | |
| ignore-base: true | |
| ignore-unchanged: true | |
| only-severities: critical,high,medium | |
| only-fixed: true | |
| write-comment: true | |
| github-token: ${{ secrets.GITHUB_TOKEN }} # to be able to write the comment |