mirror of
https://github.com/empayre/fleet.git
synced 2024-11-07 01:15:22 +00:00
2154c13865
## Summary This pull request is created by [Secure Repo](https://app.stepsecurity.io/securerepo) at the request of @zwass. Please merge the Pull Request to incorporate the requested changes. Please tag @zwass on your message if you have any questions related to the PR. You can also engage with the [StepSecurity](https://github.com/step-security) team by tagging @step-security-bot. ## Security Fixes ### Pinned Dependencies GitHub Action tags and Docker tags are mutable. This poses a security risk. GitHub's Security Hardening guide recommends pinning actions to full length commit. - [GitHub Security Guide](https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions) - [The Open Source Security Foundation (OpenSSF) Security Guide](https://github.com/ossf/scorecard/blob/main/docs/checks.md#pinned-dependencies) ## Feedback For bug reports, feature requests, and general feedback; please create an issue in [step-security/secure-repo](https://github.com/step-security/secure-repo). To create such PRs, please visit https://app.stepsecurity.io/securerepo. Signed-off-by: StepSecurity Bot <bot@stepsecurity.io>
66 lines
1.9 KiB
YAML
66 lines
1.9 KiB
YAML
name: Build and push fleetdm/fleetctl Docker image
|
|
|
|
# Manually trigger this workflow for now
|
|
on:
|
|
workflow_dispatch:
|
|
inputs:
|
|
image_tag:
|
|
description: 'Docker image tag'
|
|
required: true
|
|
type: string
|
|
|
|
# This allows a subsequently queued workflow run to interrupt previous runs
|
|
concurrency:
|
|
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}}
|
|
cancel-in-progress: true
|
|
|
|
defaults:
|
|
run:
|
|
# fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference
|
|
shell: bash
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
docker-push:
|
|
runs-on: ubuntu-latest
|
|
environment: Docker Hub
|
|
permissions:
|
|
contents: write
|
|
steps:
|
|
- name: Checkout
|
|
uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # v2
|
|
|
|
- name: Login to Docker Hub
|
|
uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a
|
|
with:
|
|
username: ${{ secrets.DOCKERHUB_USERNAME }}
|
|
password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }}
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f # v2
|
|
with:
|
|
go-version: 1.19.4
|
|
|
|
- name: Install Go Dependencies
|
|
run: make deps-go
|
|
|
|
- name: Build fleetdm/fleetctl
|
|
run: make fleetctl-docker
|
|
|
|
- name: Push to Docker
|
|
run: |
|
|
docker tag fleetdm/fleetctl fleetdm/fleetctl:${{ inputs.image_tag }}
|
|
docker push fleetdm/fleetctl:${{ inputs.image_tag }}
|
|
|
|
- name: Push To quay.io
|
|
id: push-to-quay
|
|
uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2.7.1
|
|
with:
|
|
image: fleetdm/fleetctl
|
|
tags: ${{ inputs.image_tag }}
|
|
registry: quay.io/
|
|
username: fleetdm+fleetreleaser
|
|
password: ${{ secrets.QUAY_REGISTRY_PASSWORD }}
|