[deps]: Update gh minor #1132
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build | |
| on: | |
| workflow_dispatch: | |
| push: | |
| branches: | |
| - "main" | |
| tags: | |
| - "v*" | |
| pull_request: | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.ref }} | |
| cancel-in-progress: true | |
| jobs: | |
| build-artifacts: | |
| name: Build artifacts | |
| runs-on: ubuntu-24.04 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Set up .NET | |
| uses: actions/setup-dotnet@d4c94342e560b34958eacfc5d055d21461ed1c5d # v5.0.0 | |
| - name: Publish project | |
| working-directory: src/KeyConnector | |
| run: | | |
| dotnet publish -c "Release" -o obj/build-output/publish | |
| cd obj/build-output/publish | |
| zip -r KeyConnector.zip . | |
| mv KeyConnector.zip ../../../ | |
| - name: Upload project artifact | |
| uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 | |
| with: | |
| name: KeyConnector.zip | |
| path: src/KeyConnector/KeyConnector.zip | |
| if-no-files-found: error | |
| retention-days: 7 | |
| build-docker: | |
| name: Build Docker images | |
| runs-on: ubuntu-24.04 | |
| needs: build-artifacts | |
| permissions: | |
| id-token: write | |
| packages: write | |
| security-events: write | |
| steps: | |
| - name: Check out repo | |
| uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 | |
| with: | |
| persist-credentials: false | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Generate Docker image tag | |
| id: tag | |
| run: | | |
| # Tags use the tag name as the image tag (strip leading 'v') | |
| if [[ "$GITHUB_REF" == refs/tags/* ]]; then | |
| IMAGE_TAG="${GITHUB_REF#refs/tags/v}" | |
| # Main branch always uses 'dev' tag | |
| elif [[ "$GITHUB_REF" == "refs/heads/main" ]]; then | |
| IMAGE_TAG=dev | |
| # PRs use 'pr-<number>' format for consistency | |
| elif [[ "$GITHUB_EVENT_NAME" == "pull_request" ]]; then | |
| IMAGE_TAG="pr-${{ github.event.pull_request.number }}" | |
| # Other branches: sanitize name for Docker tag compatibility | |
| else | |
| # Extract branch name from refs | |
| IMAGE_TAG="${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}" | |
| # Lowercase, replace invalid chars with dash, collapse dashes, trim, limit to 128 chars, remove trailing separators | |
| IMAGE_TAG=$(echo "$IMAGE_TAG" | tr '[:upper:]' '[:lower:]' | sed -E 's/[^a-z0-9._-]+/-/g; s/-+/-/g; s/^-+|-+$//g' | cut -c1-128 | sed -E 's/[.-]$//') | |
| fi | |
| echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT" | |
| - name: Generate full image name | |
| id: image-name | |
| env: | |
| IMAGE_TAG: ${{ steps.tag.outputs.image_tag }} | |
| run: echo "name=ghcr.io/bitwarden/key-connector:${IMAGE_TAG}" >> "$GITHUB_OUTPUT" | |
| - name: Get build artifact | |
| uses: actions/download-artifact@634f93cb2916e3fdff6788551b99b062d0335ce0 # v5.0.0 | |
| with: | |
| name: KeyConnector.zip | |
| - name: Set up build artifact | |
| run: | | |
| mkdir -p src/KeyConnector/obj/build-output/publish | |
| unzip KeyConnector.zip -d src/KeyConnector/obj/build-output/publish | |
| - name: Build Docker image | |
| id: build-docker | |
| uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 | |
| with: | |
| context: src/KeyConnector | |
| file: src/KeyConnector/Dockerfile | |
| platforms: linux/amd64 | |
| load: ${{ github.event_name == 'pull_request' }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| tags: ${{ steps.image-name.outputs.name }} | |
| - name: Install Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| uses: sigstore/cosign-installer@faadad0cce49287aee09b3a48701e75088a2c6ad # v4.0.0 | |
| - name: Sign image with Cosign | |
| if: github.event_name != 'pull_request' && github.ref == 'refs/heads/main' | |
| env: | |
| DIGEST: ${{ steps.build-docker.outputs.digest }} | |
| TAGS: ${{ steps.image-name.outputs.name }} | |
| run: | | |
| IFS=',' read -r -a tags_array <<< "${TAGS}" | |
| images=() | |
| for tag in "${tags_array[@]}"; do | |
| images+=("${tag}@${DIGEST}") | |
| done | |
| cosign sign --yes "${images[@]}" | |
| - name: Scan Docker image | |
| id: container-scan | |
| uses: anchore/scan-action@3aaf50d765cfcceafa51d322ccb790e40f6cd8c5 # v7.2.0 | |
| with: | |
| image: ${{ steps.image-name.outputs.name }} | |
| fail-build: false | |
| output-format: sarif | |
| - name: Upload Grype results to GitHub | |
| uses: github/codeql-action/upload-sarif@e12f0178983d466f2f6028f5cc7a6d786fd97f4b # v4.31.4 | |
| with: | |
| sarif_file: ${{ steps.container-scan.outputs.sarif }} | |
| sha: ${{ contains(github.event_name, 'pull_request') && github.event.pull_request.head.sha || github.sha }} | |
| ref: ${{ contains(github.event_name, 'pull_request') && format('refs/pull/{0}/head', github.event.pull_request.number) || github.ref }} | |
| - name: Log out of Docker | |
| run: docker logout ghcr.io |