zeek-build-push-latest-ghcr #169

Workflow file for this run

.github/workflows/zeek-build-push-latest-ghcr.yml at f683dfe

	---
	name: zeek-build-push-latest-ghcr

	on:
	push:
	branches:
	- 'main'
	paths:
	- '**'
	- '!**.md'
	- '!zeek-docker.sh'
	pull_request:
	workflow_dispatch:
	repository_dispatch:
	schedule:
	- cron: '0 12 * * *'

	env:
	REGISTRY: ghcr.io
	IMAGE_NAME: ghcr.io/${{ github.repository_owner }}/zeek
	REPO_CONTEXT: .
	REPO_CONTAINERFILE: ./Dockerfile.clang
	BUILD_FROM_SOURCE: 1
	BUILD_JOBS: 2
	ZEEK_BRANCH: v6.2.1
	SPICY_BRANCH:
	ZEEK_DBG: 0

	jobs:
	buildpushscan:
	runs-on: ubuntu-latest
	permissions:
	actions: write
	packages: write
	contents: read
	security-events: write
	strategy:
	fail-fast: false
	matrix:
	platform:
	- linux/amd64
	steps:
	-
	name: Cancel previous run in progress
	id: cancel-previous-runs
	uses: styfle/[email protected]
	with:
	ignore_sha: true
	all_but_latest: true
	access_token: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Checkout
	id: repo-checkout
	uses: actions/checkout@v4
	-
	name: Generate arch tag suffix
	shell: bash
	run: echo "archtag=$([[ "${{ matrix.platform }}" == 'linux/amd64' ]] && echo '' \|\| ( echo -n '-' ; echo "${{ matrix.platform }}" \| cut -d '/' -f 2) )" >> $GITHUB_OUTPUT
	id: arch_tag_suffix
	-
	name: Set up QEMU
	id: setup-qemu
	uses: docker/setup-qemu-action@v3
	with:
	platforms: ${{ matrix.platform }}
	-
	name: Log in to registry
	id: registry-login
	uses: docker/login-action@v3
	with:
	registry: ${{ env.REGISTRY }}
	username: ${{ github.repository_owner }}
	password: ${{ secrets.GITHUB_TOKEN }}
	-
	name: Build base image
	id: build-base-image
	uses: docker/build-push-action@v5
	with:
	context: ${{ env.REPO_CONTEXT }}
	file: ${{ env.REPO_CONTAINERFILE }}
	push: true
	provenance: false
	platforms: ${{ matrix.platform }}
	target: base
	tags: ${{ env.IMAGE_NAME }}:latest${{ steps.arch_tag_suffix.outputs.archtag }},${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}${{ steps.arch_tag_suffix.outputs.archtag }}
	build-args: \|
	BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
	BUILD_JOBS=${{ env.BUILD_JOBS }}
	TARGETPLATFORM=${{ matrix.platform }}
	GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
	ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
	ZEEK_DBG=${{ env.ZEEK_DBG }}
	MAXMIND_GEOIP_DB_LICENSE_KEY=${{ secrets.MAXMIND_GEOIP_DB_LICENSE_KEY }}
	-
	name: Build plus image
	id: build-plus-image
	uses: docker/build-push-action@v3
	with:
	context: ${{ env.REPO_CONTEXT }}
	file: ${{ env.REPO_CONTAINERFILE }}
	push: true
	provenance: false
	platforms: ${{ matrix.platform }}
	target: plus
	tags: ${{ env.IMAGE_NAME }}:plus${{ steps.arch_tag_suffix.outputs.archtag }},${{ env.IMAGE_NAME }}:${{ env.ZEEK_BRANCH }}-plus${{ steps.arch_tag_suffix.outputs.archtag }}
	build-args: \|
	BUILD_FROM_SOURCE=${{ env.BUILD_FROM_SOURCE }}
	BUILD_JOBS=${{ env.BUILD_JOBS }}
	TARGETPLATFORM=${{ matrix.platform }}
	GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
	ZEEK_BRANCH=${{ env.ZEEK_BRANCH }}
	ZEEK_DBG=${{ env.ZEEK_DBG }}
	-
	name: Run Trivy vulnerability scanner
	if: ${{ matrix.platform == 'linux/amd64' }}
	id: trivy-scan
	uses: aquasecurity/trivy-action@master
	with:
	scan-type: 'image'
	scanners: 'vuln'
	image-ref: ${{ env.IMAGE_NAME }}:latest
	format: 'sarif'
	output: 'trivy-results.sarif'
	severity: 'HIGH,CRITICAL'
	vuln-type: 'os,library'
	hide-progress: true
	ignore-unfixed: true
	exit-code: '0'
	-
	name: Upload Trivy scan results to GitHub Security tab
	if: ${{ matrix.platform == 'linux/amd64' }}
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: 'trivy-results.sarif'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

zeek-build-push-latest-ghcr #169

Workflow file

zeek-build-push-latest-ghcr #169

Jobs

Run details

Workflow file for this run