search

step-security / secure-repo

Orchestrate GitHub Actions Security
https://app.stepsecurity.io
GNU Affero General Public License v3.0
256 stars 41 forks source link

Fix jobs that have KBs?/Fix workflows partially? #381

Open arjundashrath opened 2 years ago

arjundashrath commented 2 years ago

eg

name: Release to Docker Hub

on:
  release:
    types: [published]

jobs:
  release:
    name: Release to Docker Hub
    runs-on: ubuntu-20.04
    steps:
    - name: Checkout
      uses: actions/checkout@v2

    - name: Set up QEMU
      uses: docker/setup-qemu-action@v1

    - name: Set up Docker Buildx
      uses: docker/setup-buildx-action@v1

    - name: Cache Docker layers
      uses: actions/cache@v2
      with:
        path: /tmp/.buildx-cache
        key: ${{ runner.os }}-buildx-${{ github.sha }}
        restore-keys: |
          ${{ runner.os }}-buildx-

    - name: Login to DockerHub
      uses: docker/login-action@v1
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_TOKEN }}

    - name: Docker meta
      id: docker_meta
      uses: crazy-max/ghaction-docker-meta@v2
      with:
        images: dashpay/dashd
        tags: |
          type=match,pattern=v(\d+.\d+.\d+.\d+),group=1,enable=${{ !contains(github.event.release.tag_name, '-rc') }}
          type=match,pattern=v(\d+.\d+.\d+),group=1,enable=${{ !contains(github.event.release.tag_name, '-rc') }}
          type=match,pattern=v(\d+.\d+),group=1,enable=${{ !contains(github.event.release.tag_name, '-rc') }}
          type=raw,value=latest,enable=${{ !contains(github.event.release.tag_name, '-rc') }}
          type=match,pattern=v(.*),group=1,latest=false,enable=${{ contains(github.event.release.tag_name, '-rc') }}
          type=raw,value=latest-dev,enable=${{ contains(github.event.release.tag_name, '-rc') }}
        flavor: |
          latest=false

    - name: Build and push
      id: docker_build
      uses: docker/build-push-action@v2
      with:
        context: ./docker
        file: ./docker/Dockerfile.GitHubActions
        push: true
        tags: ${{ steps.docker_meta.outputs.tags }}
        labels: ${{ steps.docker_meta.outputs.labels }}
        build-args: TAG=${{ steps.docker_meta.outputs.version }}
        cache-from: type=local,src=/tmp/.buildx-cache
        cache-to: type=local,dest=/tmp/.buildx-cache-new
        platforms: linux/amd64,linux/arm64,linux/arm/v7

    - # Temp fix
      # https://github.com/docker/build-push-action/issues/252
      # https://github.com/moby/buildkit/issues/1896
      name: Move cache
      run: |
        rm -rf /tmp/.buildx-cache
        mv /tmp/.buildx-cache-new /tmp/.buildx-cache

    - name: Image digest
      run: echo ${{ steps.docker_build.outputs.digest }}

some of the jobs can be fixed

varunsh-coder commented 2 years ago

Yes, we can have an option to give partial results.