
Commit 6cd931d

pdabelf5AlexFenlon
authored andcommitted
add permissions for gcr login to base image build (#5860)
1 parent 4143a1f commit 6cd931d


3 files changed

+10
-15
lines changed


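--- a/.github/workflows/build-base-images.yml
+++ b/.github/workflows/build-base-images.yml
@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
 contents: read
-id-token: write
 
 jobs:
 checks:
@@ -50,6 +49,7 @@ jobs:
 permissions:
 contents: read
 pull-requests: write # for scout report
+id-token: write
 strategy:
 fail-fast: false
 matrix: ${{ fromJSON( needs.checks.outputs.image_matrix_oss ) }}
@@ -113,6 +113,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false
@@ -180,6 +181,7 @@ jobs:
 needs: checks
 permissions:
 contents: read
+id-token: write
 pull-requests: write # for scout report
 strategy:
 fail-fast: false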
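Review bot: The `id-token: write` lines added to the three build jobs have no comment saying what consumes the OIDC token, while the neighbouring grant is documented as `pull-requests: write # for scout report`. Going by the commit title, I would write `id-token: write # for OIDC login to GCR` on each. The first job lists it after `pull-requests` and the other two before it; one order across all three would make the blocks easier to compare. Since every step in these jobs can now request a token, the cloud-side trust policy (not visible here) should be restricted to this repository and workflow. The job definitions start and end outside the hunks.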

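--- a/.github/workflows/build-oss.yml
+++ b/.github/workflows/build-oss.yml
@@ -112,11 +112,11 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 with:
 platforms: arm,arm64,ppc64le,s390x
-if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Build Base Container
 uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
@@ -182,7 +182,7 @@ jobs:
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 with:
-image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"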
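Review bot: The Trivy step's new `image-ref: ${{ steps.meta.outputs.tags }}` passes the whole tag list where a single image reference is expected. The `meta` step is outside the hunk, but if it is docker/metadata-action its `tags` output is newline-separated, so with more than one tag the scan would fail or not cover the image that was pushed. The same value is used for Trivy's `image-ref` and Scout's `image` in build-plus.yml, where the removed jq step shows there were several tags to choose from. Selecting one entry explicitly, for example `image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}`, would keep the scan target unambiguous.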

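--- a/.github/workflows/build-plus.yml
+++ b/.github/workflows/build-plus.yml
@@ -117,11 +117,11 @@ jobs:
 uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
 with:
 platforms: arm,arm64,ppc64le,s390x
-if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Docker Buildx
 uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
-if: ${{ steps.images_exist.outputs.target_exists != 'true' }}
+if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
 
 - name: Build Base Container
 uses: docker/build-push-action@31159d49c0d4756269a0940a750801a1ea5d7003 # v6.1.0
@@ -196,17 +196,10 @@ jobs:
 mkdir -p "${{ inputs.image }}-results/"
 if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
-- name: Extract image name for Scans
-id: scan-tag
-run: |
-tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
-echo "tag=$tag" >> $GITHUB_OUTPUT
-if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
-
 - name: Run Trivy vulnerability scanner
 uses: aquasecurity/trivy-action@7c2007bcb556501da015201bcba5aa14069b74e2 # 0.23.0
 with:
-image-ref: ${{ steps.scan-tag.outputs.tag }}
+image-ref: ${{ steps.meta.outputs.tags }}
 format: "sarif"
 output: "${{ inputs.image }}-results/trivy.sarif"
 ignore-unfixed: "true"
@@ -224,7 +217,7 @@ jobs:
 uses: docker/scout-action@fc749439af4870e8f6feb592250ab728600d10a6 # v1.10.0
 with:
 command: cves,recommendations
-image: ${{ steps.scan-tag.outputs.tag }}
+image: ${{ steps.meta.outputs.tags }}
 ignore-base: true
 only-fixed: true
 sarif-file: "${{ inputs.image }}-results/scout.sarif"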
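Review bot: The condition `steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true'` is repeated verbatim on the QEMU and Buildx steps, here and in build-oss.yml, with nothing saying why both outputs matter. A short comment above each, such as `# needed whenever the base or the target image still has to be built`, would record the intent. The `images_exist` step is outside the hunk, so it is worth confirming that it sets `base_exists` on every path; an unset output compares as not equal to 'true' and the setup steps would then always run.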
