59 lines
1.4 KiB
YAML
59 lines
1.4 KiB
YAML
---
|
|
name: Secure image build
|
|
on: workflow_dispatch
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
|
|
build-and-push-image:
|
|
name: Build and push image
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
|
|
- name: Checkout code
|
|
uses: actions/checkout@v4
|
|
|
|
- name: Build image
|
|
uses: redhat-actions/buildah-build@v2
|
|
with:
|
|
image: quay.io/rh_ee_jablair/ubi9
|
|
tags: v0.0.1
|
|
containerfiles: |
|
|
./2024-08-28-rhacs-actions-pipeline/Containerfile
|
|
|
|
- name: Push to quay.io
|
|
uses: redhat-actions/push-to-registry@v2
|
|
with:
|
|
image: ubi9
|
|
tags: v0.0.1
|
|
registry: quay.io/rh_ee_jablair
|
|
username: ${{ secrets.QUAY_USERNAME }}
|
|
password: ${{ secrets.QUAY_PASSWORD }}
|
|
|
|
|
|
scan-image:
|
|
runs-on: ubuntu-latest
|
|
needs: build-and-push-image
|
|
permissions:
|
|
id-token: write
|
|
steps:
|
|
|
|
- name: Rhacs login
|
|
uses: stackrox/central-login@v1
|
|
with:
|
|
endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
|
|
skip-tls-verify: true
|
|
|
|
- name: Install roxctl
|
|
uses: stackrox/roxctl-installer-action@v1
|
|
with:
|
|
central-endpoint: ${{ secrets.CENTRAL_ENDPOINT }}
|
|
central-token: ${{ secrets.ROX_API_TOKEN }}
|
|
skip-tls-verify: true
|
|
|
|
- name: Scan image with roxctl
|
|
shell: bash
|
|
run: |
|
|
roxctl image scan --output=table --image="quay.io/rh_ee_jablair/ubi9:v0.0.1"
|