Create fintech-company-strengthens-infrastructure-visibility.md #81258
Workflow file for this run
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Docker publish | |
| on: | |
| push: | |
| branches: | |
| - "main" | |
| - "rc-minor-*" | |
| - "rc-patch-*" | |
| paths-ignore: | |
| - "handbook/**" | |
| - "website/**" | |
| - "mdm-profiles/**" | |
| pull_request: | |
| paths-ignore: | |
| - "handbook/**" | |
| - "website/**" | |
| - "mdm-profiles/**" | |
| workflow_dispatch: # Manual | |
| # This allows a subsequently queued workflow run to interrupt previous runs | |
| concurrency: | |
| group: ${{ github.workflow }}-${{ github.head_ref || github.run_id}} | |
| cancel-in-progress: true | |
| defaults: | |
| run: | |
| # fail-fast using bash -eo pipefail. See https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#exit-codes-and-error-action-preference | |
| shell: bash | |
| permissions: | |
| contents: read | |
| jobs: | |
| publish: | |
| # Only run it when the push is to the fleetdm/fleet repo. Otherwise the secrets for pushing to | |
| # Docker will not be available. | |
| # | |
| # Also not run if author is dependabot (it doesn't have access to Github secrets). | |
| if: ${{ (github.repository == 'fleetdm/fleet') && (github.actor != 'dependabot[bot]') && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }} | |
| runs-on: ubuntu-22.04 | |
| environment: Docker Hub | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 | |
| with: | |
| egress-policy: audit | |
| - name: Checkout | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Login to Docker Hub | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_ACCESS_TOKEN }} | |
| - name: Set up Go | |
| uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 | |
| with: | |
| go-version-file: "go.mod" | |
| # Set the Node.js version | |
| - name: Set up Node.js | |
| uses: actions/setup-node@5e21ff4d9bc1a8cf6de233a3057d20ec6b3fb69d # v3.8.1 | |
| with: | |
| node-version-file: package.json | |
| check-latest: true | |
| - name: Install Dependencies | |
| run: make deps | |
| - name: Compute version from branch | |
| id: compute_version | |
| env: | |
| BRANCH: ${{ github.head_ref || github.ref_name }} | |
| run: | | |
| VERSION=$(tools/version-from-branch.sh "$BRANCH" 2>/dev/null) | |
| if [ -z "$VERSION" ]; then | |
| # Fall back to default snapshot version | |
| VERSION="0.0.0-SNAPSHOT-$(git rev-parse --short HEAD)" | |
| fi | |
| echo "FLEET_VERSION=$VERSION" >> $GITHUB_OUTPUT | |
| - name: Run GoReleaser | |
| uses: goreleaser/goreleaser-action@90a3faa9d0182683851fbfa97ca1a2cb983bfca3 # v6.2.1 | |
| with: | |
| distribution: goreleaser-pro | |
| version: "~> 2" | |
| args: release --snapshot --clean -f .goreleaser-snapshot.yml | |
| env: | |
| GORELEASER_KEY: ${{ secrets.GORELEASER_KEY }} | |
| FLEET_VERSION: ${{ steps.compute_version.outputs.FLEET_VERSION }} | |
| - name: Tag image with branch name | |
| run: docker tag fleetdm/fleet:$(git rev-parse --short HEAD) fleetdm/fleet:$(git rev-parse --abbrev-ref HEAD) | |
| - name: Generate tag | |
| id: generate_tag | |
| run: | | |
| echo "FLEET_IMAGE_TAG=$(git rev-parse --abbrev-ref HEAD)" >> $GITHUB_OUTPUT | |
| - name: List VEX files | |
| id: generate_vex_files | |
| run: | | |
| echo "VEX_FILES=$(ls -1 ./security/vex/fleet/ | while IFS= read -r line; do echo "./security/vex/fleet/$line"; done | tr '\n' ',' | sed 's/.$//')" >> $GITHUB_OUTPUT | |
| # We use the trivy command and not the github action because it doesn't support loading VEX files yet. | |
| - name: Check high/critical vulnerabilities before publishing (trivy) | |
| # Only run this when tagging RCs. | |
| if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-') | |
| env: | |
| TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db | |
| TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db | |
| run: | | |
| mkdir trivy-download | |
| cd trivy-download | |
| curl -L https://github.com/aquasecurity/trivy/releases/download/v0.68.1/trivy_0.68.1_Linux-64bit.tar.gz --output trivy_0.68.1_Linux-64bit.tar.gz | |
| tar -xf trivy_0.68.1_Linux-64bit.tar.gz | |
| mv trivy .. | |
| cd .. | |
| chmod +x ./trivy | |
| ./trivy image \ | |
| --ignore-unfixed \ | |
| --exit-code=1 \ | |
| --pkg-types=os,library \ | |
| --severity=HIGH,CRITICAL \ | |
| --vex="${{ steps.generate_vex_files.outputs.VEX_FILES }}" \ | |
| fleetdm/fleet:${{ steps.generate_tag.outputs.FLEET_IMAGE_TAG }} | |
| - name: Check high/critical vulnerabilities before publishing (docker scout) | |
| # Only run this when tagging RCs. | |
| if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-') | |
| uses: docker/scout-action@381b657c498a4d287752e7f2cfb2b41823f566d9 # v1.17.1 | |
| with: | |
| command: cves | |
| image: fleetdm/fleet:${{ steps.generate_tag.outputs.FLEET_IMAGE_TAG }} | |
| only-severities: critical,high | |
| only-fixed: true | |
| only-vex-affected: true | |
| write-comment: false | |
| vex-location: ./security/vex/fleet | |
| exit-code: true | |
| # Explicitly push the docker images as GoReleaser will not do so in snapshot mode | |
| - name: Publish Docker images | |
| run: docker push fleetdm/fleet --all-tags | |
| - name: Get tags | |
| run: | | |
| echo "TAG=$(git rev-parse --abbrev-ref HEAD) $(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
| id: docker | |
| - name: List tags for push | |
| run: | | |
| echo "The following TAGs are to be pushed: ${{ steps.docker.outputs.TAG }}" | |
| - name: Login to quay.io | |
| uses: docker/login-action@f4ef78c080cd8ba55a85445d5b36e214a81df20a | |
| with: | |
| registry: quay.io | |
| username: fleetdm+fleetreleaser | |
| password: ${{ secrets.QUAY_REGISTRY_PASSWORD }} | |
| - name: Tag and push to quay.io | |
| run: | | |
| for TAG in ${{ steps.docker.outputs.TAG }}; do | |
| docker tag fleetdm/fleet:${TAG} quay.io/fleetdm/fleet:${TAG} | |
| for i in {1..5}; do | |
| docker push quay.io/fleetdm/fleet:${TAG} && break || sleep 10 | |
| done | |
| done | |
| - name: Slack notification | |
| if: startsWith(github.ref, 'rc-minor-') || startsWith(github.ref, 'rc-patch-') && failure() | |
| uses: slackapi/slack-github-action@e28cf165c92ffef168d23c5c9000cffc8a25e117 # v1.24.0 | |
| with: | |
| payload: | | |
| { | |
| "text": "${{ job.status }}\n${{ github.event.pull_request.html_url || github.event.head.html_url }}", | |
| "blocks": [ | |
| { | |
| "type": "section", | |
| "text": { | |
| "type": "mrkdwn", | |
| "text": "⚠️ Docker publish failed.\nhttps://github.com/fleetdm/fleet/actions/runs/${{ github.run_id }}" | |
| } | |
| } | |
| ] | |
| } | |
| env: | |
| SLACK_WEBHOOK_URL: ${{ secrets.SLACK_G_HELP_ENGINEERING_WEBHOOK_URL }} | |
| SLACK_WEBHOOK_TYPE: INCOMING_WEBHOOK |