mirror of
https://github.com/drwetter/testssl.sh.git
synced 2025-01-03 23:39:45 +01:00
2d03d82fd9
- Included permissions for the action. https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#permissions https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs [Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests](https://securitylab.github.com/research/github-actions-preventing-pwn-requests/) Restrict the GitHub token permissions only to the required ones; this way, even if the attackers will succeed in compromising your workflow, they won’t be able to do much. Signed-off-by: naveensrinivasan <172697+naveensrinivasan@users.noreply.github.com>
67 lines
1.8 KiB
YAML
67 lines
1.8 KiB
YAML
name: docker-3.1dev
|
|
|
|
on:
|
|
push:
|
|
branches:
|
|
- 3.1dev
|
|
workflow_dispatch:
|
|
schedule:
|
|
- cron: "0 8 * * 1"
|
|
|
|
env:
|
|
BUILD_VERSION: "3.1dev"
|
|
DOCKER_CLI_EXPERIMENTAL: enabled
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
jobs:
|
|
|
|
deploy:
|
|
runs-on: ubuntu-20.04
|
|
|
|
steps:
|
|
- name: Source checkout
|
|
uses: actions/checkout@v3
|
|
|
|
- name: Setup QEMU
|
|
id: qemu
|
|
uses: docker/setup-qemu-action@v1.2.0
|
|
|
|
- name: Setup Buildx
|
|
id: buildx
|
|
uses: docker/setup-buildx-action@v1
|
|
|
|
- name: Set Docker metadata
|
|
id: docker_meta
|
|
uses: docker/metadata-action@v3
|
|
with:
|
|
images: ${{ github.repository }}
|
|
labels: |
|
|
org.opencontainers.image.version=${{ env.BUILD_VERSION }}
|
|
org.opencontainers.image.revision=${{ github.sha }}
|
|
org.opencontainers.image.title=${{ github.repository }}
|
|
|
|
- name: GitHub login
|
|
if: ${{ github.event_name != 'pull_request' }}
|
|
uses: docker/login-action@v1.14.1
|
|
with:
|
|
registry: ghcr.io
|
|
username: ${{ github.actor }}
|
|
password: ${{ secrets.GITHUB_TOKEN }}
|
|
|
|
- name: Build and push
|
|
uses: docker/build-push-action@v2.10.0
|
|
with:
|
|
push: ${{ github.event_name != 'pull_request' }}
|
|
context: .
|
|
file: Dockerfile.git
|
|
platforms: linux/amd64,linux/386,linux/arm64,linux/arm/v7,linux/arm/v6,linux/ppc64le
|
|
build-args: BUILD_VERSION
|
|
cache-from: type=gha, scope=${{ github.workflow }}
|
|
cache-to: type=gha, scope=${{ github.workflow }}
|
|
labels: ${{ steps.docker_meta.outputs.labels }}
|
|
tags: |
|
|
ghcr.io/${{ github.repository }}:${{ env.BUILD_VERSION }}
|
|
ghcr.io/${{ github.repository }}:latest
|