diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 9761fa11..e7d0e5b2 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -4,8 +4,7 @@ updates: directory: "/" schedule: interval: "daily" - cooldown: - default-days: 7 + open-pull-requests-limit: 10 labels: - "area/dependencies" - "bot" diff --git a/.github/workflows/.test-bake.yml b/.github/workflows/.test-bake.yml index 382851b0..88ae13fe 100644 --- a/.github/workflows/.test-bake.yml +++ b/.github/workflows/.test-bake.yml @@ -129,6 +129,25 @@ jobs: const builderOutputs = JSON.parse(core.getInput('builder-outputs')); core.info(JSON.stringify(builderOutputs, null, 2)); + bake-aws-scan: + runs-on: ubuntu-24.04 + if: ${{ github.event_name != 'pull_request' }} + needs: + - bake-aws + steps: + - + name: Login to registry + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + with: + registry: public.ecr.aws + username: ${{ secrets.AWS_ACCESS_KEY_ID }} + password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + - + name: Scan for vulnerabilities + uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0 + with: + image: public.ecr.aws/q3b5f1u4/test-docker-action@${{ needs.bake-aws.outputs.digest }} + bake-aws-nosign: uses: ./.github/workflows/bake.yml permissions: diff --git a/.github/workflows/.test-build.yml b/.github/workflows/.test-build.yml index aaaebe72..e589b522 100644 --- a/.github/workflows/.test-build.yml +++ b/.github/workflows/.test-build.yml 
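Review bot: Removing `cooldown.default-days: 7` in the dependabot.yml hunk is not needed to raise `open-pull-requests-limit`, and it drops the delay that lets a compromised or broken upstream release be yanked before an automated PR pulls it in. The two keys are independent, so unless the removal is deliberate keep both: `cooldown:` / `  default-days: 7` directly above `open-pull-requests-limit: 10`. If the cooldown was dropped on purpose, a one-line comment above `open-pull-requests-limit` saying why would stop the next reader from re-adding it.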
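Review bot: The new `bake-aws-scan` job in the .test-bake.yml hunk interpolates `needs.bake-aws.outputs.digest` straight into `image:` without checking it is non-empty, and the bake.yml hunks in this commit only set that digest when pushing, so a run without a digest scans the malformed reference `public.ecr.aws/q3b5f1u4/test-docker-action@` instead of skipping. Guard the job condition: `if: ${{ github.event_name != 'pull_request' && needs.bake-aws.outputs.digest != '' }}`. The job also declares no `permissions:` block; if the workflow's top level grants more than `contents: read` (not visible from this hunk), the job inherits it while holding the AWS secrets, so an explicit minimal `permissions:` on the job would be safer. Both points apply equally to `build-aws-scan` in the .test-build.yml hunk.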
@@ -129,6 +129,25 @@ jobs: const builderOutputs = JSON.parse(core.getInput('builder-outputs')); core.info(JSON.stringify(builderOutputs, null, 2)); + build-aws-scan: + runs-on: ubuntu-24.04 + if: ${{ github.event_name != 'pull_request' }} + needs: + - build-aws + steps: + - + name: Login to registry + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 + with: + registry: public.ecr.aws + username: ${{ secrets.AWS_ACCESS_KEY_ID }} + password: ${{ secrets.AWS_SECRET_ACCESS_KEY }} + - + name: Scan for vulnerabilities + uses: crazy-max/ghaction-container-scan@a0a3900b79d158c85ccf034e5368fae620a9233a # v4.0.0 + with: + image: public.ecr.aws/q3b5f1u4/test-docker-action@${{ needs.build-aws.outputs.image-digest }} + build-aws-nosign: uses: ./.github/workflows/build.yml permissions: diff --git a/.github/workflows/.zizmor.yml b/.github/workflows/.zizmor.yml index d3bc93ab..0743841d 100644 --- a/.github/workflows/.zizmor.yml +++ b/.github/workflows/.zizmor.yml @@ -35,7 +35,7 @@ jobs: persist-credentials: false - name: Setup uv - uses: astral-sh/setup-uv@eac588ad8def6316056a12d4907a9d4d84ff7a3b # v7.3.0 + uses: astral-sh/setup-uv@6ee6290f1cbc4156c0bdd66691b2c144ef8df19a # v7.4.0 with: enable-cache: false - @@ -59,7 +59,7 @@ jobs: cat ${TMPDIR}/report-*.toml - name: Upload SARIF report - uses: github/codeql-action/upload-sarif@45cbd0c69e560cd9e7cd7f8c32362050c9b7ded2 # v4.32.2 + uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6 with: sarif_file: ${{ env.TMPDIR }}/zizmor.sarif category: zizmor diff --git a/.github/workflows/bake.yml b/.github/workflows/bake.yml index b8f68ffc..3c18054a 100644 --- a/.github/workflows/bake.yml +++ b/.github/workflows/bake.yml 
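Review bot: `image:` in the new `build-aws-scan` job reads `needs.build-aws.outputs.image-digest`, but the build.yml hunk in this same commit adds the reusable workflow output under the name `digest`, and the sibling .test-bake.yml job reads `needs.bake-aws.outputs.digest`. Unless build.yml already exposes an `image-digest` output outside this diff, the expression expands to an empty string and the scan targets `public.ecr.aws/q3b5f1u4/test-docker-action@`. Change the line to `image: public.ecr.aws/q3b5f1u4/test-docker-action@${{ needs.build-aws.outputs.digest }}`.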
@@ -138,6 +138,9 @@ on: artifact-name: description: "Name of the uploaded artifact (for local output)" value: ${{ jobs.finalize.outputs.artifact-name }} + digest: + description: "Digest of the image pushed or artifact uploaded" + value: ${{ jobs.finalize.outputs.digest }} output-type: description: "Build output type" value: ${{ jobs.finalize.outputs.output-type }} @@ -146,11 +149,11 @@ on: value: ${{ jobs.finalize.outputs.signed }} env: - BUILDX_VERSION: "v0.31.1" - BUILDKIT_IMAGE: "moby/buildkit:v0.27.1" + BUILDX_VERSION: "v0.32.1" + BUILDKIT_IMAGE: "moby/buildkit:v0.28.0" SBOM_IMAGE: "docker/buildkit-syft-scanner:1.10.0" BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.2.1-65" - DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.76.0" + DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.81.0" COSIGN_VERSION: "v3.0.2" LOCAL_EXPORT_DIR: "/tmp/buildx-output" MATRIX_SIZE_LIMIT: "20" @@ -224,7 +227,7 @@ jobs: } - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Set outputs id: set @@ -250,7 +253,7 @@ jobs: script: | const os = require('os'); const { Bake } = require('@docker/actions-toolkit/lib/buildx/bake'); - const { GitHub } = require('@docker/actions-toolkit/lib/github'); + const { GitHub } = require('@docker/actions-toolkit/lib/github/github'); const { Util } = require('@docker/actions-toolkit/lib/util'); const inpSbomImage = core.getInput('sbom-image'); @@ -466,7 +469,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} 
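Review bot: The description of the new `digest` output, "Digest of the image pushed or artifact uploaded", does not tell callers when it is empty: the finalize hunks below only set the manifest digest when `push` is true, and with several `meta-images` the value is the digest of the last manifest created. Since downstream jobs interpolate this into image references, the description should say so, e.g. `description: "Manifest digest of the last image pushed, or digest of the merged artifact; empty when nothing was pushed or uploaded"`. The same description is added in the build.yml outputs hunk.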
@@ -476,18 +479,18 @@ jobs: bake-target: ${{ inputs.meta-bake-target }} - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 if: ${{ inputs.setup-qemu }} with: image: ${{ env.BINFMT_IMAGE }} cache-image: false - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} cache-binary: false @@ -617,7 +620,7 @@ jobs: script: | const os = require('os'); const { Build } = require('@docker/actions-toolkit/lib/buildx/build'); - const { GitHub } = require('@docker/actions-toolkit/lib/github'); + const { GitHub } = require('@docker/actions-toolkit/lib/github/github'); const { Util } = require('@docker/actions-toolkit/lib/util'); const inpPlatform = core.getInput('platform'); @@ -739,13 +742,13 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} - name: Build id: bake - uses: docker/bake-action@5be5f02ff8819ecd3092ea6b2e6261c31774f2b4 # v6.10.0 + uses: docker/bake-action@82490499d2e5613fcead7e128237ef0b0ea210f7 # v7.0.0 with: source: ${{ steps.prepare.outputs.source }} files: ${{ steps.prepare.outputs.files }} 
@@ -771,7 +774,7 @@ jobs: - name: Login to registry for signing if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} env: @@ -862,7 +865,7 @@ jobs: - name: Upload artifact if: ${{ inputs.output == 'local' && inputs.artifact-upload }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.artifact-name }}${{ steps.prepare.outputs.platform-pair-suffix || '0' }} path: ${{ env.LOCAL_EXPORT_DIR }} @@ -904,17 +907,26 @@ jobs: cosign-version: ${{ env.COSIGN_VERSION }} cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }} artifact-name: ${{ inputs.artifact-upload && inputs.artifact-name || '' }} + digest: ${{ steps.manifest.outputs.digest || steps.artifact.outputs.artifact-digest }} output-type: ${{ inputs.output }} signed: ${{ needs.prepare.outputs.sign }} needs: - prepare - build steps: + - + name: Install @docker/actions-toolkit + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} + with: + script: | + await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]); - name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} 
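Review bot: `digest:` in the finalize job outputs falls back to `steps.artifact.outputs.artifact-digest`, which only works if `actions/upload-artifact/merge` at the pinned v7.0.0 actually exposes an `artifact-digest` output; I cannot confirm that from the diff, and if it does not, the `local` path silently yields an empty digest rather than failing. Worth checking against that action's action.yml before merging, and dropping the fallback if the output does not exist. The new `Install @docker/actions-toolkit` step pins the module version and passes `--ignore-scripts`, which is the right shape for an install in a job that later handles registry credentials. The same output expression is added in the build.yml finalize hunk.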
@@ -925,7 +937,7 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} env: @@ -933,7 +945,7 @@ jobs: - name: Set up Docker Buildx if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug @@ -941,6 +953,7 @@ jobs: cache-binary: false - name: Create manifest + id: manifest if: ${{ inputs.output == 'image' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -950,6 +963,8 @@ jobs: INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} with: script: | + const { ImageTools } = require('@docker/actions-toolkit/lib/buildx/imagetools'); + const inpPush = core.getBooleanInput('push'); const inpImageNames = core.getMultilineInput('image-names'); const inpTagNames = core.getMultilineInput('tag-names'); 
@@ -967,26 +982,34 @@ jobs: return; } + let digest; for (const imageName of inpImageNames) { - let createArgs = ['buildx', 'imagetools', 'create']; + const tags = []; for (const tag of inpTagNames) { - createArgs.push('-t', `${imageName}:${tag}`); - } - for (const digest of digests) { - createArgs.push(digest); + tags.push(`${imageName}:${tag}`); } + const result = await new ImageTools().create({ + sources: digests, + tags: tags, + skipExec: !inpPush + }); if (inpPush) { - await exec.exec('docker', createArgs); - } else { - await core.group(`Generated imagetools create command for ${imageName}`, async () => { - core.info(`docker ${createArgs.join(' ')}`); - }); + if (!result.digest) { + core.setFailed('Failed to create manifest, no digest returned'); + return; + } + digest = result.digest; + core.info(`Manifest created: ${imageName}@${result.digest}`); } } + if (digest) { + core.setOutput('digest', digest); + } - name: Merge artifacts + id: artifact if: ${{ inputs.output == 'local' && inputs.artifact-upload }} - uses: actions/upload-artifact/merge@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.artifact-name }} pattern: ${{ inputs.artifact-name }}* diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 9f0a189d..aa2d77c7 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -141,6 +141,9 @@ on: artifact-name: description: "Name of the uploaded artifact (for local output)" value: ${{ jobs.finalize.outputs.artifact-name }} + digest: + description: "Digest of the image pushed or artifact uploaded" + value: ${{ jobs.finalize.outputs.digest }} output-type: description: "Build output type" value: ${{ jobs.finalize.outputs.output-type }} 
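Review bot: `digest` in the rewritten manifest loop is overwritten on every iteration of `for (const imageName of inpImageNames)`, so with several image names the `digest` output is whichever manifest was created last, and nothing checks that the earlier ones agree. Presumably the per-image manifests are built from the same `digests` and hash identically, but if they can ever differ the output would not resolve for the other image names; either state the contract in a comment above `let digest;` (`// output digest: manifest digest of the last image name; unset unless pushing`) or fail on divergence with `if (digest && digest !== result.digest) { core.setFailed('manifest digests differ across image names'); return; }` before the assignment. The non-push branch leaves `digest` unset, so the workflow output is empty there and callers must treat an empty digest as nothing to reference. The same loop is rewritten in the build.yml hunk further down.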
@@ -149,11 +152,11 @@ on: value: ${{ jobs.finalize.outputs.signed }} env: - BUILDX_VERSION: "v0.31.1" - BUILDKIT_IMAGE: "moby/buildkit:v0.27.1" + BUILDX_VERSION: "v0.32.1" + BUILDKIT_IMAGE: "moby/buildkit:v0.28.0" SBOM_IMAGE: "docker/buildkit-syft-scanner:1.10.0" BINFMT_IMAGE: "tonistiigi/binfmt:qemu-v10.2.1-65" - DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.76.0" + DOCKER_ACTIONS_TOOLKIT_MODULE: "@docker/actions-toolkit@0.81.0" COSIGN_VERSION: "v3.0.2" LOCAL_EXPORT_DIR: "/tmp/buildx-output" MATRIX_SIZE_LIMIT: "20" @@ -228,7 +231,7 @@ jobs: } - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Set outputs id: set @@ -245,7 +248,7 @@ jobs: INPUT_SIGN: ${{ inputs.sign }} with: script: | - const { GitHub } = require('@docker/actions-toolkit/lib/github'); + const { GitHub } = require('@docker/actions-toolkit/lib/github/github'); const { Util } = require('@docker/actions-toolkit/lib/util'); const inpMatrixSizeLimit = parseInt(core.getInput('matrix-size-limit'), 10); @@ -368,7 +371,7 @@ jobs: name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} 
@@ -377,18 +380,18 @@ jobs: annotations: ${{ inputs.meta-annotations }} - name: Set up QEMU - uses: docker/setup-qemu-action@c7c53464625b32c7a7e944ae62b3e17d2b600130 # v3.7.0 + uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4.0.0 if: ${{ inputs.setup-qemu }} with: image: ${{ env.BINFMT_IMAGE }} cache-image: false - name: Expose GitHub Runtime - uses: crazy-max/ghaction-github-runtime@3cb05d89e1f492524af3d41a1c98c83bc3025124 # v3.1.0 + uses: crazy-max/ghaction-github-runtime@04d248b84655b509d8c44dc1d6f990c879747487 # v4.0.0 - name: Set up Docker Buildx id: buildx - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} cache-binary: false @@ -516,7 +519,7 @@ jobs: with: script: | const { Build } = require('@docker/actions-toolkit/lib/buildx/build'); - const { GitHub } = require('@docker/actions-toolkit/lib/github'); + const { GitHub } = require('@docker/actions-toolkit/lib/github/github'); const inpPlatform = core.getInput('platform'); const platformPairSuffix = inpPlatform ? `-${inpPlatform.replace(/\//g, '-')}` : ''; @@ -596,13 +599,13 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} - name: Build id: build - uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2 + uses: docker/build-push-action@d08e5c354a6adb9ed34480a06d141179aa583294 # v7.0.0 with: annotations: ${{ steps.prepare.outputs.annotations }} build-args: ${{ inputs.build-args }} 
@@ -625,7 +628,7 @@ jobs: - name: Login to registry for signing if: ${{ needs.prepare.outputs.sign == 'true' && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} env: @@ -716,7 +719,7 @@ jobs: - name: Upload artifact if: ${{ inputs.output == 'local' && inputs.artifact-upload }} - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.artifact-name }}${{ steps.prepare.outputs.platform-pair-suffix || '0' }} path: ${{ env.LOCAL_EXPORT_DIR }} @@ -758,17 +761,26 @@ jobs: cosign-version: ${{ env.COSIGN_VERSION }} cosign-verify-commands: ${{ steps.set.outputs.cosign-verify-commands }} artifact-name: ${{ inputs.artifact-upload && inputs.artifact-name || '' }} + digest: ${{ steps.manifest.outputs.digest || steps.artifact.outputs.artifact-digest }} output-type: ${{ inputs.output }} signed: ${{ needs.prepare.outputs.sign }} needs: - prepare - build steps: + - + name: Install @docker/actions-toolkit + uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 + env: + INPUT_DAT-MODULE: ${{ env.DOCKER_ACTIONS_TOOLKIT_MODULE }} + with: + script: | + await exec.exec('npm', ['install', '--prefer-offline', '--ignore-scripts', core.getInput('dat-module')]); - name: Docker meta id: meta if: ${{ inputs.output == 'image' }} - uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0 + uses: docker/metadata-action@030e881283bb7a6894de51c315a6bfe6a94e05cf # v6.0.0 with: images: ${{ inputs.meta-images }} tags: ${{ inputs.meta-tags }} 
@@ -778,7 +790,7 @@ jobs: - name: Login to registry if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} env: @@ -786,7 +798,7 @@ jobs: - name: Set up Docker Buildx if: ${{ inputs.push && inputs.output == 'image' }} - uses: docker/setup-buildx-action@8d2750c68a42422c14e847fe6c8ac0403b4cbd6f # v3.12.0 + uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0 with: version: ${{ env.BUILDX_VERSION }} buildkitd-flags: --debug @@ -794,6 +806,7 @@ jobs: cache-binary: false - name: Create manifest + id: manifest if: ${{ inputs.output == 'image' }} uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 env: @@ -803,6 +816,8 @@ jobs: INPUT_BUILD-OUTPUTS: ${{ toJSON(needs.build.outputs) }} with: script: | + const { ImageTools } = require('@docker/actions-toolkit/lib/buildx/imagetools'); + const inpPush = core.getBooleanInput('push'); const inpImageNames = core.getMultilineInput('image-names'); const inpTagNames = core.getMultilineInput('tag-names'); 
@@ -820,26 +835,34 @@ jobs: return; } + let digest; for (const imageName of inpImageNames) { - let createArgs = ['buildx', 'imagetools', 'create']; + const tags = []; for (const tag of inpTagNames) { - createArgs.push('-t', `${imageName}:${tag}`); - } - for (const digest of digests) { - createArgs.push(digest); + tags.push(`${imageName}:${tag}`); } + const result = await new ImageTools().create({ + sources: digests, + tags: tags, + skipExec: !inpPush + }); if (inpPush) { - await exec.exec('docker', createArgs); - } else { - await core.group(`Generated imagetools create command for ${imageName}`, async () => { - core.info(`docker ${createArgs.join(' ')}`); - }); + if (!result.digest) { + core.setFailed('Failed to create manifest, no digest returned'); + return; + } + digest = result.digest; + core.info(`Manifest created: ${imageName}@${result.digest}`); } } + if (digest) { + core.setOutput('digest', digest); + } - name: Merge artifacts + id: artifact if: ${{ inputs.output == 'local' && inputs.artifact-upload }} - uses: actions/upload-artifact/merge@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 + uses: actions/upload-artifact/merge@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0 with: name: ${{ inputs.artifact-name }} pattern: ${{ inputs.artifact-name }}* diff --git a/.github/workflows/verify.yml b/.github/workflows/verify.yml index 453162f5..95cc865a 100644 --- a/.github/workflows/verify.yml +++ b/.github/workflows/verify.yml @@ -81,7 +81,7 @@ jobs: - name: Login to registry if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'image' }} - uses: docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9 # v3.7.0 + uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0 with: registry-auth: ${{ secrets.registry-auths }} env: 
@@ -89,7 +89,7 @@ jobs: - name: Download artifacts if: ${{ steps.vars.outputs.signed == 'true' && steps.vars.outputs.output-type == 'local' }} - uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7.0.0 + uses: actions/download-artifact@3e5f45b2cfb9172054b4087a40e8e0b5a5461e7c # v8.0.1 with: name: ${{ steps.vars.outputs.artifact-name }} - diff --git a/README.md b/README.md index 9abbc214..c15f5c31 100644 --- a/README.md +++ b/README.md @@ -12,9 +12,11 @@ ___ * [Build reusable workflow](#build-reusable-workflow) * [Inputs](#inputs) * [Secrets](#secrets) + * [Outputs](#outputs) * [Bake reusable workflow](#bake-reusable-workflow) - * [Inputs](#inputs) - * [Secrets](#secrets) + * [Inputs](#inputs-1) + * [Secrets](#secrets-1) + * [Outputs](#outputs-1) ## Overview 
@@ -252,6 +254,22 @@ on: | `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) | | `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context | +#### Outputs + +These outputs are available as `needs..outputs.*` and can be passed +directly to the [`verify.yml` reusable workflow](.github/workflows/verify.yml) +with `builder-outputs: ${{ toJSON(needs..outputs) }}`. + +| Name | Type | Description | +|--------------------------|--------|------------------------------------------------------------------------------| +| `meta-json` | JSON | Metadata JSON output from `docker/metadata-action` (for `image` output) | +| `cosign-version` | String | Cosign version used for verification | +| `cosign-verify-commands` | List | Newline-delimited `cosign verify` commands generated when signing is enabled | +| `artifact-name` | String | Name of the uploaded merged artifact (for `local` output) | +| `digest` | String | Digest of the image pushed or artifact uploaded | +| `output-type` | String | Output type selected for the workflow (`image` or `local`) | +| `signed` | Bool | Whether attestation manifests or local artifacts were signed | + ### Bake reusable workflow The [`bake.yml` reusable workflow](.github/workflows/bake.yml) lets you build 
@@ -357,3 +375,19 @@ on: |------------------|-----------------------|--------------------------------------------------------------------------------| | `registry-auths` | | Raw authentication to registries, defined as YAML objects (for `image` output) | | `github-token` | `${{ github.token }}` | GitHub Token used to authenticate against the repository for Git context | + +#### Outputs + +These outputs are available as `needs..outputs.*` and can be passed +directly to the [`verify.yml` reusable workflow](.github/workflows/verify.yml) +with `builder-outputs: ${{ toJSON(needs..outputs) }}`. + +| Name | Type | Description | +|--------------------------|--------|------------------------------------------------------------------------------| +| `meta-json` | JSON | Metadata JSON output from `docker/metadata-action` (for `image` output) | +| `cosign-version` | String | Cosign version used for verification | +| `cosign-verify-commands` | List | Newline-delimited `cosign verify` commands generated when signing is enabled | +| `artifact-name` | String | Name of the uploaded merged artifact (for `local` output) | +| `digest` | String | Digest of the image pushed or artifact uploaded | +| `output-type` | String | Output type selected for the workflow (`image` or `local`) | +| `signed` | Bool | Whether attestation manifests or local artifacts were signed |