Update dependency express to v4.20.0 [SECURITY] #798
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build | |
on: | |
push: | |
branches: | |
- 'main' | |
tags: | |
- 'v*' | |
pull_request: | |
branches: | |
- 'main' | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
actions: none | |
checks: none | |
contents: none | |
deployments: none | |
issues: none | |
packages: write | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
id-token: none | |
steps: | |
- uses: actions/checkout@2541b1294d2704b0964813337f33b291d3f8596b # tag=v3.0.2 | |
- name: Login to GitHub | |
if: github.event_name != 'pull_request' | |
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- id: docker_meta | |
uses: docker/metadata-action@69f6fc9d46f2f8bf0d5491e4aabe0bb8c6a4678a # tag=v4.0.1 | |
with: | |
images: ghcr.io/${{ github.repository }} | |
flavor: | | |
latest=true | |
tags: | | |
type=sha,format=long | |
type=edge,branch=$repo.default_branch | |
type=semver,pattern={{version}} | |
type=semver,pattern={{major}}.{{minor}} | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@dc7b9719a96d48369863986a06765841d7ea23f6 # tag=v2 | |
- name: build+load | |
uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 | |
with: | |
context: . | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
labels: ${{ steps.docker_meta.outputs.labels }} | |
load: true | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
- name: Create kind cluster | |
uses: helm/kind-action@d08cf6ff1575077dee99962540d77ce91c62387d | |
timeout-minutes: 5 | |
with: | |
kubectl_version: v1.22.2 | |
cluster_name: kind | |
- name: Install kustomize | |
run: curl -s "https://raw.githubusercontent.com/kubernetes-sigs/kustomize/master/hack/install_kustomize.sh" | bash | |
- name: Load our docker image into kind cluster | |
run: kind load docker-image $(echo "${{ steps.docker_meta.outputs.tags }}" | head -1) | |
- name: Set imagetag with kustomize | |
run: kustomize edit set image ghcr.io/appvia/cosign-keyless-admission-webhook=$(echo "${{ steps.docker_meta.outputs.tags }}" | head -1) | |
- name: Install cert-manager | |
run: | | |
kubectl apply -f https://github.com/jetstack/cert-manager/releases/latest/download/cert-manager.yaml | |
kubectl wait --for=condition=available --timeout=600s -n cert-manager \ | |
deployment/cert-manager \ | |
deployment/cert-manager-cainjector \ | |
deployment/cert-manager-webhook | |
- name: Install our validating webhook | |
run: | | |
kustomize build | kubectl apply -f - | |
kubectl wait --for=condition=available --timeout=600s deployment/cosign-keyless-admission-webhook -n cosign-keyless-admission-webhook | |
- name: Deploy known bad issuer pod | |
run: "! kubectl apply -f test/BadIssuer.yaml" | |
- name: Deploy known bad subject pod | |
run: "! kubectl apply -f test/BadSubject.yaml" | |
- name: Deploy known good pod | |
run: kubectl apply -f test/GoodMixed.yaml | |
- name: push | |
if: github.event_name != 'pull_request' | |
uses: docker/build-push-action@e551b19e49efd4e98792db7592c17c09b89db8d8 # tag=v3.0.0 | |
with: | |
context: . | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
labels: ${{ steps.docker_meta.outputs.labels }} | |
cache-from: type=gha | |
push: true | |
cache-to: type=gha,mode=max | |
outputs: | |
tags: ${{ steps.docker_meta.outputs.tags }} | |
sign: | |
needs: build | |
runs-on: ubuntu-latest | |
if: github.event_name != 'pull_request' | |
permissions: | |
actions: none | |
checks: none | |
contents: none | |
deployments: none | |
issues: none | |
packages: write | |
pull-requests: none | |
repository-projects: none | |
security-events: none | |
statuses: none | |
id-token: write | |
steps: | |
- name: Login to GitHub | |
uses: docker/login-action@49ed152c8eca782a232dede0303416e8f356c37b # tag=v2.0.0 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- uses: sigstore/cosign-installer@48866aa521d8bf870604709cd43ec2f602d03ff2 # tag=v2.4.1 | |
- name: Sign the images | |
run: cosign sign ${TAGS} | |
env: | |
TAGS: ${{needs.build.outputs.tags}} | |
COSIGN_EXPERIMENTAL: 1 |