Merge pull request #340 from cybozu/scan-compatible

Changed to execute a scan job when the build job is finished.
cybozu · Nov 20, 2024 · 70dbf40 · 70dbf40
2 parents 21fe2e6 + ec9626d
commit 70dbf40
Showing 1 changed file with 37 additions and 30 deletions.
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -7,7 +7,7 @@ env:
   go-version: 1.23
 jobs:
   release:
-    name: release images
+    name: Build and release images
     strategy:
       fail-fast: false
       matrix:
@@ -63,52 +63,59 @@ jobs:
           TAG=$(cat TAG)
           for repo in ghcr.io quay.io; do
             for image in ubuntu ubuntu-dev ubuntu-debug; do
-                c="$(container-tag-exists ${repo}/cybozu/$image $TAG 2>&1)"
-                if [ "$c" = "" ]; then
-                    echo "build ${repo}/cybozu/$image:$TAG"
-                    echo ${repo}/cybozu/$image >> BUILDS
-                fi
+              c="$(container-tag-exists ${repo}/cybozu/$image $TAG 2>&1)"
+              if [ "$c" = "" ]; then
+                echo "build ${repo}/cybozu/$image:$TAG"
+                echo ${repo}/cybozu/$image >> BUILDS
+              fi
             done
           done
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
       - name: Build and push images
         run: |
           if [ ! -f BUILDS ]; then
-              echo "nothing to build."
-              exit 0
+            echo "nothing to build."
+            exit 0
           fi
           TAG_MINIMAL=$(cat TAG_MINIMAL)
           TAG=$(cat TAG)
           BRANCH=$(cat BRANCH)
           for d in $(cat BUILDS); do
-              echo
-              echo "building $d ..."
-              dir=$(echo ${d} | awk -F'/' '{print $3}')
-              docker buildx build \
-                --platform linux/amd64,linux/arm64/v8 \
-                --push \
-                -t ${d}:$TAG \
-                -t ${d}:$BRANCH \
-                --build-arg TAG_MINIMAL=$TAG_MINIMAL \
-                --build-arg TAG=$TAG \
-                ${dir}
+            echo
+            echo "building $d ..."
+            dir=$(echo ${d} | awk -F'/' '{print $3}')
+            docker buildx build \
+              --platform linux/amd64,linux/arm64/v8 \
+              --push \
+              -t ${d}:$TAG \
+              -t ${d}:$BRANCH \
+              --build-arg TAG_MINIMAL=$TAG_MINIMAL \
+              --build-arg TAG=$TAG \
+              ${dir}
           done
+
+  scan:
+    name: Scan images
+    runs-on: ubuntu-24.04
+    needs: release
+    env:
+      YAMORY_ACCESS_TOKEN: ${{ secrets.YAMORY_ACCESS_TOKEN }}
+      ubuntu-version: "20.04 22.04 24.04"
+      ubuntu-image: "ubuntu-debug ubuntu-dev"
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
       - name: Install Trivy
         run: |
           curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin
       - name: Scan images
-        env:
-          YAMORY_ACCESS_TOKEN: ${{ secrets.YAMORY_ACCESS_TOKEN }}
         run: |
-          if [ ! -f BUILDS ]; then
-              echo "nothing to scan."
-              exit 0
-          fi
-          TAG=$(cat TAG)
-          BRANCH=$(cat BRANCH)
-          for d in $(cat BUILDS); do
+          for ubuntu_version in ${{ env.ubuntu-version }}; do
+            TAG=$(cat ${ubuntu_version}/TAG)
+            for ubuntu_image in ${{ env.ubuntu-image }}; do
               echo
-              echo "scanning $d:$TAG ..."
-              YAMORY_IMAGE_IDENTIFIER="${d}:$BRANCH" YAMORY_IMAGE_NAME="${d}:$TAG" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+              echo "scanning ${ubuntu_image}:${TAG} ..."
+              YAMORY_IMAGE_IDENTIFIER="ghcr.io/cybozu/${ubuntu_image}:${ubuntu_version}" YAMORY_IMAGE_NAME="ghcr.io/cybozu/${ubuntu_image}:${TAG}" bash -c "$(curl -sSf -L https://mw-receiver.yamory.io/image/script/trivy)"
+            done
           done