chore(deps): bump actions/upload-artifact from 4.4.3 to 4.5.0 (#149) #131
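# Builds the giropops-senhas container image on every push to main, pushes it
# to Docker Hub, scans it with Trivy (SARIF to the Security tab plus a
# fail-the-job gate) and signs the pushed digest with a cosign key.
name: Build da imagem de container giropops-senhas

on:
  push:
    branches:
      - 'main'

# Workflow-wide default token scope; the job widens it only where needed.
permissions:
  contents: read

jobs:
  build:
    name: Build da Imagem giropops-senhas
    # ubuntu-20.04 hosted runners have been retired by GitHub; use a supported image.
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    permissions:
      actions: read           # needed by upload-sarif on private repositories
      contents: read
      security-events: write  # upload-sarif writes to the code-scanning tab
    env:
      # Single source of truth for the image name used by build, scan and sign.
      IMAGE: nataliagranato/linuxtips-giropops-senhas
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
        with:
          # 'audit' only records egress; switch to 'block' with an
          # allowed-endpoints list once the required hosts are known.
          egress-policy: audit

      - name: Fazer checkout do código
        # NOTE(review): the other pins carry a "# vX.Y.Z" comment; add one here
        # so the SHA can be audited without a registry lookup.
        uses: actions/checkout@6d193bf28034eafb982f37bd894289fe649468fc

      - name: Configurar QEMU
        uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0

      - name: Instalar Cosign
        uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3.7.0

      - name: Configurar Docker Buildx
        uses: docker/setup-buildx-action@6524bf65af31da8d45b59e8c27de4bd072b392f5 # v3.8.0

      - name: Fazer login no Docker Hub
        # NOTE(review): version comment missing next to the pinned SHA — add it.
        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567
        with:
          username: ${{ secrets.DOCKER_USERNAME }}
          password: ${{ secrets.DOCKER_PASSWORD }}

      # Only the labels from this step are consumed below; the pushed tag is the
      # generated one, so steps.meta.outputs.tags does not describe a pushed image.
      - name: Extrair metadados (tags, labels) para Docker
        id: meta
        uses: docker/metadata-action@369eb591f429131d6889c46b94e711f089e6ca96 # v5.6.1
        with:
          images: ${{ env.IMAGE }}

      - name: Gerar nome único para a tag
        id: generate-tag
        run: |
          # First 5 characters of the commit SHA plus a UTC timestamp.
          # Step outputs go through $GITHUB_OUTPUT; "::set-output" is deprecated.
          SHORT_HASH="${GITHUB_SHA:0:5}"
          TIMESTAMP="$(date -u +%Y%m%d%H%M%S)"
          echo "tag=${SHORT_HASH}-${TIMESTAMP}" >> "$GITHUB_OUTPUT"

      # The image is pushed before it is scanned: a finding below withholds the
      # signature (and fails the job) rather than the push itself, so consumers
      # must enforce signature verification at admission time.
      - name: Construir e enviar a imagem Docker
        uses: docker/build-push-action@48aba3b46d1b1fec4febb7c5d0c644b249a11355 # v6.10.0
        id: build-and-push
        with:
          context: ./src
          file: ./src/Dockerfile
          push: true
          tags: ${{ env.IMAGE }}:${{ steps.generate-tag.outputs.tag }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64,linux/arm64

      # Reporting scan: every severity, never fails the job, results land in the
      # Security tab. Note that a multi-platform tag is scanned for one platform.
      - name: Aqua Security Trivy
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ steps.generate-tag.outputs.tag }}
          format: 'sarif'
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          output: 'trivy-results.sarif'

      - name: Fazer upload dos resultados do Trivy para a aba de Segurança do GitHub
        uses: github/codeql-action/upload-sarif@df409f7d9260372bd5f19e5b04e83cb3c43714ae # v3.27.9
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

      # Gating scan: fixable HIGH/CRITICAL findings fail the job before signing,
      # so an image with known, fixable serious vulnerabilities is never signed.
      - name: Falhar em vulnerabilidades HIGH/CRITICAL com correção disponível
        uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
        with:
          image-ref: ${{ env.IMAGE }}:${{ steps.generate-tag.outputs.tag }}
          format: 'table'
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'

      # Sign by digest only: a digest reference is immutable and does not depend
      # on which tags happen to exist in the registry.
      - name: Assinar imagem com uma chave
        env:
          COSIGN_PRIVATE_KEY: ${{ secrets.COSIGN_PRIVATE_KEY }}
          COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}  # read by cosign to decrypt the key
          DIGEST: ${{ steps.build-and-push.outputs.digest }}
        run: |
          set -euo pipefail
          # Fail loudly instead of signing an empty reference if the build produced no digest.
          test -n "${DIGEST}"
          cosign sign --yes --key env://COSIGN_PRIVATE_KEY "${IMAGE}@${DIGEST}"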