From 22604d45921dea97939c358a9d18878167a0fa2a Mon Sep 17 00:00:00 2001
From: Akis Maziotis
Date: Fri, 12 Jul 2024 08:34:56 +0300
Subject: [PATCH] [fix] ci container image scanning (#27631)

Fixup on https://github.com/mattermost/mattermost/pull/27624

Exposing the tag variable to be used in the scanning step.

Ticket: https://mattermost.atlassian.net/browse/CLD-8041

Signed-off-by: Akis Maziotis
---
 .github/workflows/server-ci-artifacts.yml | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/server-ci-artifacts.yml b/.github/workflows/server-ci-artifacts.yml
index 10cd61259bc..a548b2086d0 100644
--- a/.github/workflows/server-ci-artifacts.yml
+++ b/.github/workflows/server-ci-artifacts.yml
@@ -73,6 +73,8 @@ jobs:
 runs-on: ubuntu-22.04
 needs:
 - upload-artifacts
+ outputs:
+ TAG: ${{ steps.set_tag.outputs.TAG }}
 steps:
 - name: cd/docker-login
 uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0
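Review bot: The new `outputs:` block on build-docker carries no comment saying what TAG is or who consumes it, and its value comes from the step id `set_tag`, which is defined further down the job outside this hunk. A short comment above `TAG:` such as `# 7-char prefix of the head SHA; consumed by scan-docker-image via needs.build-docker.outputs.TAG` would make the cross-job contract visible where it is declared. If the set_tag step is ever skipped, the output presumably resolves to an empty string rather than failing the job, so the consumer should treat an empty TAG as an error. The build-docker job header itself is outside the hunk.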
@@ -96,26 +98,32 @@ jobs:
 - name: cd/setup-docker-buildx
 uses: docker/setup-buildx-action@0d103c3126aa41d772a8362f6aa67afac040f80c # v3.1.0
+ - name: cd/set-docker-tag
+ id: set_tag
+ run: |
+ echo "TAG=$(echo '${{ github.event.workflow_run.head_sha }}' | cut -c1-7)" >> $GITHUB_OUTPUT
+
 - name: cd/docker-build-and-push
 id: docker
 env:
 MM_PACKAGE: https://pr-builds.mattermost.com/mattermost/commit/${{ github.event.workflow_run.head_sha }}/mattermost-team-linux-amd64.tar.gz
+ TAG: ${{ steps.set_tag.outputs.TAG }}
 run: |
 cd server/build
- export TAG=$(echo "${{ github.event.workflow_run.head_sha }}" | cut -c1-7)
- echo "tag=${TAG}" >> "${GITHUB_OUTPUT}"
 docker buildx build --no-cache --platform linux/amd64 --push --build-arg MM_PACKAGE=${MM_PACKAGE} -t mattermostdevelopment/mm-te-test:${TAG} -t mattermostdevelopment/mattermost-team-edition:${TAG} .
 echo "DOCKERHUB_IMAGE_DIGEST=$(cosign triangulate mattermostdevelopment/mattermost-team-edition:${TAG} | cut -d: -f2 | sed 's/\.sig$//' | tr '-' ':')" >> "${GITHUB_OUTPUT}"
 - name: cd/generate-summary
+ env:
+ TAG: ${{ steps.set_tag.outputs.TAG }}
 run: |
 echo "### Docker Image for Mattermost team package" >> "${GITHUB_STEP_SUMMARY}"
 echo " " >> "${GITHUB_STEP_SUMMARY}"
 echo "Mattermost Repo SHA: \`${{ github.event.workflow_run.head_sha }}\`" >> "${GITHUB_STEP_SUMMARY}"
 echo " " >> "${GITHUB_STEP_SUMMARY}"
- echo "Docker Image: \`mattermostdevelopment/mattermost-team-edition:${{ steps.docker.outputs.tag }}\`" >> "${GITHUB_STEP_SUMMARY}"
+ echo "Docker Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}\`" >> "${GITHUB_STEP_SUMMARY}"
 echo "Image Digest: \`${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"
- echo "Secure Image: \`mattermostdevelopment/mattermost-team-edition:${{ steps.docker.outputs.tag }}@${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"
+ echo "Secure Image: \`mattermostdevelopment/mattermost-team-edition:${TAG}@${{ steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST }}\`" >> "${GITHUB_STEP_SUMMARY}"
 scan-docker-image:
 runs-on: ubuntu-22.04
@@ -135,11 +143,11 @@ jobs:
 - name: cd/download-container-image
 run: |
- docker pull mattermostdevelopment/mattermost-team-edition:${{ steps.docker.outputs.tag }}
+ docker pull mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }}
 - name: cd/scan-image
 run: |
- ./wizcli docker scan --image mattermostdevelopment/mattermost-team-edition:${{ steps.docker.outputs.tag }} --policy "$POLICY”
+ ./wizcli docker scan --image mattermostdevelopment/mattermost-team-edition:${{ needs.build-docker.outputs.TAG }} --policy "$POLICY"
 update-failure-final-status:
 if: failure() || cancelled()
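Review bot: The new cd/set-docker-tag step interpolates `${{ github.event.workflow_run.head_sha }}` straight into the shell and appends to an unquoted `$GITHUB_OUTPUT`, while every other step in this hunk writes to `"${GITHUB_OUTPUT}"`. Passing the value through the step's `env:` and using a parameter expansion keeps the script free of expression interpolation and matches the rest of the file: `env: HEAD_SHA: ${{ github.event.workflow_run.head_sha }}` on the step and `echo "TAG=${HEAD_SHA:0:7}" >> "${GITHUB_OUTPUT}"` as the run line. The step would also benefit from a comment stating that TAG is the 7-character SHA prefix exported as the job's TAG output for scan-docker-image, and that an empty head_sha would yield an empty TAG. The build-docker job begins before this hunk.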
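Review bot: Both the pull and the scan reference the image by its mutable `:TAG` tag, even though build-docker already records the pushed image's digest in `steps.docker.outputs.DOCKERHUB_IMAGE_DIGEST` and prints a digest-pinned "Secure Image" reference in its summary. Exposing that digest as a second job output and scanning `mattermostdevelopment/mattermost-team-edition@${{ needs.build-docker.outputs.DOCKERHUB_IMAGE_DIGEST }}` would bind the scan verdict to exactly the image that was built rather than to whatever the tag resolves to at pull time. The new expression also relies on scan-docker-image listing build-docker under `needs:`, which is outside the hunk; if that is missing, the output is empty and `docker pull` fails on an invalid reference instead of reporting the real cause. A guard before the pull such as `test -n "${{ needs.build-docker.outputs.TAG }}" || { echo "empty TAG from build-docker"; exit 1; }` would make the failure explicit.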