
Commit d30192b

ci: add Docker PR build workflow to exercise the trivy SBOM gate
Signed-off-by: Enrique Lacal <enrique.lacal@kaleido.io>
1 parent 4662d1a commit d30192b

1 file changed

Lines changed: 37 additions & 0 deletions

.github/workflows/docker_pr.yml

@@ -0,0 +1,37 @@
1+
name: Docker PR Build
2+
3+
on:
4+
pull_request:
5+
branches: [main]
6+
workflow_dispatch:
7+
8+
jobs:
9+
docker:
10+
runs-on: ubuntu-latest
11+
steps:
12+
- uses: actions/checkout@v3
13+
with:
14+
fetch-depth: 0
15+
16+
- name: Set up QEMU
17+
uses: docker/setup-qemu-action@v2
18+
19+
- name: Set up Docker Buildx
20+
id: buildx
21+
uses: docker/setup-buildx-action@v2
22+
23+
# Builds the full Dockerfile, including the SBOM stage that runs
24+
# `trivy sbom ... --exit-code 1`. The build fails if trivy installation
25+
# breaks or any UNKNOWN/HIGH/CRITICAL dependency CVE is present.
26+
# No push: this only validates that the image builds and passes the
27+
# trivy vulnerability gate.
28+
- name: Build (incl. trivy SBOM gate)
29+
uses: docker/build-push-action@v4
30+
with:
31+
context: ./
32+
file: ./Dockerfile
33+
builder: ${{ steps.buildx.outputs.name }}
34+
push: false
35+
load: false
36+
platforms: linux/amd64
37+
cache-from: type=registry,ref=ghcr.io/${{ github.repository }}:buildcache
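Review bot: the comment above the build step (lines 23-27) says the full Dockerfile is built "including the SBOM stage", but nothing in the step guarantees that. BuildKit only builds stages reachable from the target stage, and this step sets no `target:`, so if the stage that runs `trivy sbom ... --exit-code 1` is not consumed by the final image (for example via `COPY --from=`), BuildKit prunes it and the vulnerability gate silently never runs while the job still goes green. Either add `target:` pointing at the SBOM stage (or a stage that depends on it) or state in the comment which `COPY --from` makes the gate reachable. Two smaller points for a job that is itself a supply-chain control: pin `actions/checkout@v3`, `docker/setup-qemu-action@v2`, `docker/setup-buildx-action@v2` and `docker/build-push-action@v4` to full commit SHAs rather than mutable major tags, and add a top-level `permissions: contents: read` so the default `GITHUB_TOKEN` is read-only on a job triggered by `pull_request`. Minor: `fetch-depth: 0` pulls the whole history for a build that does not need it, and the QEMU step is unnecessary while `platforms` is only `linux/amd64`; `cache-from` with no matching `cache-to` means this workflow reads the `buildcache` ref but never refreshes it, which is fine for a PR job as long as some other workflow writes it.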
