Skip to content
Upload depscan Package and Container image

Upload depscan Package and Container image #1592

Sign in to view logs

Upload depscan Package and Container image

Upload depscan Package and Container image #1592

Workflow file for this run

.github/workflows/pythonpublish.yml at ff42770
name: Upload depscan Package and Container image
on:
schedule:
- cron: "0 4 * * *"
push:
paths-ignore:
- '**/README.md'
- 'dockertests.yml'
- 'pythonapp.yml'
- 'gobintests.yml'
branches:
- master
- release/*
tags:
- 'v*'
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
cancel-in-progress: false
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
jobs:
pypi:
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
id-token: write
steps:
- uses: actions/checkout@v4
- name: Install uv
uses: astral-sh/setup-uv@v5
with:
python-version: '3.12'
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '23.x'
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
- name: Trim CI agent
run: |
chmod +x contrib/free_disk_space.sh
./contrib/free_disk_space.sh
- name: Build
run: |
uv build --all-packages
ls -lh dist
- name: Publish package distributions to PyPI
if: startsWith(github.ref, 'refs/tags/')
run: |
uv publish --trusted-publishing always
build-images:
strategy:
fail-fast: true
matrix:
image:
- id: default-amd64
arch: amd64
dockerfile: Dockerfile
images: |
ghcr.io/${{ github.repository }}
ghcr.io/owasp-dep-scan/depscan
- id: default-arm64
arch: arm64
runner-suffix: -arm
dockerfile: Dockerfile
images: |
ghcr.io/${{ github.repository }}
ghcr.io/owasp-dep-scan/depscan
- id: al9-amd64
arch: amd64
dockerfile: Dockerfile.al9
images: |
ghcr.io/owasp-dep-scan/depscan-al9
ghcr.io/owasp-dep-scan/dep-scan-al9
- id: al9-arm64
arch: arm64
runner-suffix: -arm
dockerfile: Dockerfile.al9
images: |
ghcr.io/owasp-dep-scan/depscan-al9
ghcr.io/owasp-dep-scan/dep-scan-al9
runs-on: ubuntu-24.04${{ matrix.image.runner-suffix }}
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata (tags, labels) for Docker
id: meta
uses: docker/metadata-action@v5
with:
images: ${{ matrix.image.images }}
flavor: latest=false,suffix=-${{ matrix.image.arch }}
- name: Build and push Docker images
uses: docker/build-push-action@v5
id: build
with:
context: .
file: ${{ matrix.image.dockerfile }}
platforms: linux/${{ matrix.image.arch }}
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha,scope=depscan
cache-to: type=gha,mode=max,scope=depscan
deploy-manifest:
needs: [build-images]
strategy:
fail-fast: true
matrix:
image:
- id: default
images: |
ghcr.io/${{ github.repository }}
ghcr.io/owasp-dep-scan/depscan
- id: al9
images: |
ghcr.io/owasp-dep-scan/depscan-al9
ghcr.io/owasp-dep-scan/dep-scan-al9
runs-on: ubuntu-24.04
permissions:
contents: read
packages: write
steps:
- uses: actions/checkout@v4
- uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/metadata-action@v5
id: metadata
with:
images: ${{ matrix.image.images }}
- name: Define Sources
id: sources
run: |
FIRST_TAG=$(echo "${{ steps.metadata.outputs.tags }}" | head -n 1)
echo "amd64_source=${FIRST_TAG}-amd64" >> $GITHUB_OUTPUT
echo "arm64_source=${FIRST_TAG}-arm64" >> $GITHUB_OUTPUT
- uses: int128/docker-manifest-create-action@v2
with:
index-annotations: ${{ steps.metadata.outputs.labels }}
tags: ${{ steps.metadata.outputs.tags }}
sources: |
${{ steps.sources.outputs.amd64_source }}
${{ steps.sources.outputs.arm64_source }}
post-process:
needs: [deploy-manifest]
runs-on: ubuntu-latest
permissions:
contents: write
packages: write
steps:
- uses: actions/checkout@v4
- name: Set up Node.js
uses: actions/setup-node@v4
with:
node-version: '23.x'
- name: Set up JDK
uses: actions/setup-java@v4
with:
distribution: 'temurin'
java-version: '21'
- uses: oras-project/setup-oras@v1
- name: Log in to the Container registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Generate SBOM with cdxgen
run: |
npm install -g @cyclonedx/cdxgen
cdxgen -t python -o bom.json . --profile research
cdxgen -t docker -o depscan-oci-image.cdx.json ghcr.io/owasp-dep-scan/depscan:latest
- name: Attach sbom to the image
if: startsWith(github.ref, 'refs/tags/')
continue-on-error: true
run: |
oras attach --artifact-type sbom/cyclonedx ghcr.io/owasp-dep-scan/depscan:latest ./depscan-oci-image.cdx.json:application/json
oras discover --format tree ghcr.io/owasp-dep-scan/depscan:latest
- name: Create Release
id: create_release
if: startsWith(github.ref, 'refs/tags/')
uses: softprops/action-gh-release@v2
with:
files: |
bom.json
depscan-oci-image.cdx.json
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Setup nydus
run: |
curl -LO https://github.com/dragonflyoss/nydus/releases/download/v2.3.1/nydus-static-v2.3.1-linux-amd64.tgz
tar -xvf nydus-static-v2.3.1-linux-amd64.tgz
chmod +x nydus-static/*
mv nydus-static/* /usr/local/bin/
rm -rf nydus-static-v2.3.1-linux-amd64.tgz nydus-static
- name: nydusify
run: |
nydusify convert --oci --oci-ref --source ghcr.io/owasp-dep-scan/depscan:master --target ghcr.io/owasp-dep-scan/depscan:master-nydus --prefetch-dir /opt/dep-scan
nydusify check --target ghcr.io/owasp-dep-scan/depscan:master-nydus
nydusify convert --oci --oci-ref --source ghcr.io/owasp-dep-scan/dep-scan:master --target ghcr.io/owasp-dep-scan/dep-scan:master-nydus --prefetch-dir /opt/dep-scan
if: github.ref == 'refs/heads/master'
continue-on-error: true