build(deps): bump the kubernetes group across 1 directory with 8 updates #6759

Workflow file for this run

	name: build
	on:
	push:
	branches:
	- main
	release:
	types: [published]
	pull_request:
	env:
	GO_VERSION: '1.22'
	NIX_VERSION: '2.18.1'
	BOM_VERSION: v0.5.1
	concurrency:
	group: ${{ github.workflow }}-${{ github.ref }}
	cancel-in-progress: true

	permissions: {}

	jobs:
	macos:
	runs-on: macos-12
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version: ${{ env.GO_VERSION }}
	- run: make test-unit
	- run: make verify-go-lint

	nix:
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
	with:
	install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
	- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
	with:
	name: security-profiles-operator
	authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
	pushFilter: security-profiles-operator
	- run: make nix
	- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
	with:
	name: build
	path: build.tar.gz

	nix-spoc:
	if: github.ref == 'refs/heads/main' \|\| contains(github.ref, 'refs/tags')
	runs-on: ubuntu-22.04
	permissions:
	contents: write # required for updating the release
	id-token: write # required for sigstore signing
	steps:
	- uses: sigstore/cosign-installer@59acb6260d9c0ba8f4a2f9d9b48431a222b68e20 # v3.5.0
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
	with:
	install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
	- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
	with:
	name: security-profiles-operator
	authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
	pushFilter: security-profiles-operator
	- run: \|
	sudo curl -sSfL --retry 5 --retry-delay 3 -o /usr/bin/bom \
	https://github.com/kubernetes-sigs/bom/releases/download/${{ env.BOM_VERSION }}/bom-amd64-linux
	sudo chmod +x /usr/bin/bom
	- run: make nix-spoc
	- uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
	with:
	name: spoc
	path: \|
	build/*
	- uses: softprops/action-gh-release@69320dbe05506a9a39fc8ae11030b214ec2d1f87 # v2.0.5
	if: startsWith(github.ref, 'refs/tags/')
	with:
	files: \|
	build/*

	bpf:
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/setup-go@cdcb36043654635271a94b9a6d1392de5bb323a7 # v5.0.1
	with:
	go-version: ${{ env.GO_VERSION }}
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- uses: cachix/install-nix-action@ba0dd844c9180cbf77aa72a116d6fbc515d0e87b # v27
	with:
	install_url: https://releases.nixos.org/nix/nix-${{ env.NIX_VERSION }}/install
	- uses: cachix/cachix-action@ad2ddac53f961de1989924296a1f236fcfbaa4fc # v15
	with:
	name: security-profiles-operator
	authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
	pushFilter: security-profiles-operator
	- run: make verify-bpf

	build-image:
	runs-on: ubuntu-22.04
	steps:
	- name: Remove unnecessary files
	run: \|
	sudo rm -rf /usr/share/dotnet
	sudo rm -rf "$AGENT_TOOLSDIRECTORY"
	sudo rm -rf /opt/ghc
	sudo rm -rf /usr/local/share/boost
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.0.0
	- name: Login to Quay
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	registry: quay.io/security-profiles-operator
	username: security-profiles-operator+github
	password: ${{ secrets.QUAY_TOKEN }}
	if: github.ref == 'refs/heads/main'
	- name: Image metadata
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	quay.io/security-profiles-operator/build
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	type=ref,event=tag
	type=sha,format=long
	- name: Build (and push if needed)
	uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
	with:
	context: .
	file: Dockerfile.build-image
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	push: ${{ github.ref == 'refs/heads/main' }}
	# Only load on PR builds
	load: ${{ github.ref != 'refs/heads/main' }}
	- name: Run container image vulnerability scanner
	uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
	with:
	image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	format: 'table'
	exit-code: '0'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'
	timeout: 30m

	operator-image:
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
	- name: Login to Quay
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	registry: quay.io/security-profiles-operator
	username: security-profiles-operator+github
	password: ${{ secrets.QUAY_TOKEN }}
	if: github.ref == 'refs/heads/main'
	- name: Image metadata
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	quay.io/security-profiles-operator/spo
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	type=ref,event=tag
	type=sha,format=long
	- name: Build
	uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
	with:
	context: .
	file: Dockerfile
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	load: true
	- name: Run container image vulnerability scanner
	uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
	with:
	image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'

	ubi-image:
	runs-on: ubuntu-22.04
	steps:
	- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
	- name: Set up Docker Buildx
	id: buildx
	uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
	- name: Login to Quay
	uses: docker/login-action@0d4c9c5ea7693da7b068278f7b52bda2a190a446 # v3.2.0
	with:
	registry: quay.io/security-profiles-operator
	username: security-profiles-operator+github
	password: ${{ secrets.QUAY_TOKEN }}
	if: github.ref == 'refs/heads/main'
	- name: Image metadata
	id: meta
	uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5.5.1
	with:
	images: \|
	quay.io/security-profiles-operator/build
	flavor: \|
	suffix=-ubi
	tags: \|
	type=ref,event=branch
	type=ref,event=pr
	type=ref,event=tag
	type=sha,format=long
	# TODO(jaosorior): Push UBI image too
	- name: Build
	uses: docker/build-push-action@c382f710d39a5bb4e430307530a720f50c2d3318 # v6.0.0
	with:
	context: .
	file: Dockerfile.ubi
	tags: ${{ steps.meta.outputs.tags }}
	labels: ${{ steps.meta.outputs.labels }}
	load: true
	- name: Run container image vulnerability scanner
	uses: aquasecurity/trivy-action@d710430a6722f083d3b36b8339ff66b32f22ee55 # 0.19.0
	with:
	image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
	format: 'table'
	exit-code: '1'
	ignore-unfixed: true
	vuln-type: 'os,library'
	severity: 'CRITICAL,HIGH'

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the kubernetes group across 1 directory with 8 updates #6759

Workflow file

build(deps): bump the kubernetes group across 1 directory with 8 updates #6759

Jobs

Run details

Workflow file for this run