add permissions for gcr login to base image build (#5860)

nginxinc · oseoin · Jun 26, 2024 · Jun 26, 2024 · Jun 26, 2024 · Jun 26, 2024
commit 5d5e1e4d3e13f5f123607cabe335984dbed17511
@@ -16,7 +16,6 @@ concurrency:
 
 permissions:
  contents: read
- id-token: write
 
 jobs:
  checks:
@@ -44,6 +43,7 @@ jobs:
  permissions:
  contents: read
  pull-requests: write # for scout report
+ id-token: write
  strategy:
  fail-fast: false
  matrix:
@@ -113,6 +113,7 @@ jobs:
  needs: checks
  permissions:
  contents: read
+ id-token: write
  pull-requests: write # for scout report
  strategy:
  fail-fast: false
@@ -185,6 +186,7 @@ jobs:
  needs: checks
  permissions:
  contents: read
+ id-token: write
  pull-requests: write # for scout report
  strategy:
  fail-fast: false

@@ -114,6 +114,16 @@ jobs:
  fi
  if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ platforms: arm,arm64,ppc64le,s390x
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
  - name: Build Base Container
  uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
  with:
@@ -187,7 +197,7 @@ jobs:
  uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
  continue-on-error: true
  with:
- image-ref: nginx/nginx-ingress:${{ steps.meta.outputs.version }}
+ image-ref: ${{ steps.meta.outputs.tags }}
  format: "sarif"
  output: "${{ inputs.image }}-results/trivy.sarif"
  ignore-unfixed: "true"

@@ -119,6 +119,16 @@ jobs:
  fi
  if: ${{ inputs.authenticated && ! inputs.full-build }}
 
+ - name: Setup QEMU
+ uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0
+ with:
+ platforms: arm,arm64,ppc64le,s390x
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
+ - name: Docker Buildx
+ uses: docker/setup-buildx-action@d70bba72b1f3fd22344832f00baa16ece964efeb # v3.3.0
+ if: ${{ steps.images_exist.outputs.base_exists != 'true' || steps.images_exist.outputs.target_exists != 'true' }}
+
  - name: Build Base Container
  uses: docker/build-push-action@ca052bb54ab0790a636c9b5f226502c73d547a25 # v5.4.0
  with:
@@ -199,19 +209,13 @@ jobs:
  - name: Make directory for security scan results
  run: |
  mkdir -p "${{ inputs.image }}-results/"
-
- - name: Extract image name for Scans
- id: scan-tag
- run: |
- tag=$(echo $DOCKER_METADATA_OUTPUT_JSON | jq -r '[ .tags[] | select(contains("f5-gcs-7899"))] | .[0]')
- echo "tag=$tag" >> $GITHUB_OUTPUT
  if: ${{ inputs.authenticated && steps.build-push.conclusion == 'success' }}
 
  - name: Run Trivy vulnerability scanner
  uses: aquasecurity/trivy-action@595be6a0f6560a0a8fc419ddf630567fc623531d # 0.22.0
  continue-on-error: true
  with:
- image-ref: ${{ steps.scan-tag.outputs.tag }}
+ image-ref: ${{ steps.meta.outputs.tags }}
  format: "sarif"
  output: "${{ inputs.image }}-results/trivy.sarif"
  ignore-unfixed: "true"
@@ -230,7 +234,7 @@ jobs:
  continue-on-error: true
  with:
  command: cves,recommendations
- image: ${{ steps.scan-tag.outputs.tag }}
+ image: ${{ steps.meta.outputs.tags }}
  ignore-base: true
  only-fixed: true
  sarif-file: "${{ inputs.image }}-results/scout.sarif"