ossf/scorecard
1
1
Fork 0
mirror of https://github.com/ossf/scorecard.git synced 2024-09-11 08:55:27 +03:00
Code Issues Actions 6 Packages Projects Releases Wiki Activity

🌱 Use a matrix for docker image building (#3290)

Browse Source 
* working matrix.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* Remove unneeded env vars. Add comments.

Signed-off-by: Spencer Schrock <sschrock@google.com>

* minor syntax change.

Signed-off-by: Spencer Schrock <sschrock@google.com>

---------

Signed-off-by: Spencer Schrock <sschrock@google.com>
This commit is contained in:
Spencer Schrock 2023-07-20 19:03:18 -07:00 committed by GitHub
parent 13dd3063e1
commit be7c032020
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 17 additions and 223 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

240
.github/workflows/docker.yml vendored
View File

@ -23,9 +23,7 @@ on:
- main
env:
PROTOC_VERSION: 3.17.3
GO_VERSION_FILE: go.mod # no good way of getting a mutual version between go.mod and tools/go.mod
CACHE_DEPENDENCY_PATH: "**/go.sum" # include both go.sum and tools/go.sum
jobs:
docs_only_check:
@ -50,240 +48,36 @@ jobs:
name: Check for docs-only changes
run: echo "docs_only=true" >> $GITHUB_OUTPUT
scorecard:
name: scorecard-docker
docker_matrix:
strategy:
matrix:
target:
- 'scorecard-docker'
- 'cron-controller-docker'
- 'cron-worker-docker'
- 'cron-cii-worker-docker'
- 'cron-bq-transfer-docker'
- 'cron-webhook-docker'
- 'cron-github-server-docker'
- 'build-attestor-docker'
name: ${{ matrix.target }}
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
needs: docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
- name: Setup Go # needed for some of the Makefile evaluations, even if building happens in Docker
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
cache: false # the building happens in Docker, so saving this cache would negatively impact other builds
- name: docker build
run: make scorecard-docker
cron-controller:
name: cron-controller-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
- name: docker build
run: make cron-controller-docker
cron-worker:
name: cron-worker-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
- name: docker build
run: make cron-worker-docker
cron-cii-worker:
name: cron-cii--worker-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
- name: docker build
run: make cron-cii-worker-docker
cron-bq-transfer:
name: cron-bq-transfer-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
- name: docker build
run: make cron-bq-transfer-docker
cron-webhook:
name: cron-webhook-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
cache-dependency-path: ${{ env.CACHE_DEPENDENCY_PATH }}
- name: docker build
run: make cron-webhook-docker
cron-github-server:
name: cron-github-server-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
- name: docker build
run: make cron-github-server-docker
attestor:
name: attestor-docker
runs-on: ubuntu-latest
permissions:
contents: read
needs:
- docs_only_check
if: (needs.docs_only_check.outputs.docs_only != 'true')
steps:
- name: Harden Runner
uses: step-security/harden-runner@55d479fb1c5bcad5a4f9099a5d9f37c8857b2845 # v2.4.1
with:
egress-policy: audit # TODO: change to 'egress-policy: block' after couple of runs
- name: Install Protoc
uses: arduino/setup-protoc@149f6c87b92550901b26acd1632e11c3662e381f # v1.3.0
with:
version: ${{ env.PROTOC_VERSION }}
repo-token: ${{ secrets.GITHUB_TOKEN }}
- name: Clone the code
uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3
- name: Setup Go
uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1
with:
go-version-file: ${{ env.GO_VERSION_FILE }}
check-latest: true
cache: true
- name: docker build
run: make build-attestor-docker
run: make ${{ matrix.target }}