ci: harden build workflow

This commit is contained in:
sebthom 2026-03-24 20:18:14 +01:00
parent efbf928920
commit 4ba8a959a0


@ -46,6 +46,10 @@ env:
TRIVY_CACHE_DIR: ~/.trivy/cache TRIVY_CACHE_DIR: ~/.trivy/cache
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs: jobs:
########################################################### ###########################################################
@ -58,6 +62,12 @@ jobs:
packages: write packages: write
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: "Show: GitHub context" - name: "Show: GitHub context"
env: env:
GITHUB_CONTEXT: ${{ toJSON(github) }} GITHUB_CONTEXT: ${{ toJSON(github) }}
@ -69,11 +79,11 @@ jobs:
- name: Git Checkout - name: Git Checkout
uses: actions/checkout@v6 # https://github.com/actions/checkout uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
- name: Run the sh-checker - name: Run the sh-checker
uses: luizm/action-sh-checker@master # https://github.com/marketplace/actions/sh-checker uses: luizm/action-sh-checker@883217215b11c1fabbf00eb1a9a041f62d74c744 # master
env: env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHFMT_OPTS: --simplify --keep-padding SHFMT_OPTS: --simplify --keep-padding
@ -84,13 +94,13 @@ jobs:
- name: Check Dockerfile - name: Check Dockerfile
uses: hadolint/hadolint-action@v3.3.0 uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
with: with:
dockerfile: image/Dockerfile dockerfile: image/Dockerfile
- name: Cache trivy cache - name: Cache trivy cache
uses: actions/cache@v5 uses: actions/cache@668228422ae6a00e4ad889ee87cd7109ec5666a7 # v5.0.4
with: with:
path: ${{ env.TRIVY_CACHE_DIR }} path: ${{ env.TRIVY_CACHE_DIR }}
# https://github.com/actions/cache/issues/342#issuecomment-673371329 # https://github.com/actions/cache/issues/342#issuecomment-673371329
@ -100,7 +110,7 @@ jobs:
- name: Configure fast APT repository mirror - name: Configure fast APT repository mirror
uses: vegardit/fast-apt-mirror.sh@v1 uses: vegardit/fast-apt-mirror.sh@29a5ef3401107220fc3c32a0c659b6a1211f9e0f # v1
- name: Install dos2unix - name: Install dos2unix
@ -123,7 +133,7 @@ jobs:
- name: Login to docker.io - name: Login to docker.io
if: ${{ env.DOCKER_PUSH }} if: ${{ env.DOCKER_PUSH }}
uses: docker/login-action@v4 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
username: ${{ secrets.DOCKER_HUB_USERNAME }} username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_TOKEN }} password: ${{ secrets.DOCKER_HUB_TOKEN }}
@ -131,7 +141,7 @@ jobs:
- name: Login to ghcr.io - name: Login to ghcr.io
if: ${{ env.DOCKER_PUSH_GHCR }} if: ${{ env.DOCKER_PUSH_GHCR }}
uses: docker/login-action@v4 uses: docker/login-action@b45d80f862d83dbcd57f89517bcf500b2ab88fb2 # v4.0.0
with: with:
registry: ghcr.io registry: ghcr.io
username: ${{ github.actor }} username: ${{ github.actor }}
@ -164,8 +174,13 @@ jobs:
packages: write packages: write
steps: steps:
- name: Harden the runner (Audit all outbound calls)
uses: step-security/harden-runner@fa2e9d605c4eeb9fcad4c99c224cee0c6c7f3594 # v2.16.0
with:
egress-policy: audit
- name: Delete untagged images - name: Delete untagged images
uses: dataaxiom/ghcr-cleanup-action@v1 uses: dataaxiom/ghcr-cleanup-action@cd0cdb900b5dbf3a6f2cc869f0dbb0b8211f50c4 # v1.0.16
with: with:
package: ${{ env.DOCKER_REPO_NAME }} package: ${{ env.DOCKER_REPO_NAME }}
delete-untagged: true delete-untagged: true
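Review bot: Both new harden-runner steps (in the `build` job and in `delete-untagged-images`) use `egress-policy: audit`, which only logs outbound connections and blocks nothing, so by itself it does not stop a compromised third-party action or build step from exfiltrating the `DOCKER_HUB_TOKEN` or the `GITHUB_TOKEN` these jobs hold. Audit mode is a sensible first step for collecting a baseline, but the follow-up should be recorded in the workflow, e.g. a comment above each step: `# TODO: switch to egress-policy: block with an allowed-endpoints list once the audit runs confirm the endpoints actually needed`. Separately, `luizm/action-sh-checker` is now pinned to a SHA annotated `# master`; the hash gives integrity, but it is the head of a moving branch rather than a tagged release, so the comment names nothing reviewable and version-bump tooling will track arbitrary master commits — prefer the SHA of a release tag if the action publishes one. The `build` job's definition (including its full `permissions:` block) extends outside the shown hunks.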