GitHub actions test #8

	name: build-and-scan

	on:
	workflow_dispatch:
	push:

	env:
	REGISTRY_USER: aborys
	IMAGE_REGISTRY: docker.io
	# A workflow run is made up of one or more jobs that can run sequentially or in parallel
	jobs:
	build:
	strategy:
	matrix:
	flavor: [rocky, rocky-minimal]
	# The type of runner that the job will run on
	runs-on: ubuntu-latest

	# Steps represent a sequence of tasks that will be executed as part of the job
	steps:
	# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
	- name: Checkout repository
	uses: actions/checkout@v4

	- name: Set up QEMU
	uses: docker/setup-qemu-action@v3

	- name: Build ${{ matrix.flavor }} image
	id: build-image
	uses: redhat-actions/buildah-build@v2
	with:
	image: podman-builder
	tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) \|\| '' }}
	containerfiles: \|
	./Containerfile.${{ matrix.flavor }}
	platforms: linux/amd64, linux/arm64

	- name: Save image to file
	run: podman save podman-builder:latest-${{ matrix.flavor }} -o ./image

	- name: Create SBOM
	uses: anchore/sbom-action@v0
	with:
	file: ./image
	format: spdx-json
	output-file: "${{ github.event.repository.name }}-sbom.spdx.json"

	- name: Scan SBOM
	id: scan
	uses: anchore/scan-action@v3
	with:
	sbom: "${{ github.event.repository.name }}-sbom.spdx.json"
	fail-build: false

	- name: upload Anchore scan SARIF report
	uses: github/codeql-action/upload-sarif@v2
	with:
	sarif_file: ${{ steps.scan.outputs.sarif }}

Provide feedback