build-and-scan.yaml

name: build-and-scan

on:
  workflow_dispatch:
  push:

env:
  REGISTRY_USER: aborys
  IMAGE_REGISTRY: docker.io
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  build:
    strategy:
      matrix:
        flavor: [rocky, rocky-minimal]
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Build ${{ matrix.flavor }} image
        id: build-image
        uses: redhat-actions/buildah-build@v2
        with:
          image: podman-builder
          tags: latest-${{ matrix.flavor }} ${{ github.sha }}-${{ matrix.flavor }} ${{ startsWith(github.ref, 'refs/tags') && format('{0}-{1}', github.ref_name, matrix.flavor) || '' }}
          containerfiles: |
            ./Containerfile.${{ matrix.flavor }}
          platforms: linux/amd64, linux/arm64

      - name: Create SBOM
        uses: anchore/sbom-action@v0
        with:
          image: podman-builder:latest-${{ matrix.flavor }}
          format: spdx-json
          output-file: "${{ github.event.repository.name }}-sbom.spdx.json"

      - name: Scan SBOM
        uses: anchore/scan-action@v3
        with:
          sbom: "${{ github.event.repository.name }}-sbom.spdx.json"