-
Notifications
You must be signed in to change notification settings - Fork 8
/
action.yaml
63 lines (60 loc) · 2.43 KB
/
action.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
name: "Copacetic Action"
description: "Patch Vulnerable Images"
branding:
icon: "package"
color: "blue"
inputs:
image:
description: 'The image reference to patch'
required: true
image-report:
description: 'The trivy json report of the image to patch'
required: true
patched-tag:
description: 'The new patched image tag'
required: true
timeout:
description: 'The timeout for the copa action'
default: '5m'
buildkit-version:
description: "Buildkit version to use with Copa"
copa-version:
description: "Copa version to use"
output:
description: "Output filename"
format:
description: "Output format"
default: "openvex"
custom-socket:
description: "Custom socket address if setting up containerd image store"
outputs:
patched-image:
description: 'Image reference of patched image'
value: ${{ steps.copa-action.outputs.patched-image }}
runs:
using: "composite"
steps:
- name: Docker run copa-action
id: copa-action
shell: bash
run : |
# check for copa version input, else use latest
if [ -z "${{ inputs.copa-version }}" ]; then
latest_tag=$(curl --retry 5 -s "https://api.github.com/repos/project-copacetic/copacetic/releases/latest" | jq -r '.tag_name')
version=${latest_tag:1}
else
version="${{ inputs.copa-version }}"
fi
# default docker socket and connection type
socket="/var/run/docker.sock"
connection="buildx"
# check for other methods of connection
if [ ! -z "${{ inputs.custom-socket }}" ]; then
socket="${{ inputs.custom-socket }}"
connection="custom-socket"
elif [ ! -z "${{ inputs.buildkit-version }}" ]; then
docker run --net=host --detach --rm --privileged -p 127.0.0.1:8888:8888 --name buildkitd --entrypoint buildkitd moby/buildkit:${{ inputs.buildkit-version }} --addr tcp://0.0.0.0:8888
connection="buildkit-container"
fi
# run copa-action based on inputs
docker run --net=host --mount=type=bind,source=$(pwd),target=/data --mount=type=bind,source="$socket",target="/var/run/docker.sock" --mount=type=bind,source=$GITHUB_OUTPUT,target=$GITHUB_OUTPUT -e GITHUB_OUTPUT --name=copa-action "ghcr.io/project-copacetic/copa-action:v$version" ${{ inputs.image }} ${{ inputs.image-report }} ${{ inputs.patched-tag }} ${{ inputs.timeout }} ${connection} ${{ inputs.format }} ${{ inputs.output }}