diff --git a/.github/workflows/clean-branch-cache.yml b/.github/workflows/clean-branch-cache.yml
index 0d8b3a0..b36af0c 100644
--- a/.github/workflows/clean-branch-cache.yml
+++ b/.github/workflows/clean-branch-cache.yml
@@ -32,10 +32,10 @@ jobs:
 ## Setting this to not fail the workflow while deleting cache keys.
 set +e
 echo "Deleting caches..."
- for cacheKey in $cacheKeysForPR
- do
+ while IFS= read -r cacheKey; do
+ [ -z "$cacheKey" ] && continue
 gh cache delete "$cacheKey"
- done
+ done <<< "$cacheKeysForPR"
 echo "Done"
 env:
 GH_TOKEN: ${{ github.token }}
diff --git a/.github/workflows/docker-build-and-push.yml b/.github/workflows/docker-build-and-push.yml
index dff3b70..9cacf45 100644
--- a/.github/workflows/docker-build-and-push.yml
+++ b/.github/workflows/docker-build-and-push.yml
@@ -140,7 +140,7 @@ jobs:
 - name: Build and push
 id: build
 if: inputs.push
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 annotations: ${{ steps.metadata.outputs.annotations }}
 cache-from: type=gha
@@ -155,7 +155,7 @@ jobs:
 - name: Build push locally
 id: build-local
 if: ${{ !inputs.push }}
- uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0
+ uses: docker/build-push-action@10e90e3645eae34f1e60eeb005ba3a3d33f178e8 # v6.19.2
 with:
 cache-from: type=gha
 cache-to: type=gha,mode=max
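Review bot: The new loop passes each key to `gh cache delete "$cacheKey"` as a bare positional argument, and cache keys are free-form strings chosen in workflow files, so a key beginning with `-` would be parsed as a flag rather than a key; use `gh cache delete -- "$cacheKey"`. With `set +e` in force, a deletion that fails (expired key, missing permission, rate limit) is also dropped without a trace, so the "Done" line says nothing about what was actually removed — a per-key report such as `gh cache delete -- "$cacheKey" || echo "warning: could not delete cache '$cacheKey'"` keeps the non-fatal behavior while leaving evidence in the log. The `$cacheKeysForPR` list is populated above the hunk, so I could not confirm how it is produced.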
@@ -173,10 +173,12 @@ jobs:
 IMAGE_REF: ${{ inputs.push && format('{0}/{1}@{2}', inputs.registry, inputs.image, steps.build.outputs.digest) || '' }}
 LOCAL_IMAGE_REF: ${{ !inputs.push && format('localimage:{0}', github.sha) || '' }}
 run: |
- echo "image_name=${IMAGE_NAME}" >> "${GITHUB_OUTPUT}"
- echo "image_digest=${IMAGE_DIGEST}" >> "${GITHUB_OUTPUT}"
- echo "image_ref=${IMAGE_REF}" >> "${GITHUB_OUTPUT}"
- echo "local_image_ref=${LOCAL_IMAGE_REF}" >> "${GITHUB_OUTPUT}"
+ {
+ echo "image_name=${IMAGE_NAME}"
+ echo "image_digest=${IMAGE_DIGEST}"
+ echo "image_ref=${IMAGE_REF}"
+ echo "local_image_ref=${LOCAL_IMAGE_REF}"
+ } >> "${GITHUB_OUTPUT}"
 - name: Generate artifact attestation
 if: inputs.push
 uses: actions/attest-build-provenance@96278af6caaf10aea03fd8d33a09a777ca52d62f # v3.2.0
@@ -186,7 +188,7 @@ jobs:
 push-to-registry: true
 create-storage-record: ${{ startsWith(inputs.registry, 'ghcr.io') }}
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 if: inputs.scan-image
 with:
 format: sarif
@@ -197,7 +199,7 @@ jobs:
 output: ${{ inputs.working-directory }}/trivy_results.sarif
 github-pat: ${{ secrets.GITHUB_TOKEN }}
 - name: Generate SBOM
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 if: inputs.push
 with:
 format: spdx-json
diff --git a/.github/workflows/terraform-ci.yml b/.github/workflows/terraform-ci.yml
index 5cbb4c7..0d2b13f 100644
--- a/.github/workflows/terraform-ci.yml
+++ b/.github/workflows/terraform-ci.yml
@@ -101,7 +101,7 @@ jobs:
 filter_mode: nofilter
 
 - name: Run Trivy Scan
- uses: aquasecurity/trivy-action@b6643a29fecd7f34b3597bc6acb0a98b03d33ff8 # v0.33.1
+ uses: aquasecurity/trivy-action@c1824fd6edce30d7ab345a9989de00bbd46ef284 # v0.34.0
 with:
 hide-progress: true
 format: sarif
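Review bot: The grouped `echo` lines still write each value as a single `key=value` record into `$GITHUB_OUTPUT`, so a value containing a newline would terminate its record and have the remainder parsed as additional step outputs; `IMAGE_REF` is built from `inputs.registry` and `inputs.image`, which are caller-supplied and not validated anywhere in the hunk. Putting the values in `env:` rather than interpolating `${{ }}` into the script is the right move, but it does not close that path; a one-line guard before the block, `case "${IMAGE_NAME}${IMAGE_REF}" in *$'\n'*) echo "::error::newline in image reference"; exit 1 ;; esac`, would reject it explicitly. The step's `env:` block, including where `IMAGE_NAME` and `IMAGE_DIGEST` are set, begins above the hunk, so I cannot tell whether they are derived from the same inputs.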
@@ -175,9 +175,11 @@ jobs: id: plan run: | terraform plan -no-color -input=false | tee plan.txt - echo "plan<> $GITHUB_OUTPUT - cat plan.txt >> $GITHUB_OUTPUT - echo "EOF" >> $GITHUB_OUTPUT + { + echo "plan<> "$GITHUB_OUTPUT" continue-on-error: true - uses: actions/github-script@ed597411d8f924073f98dfc5c65a23a2325f34cd # v8.0.0 if: github.event_name == 'pull_request'
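Review bot: The new heredoc written to `$GITHUB_OUTPUT` appears to keep the fixed `EOF` delimiter that the removed lines used (the text is garbled in this rendering of the diff — `plan<>` looks like `plan<<EOF` lost to HTML — so please confirm), and `plan.txt` is `terraform plan` output that can contain PR-controlled strings such as resource names and variable values; a line equal to `EOF` inside it would close the heredoc early and let the rest of the plan be parsed as further outputs. Use a per-run delimiter instead: `delimiter="$(openssl rand -hex 16)"`, `echo "plan<<${delimiter}"`, and `echo "${delimiter}"` in place of the fixed strings. Separately, unless this step sets `shell: bash` (which adds `-o pipefail`), the pipe through `tee plan.txt` reports tee's status, so a failing plan still looks successful to whatever reads `steps.plan.outcome`. The `github-script` step that consumes this output continues past the end of the hunk.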