mirror of
https://github.com/docker/docker-bench-security.git
synced 2024-11-01 00:21:45 +01:00
update SLSA action
Signed-off-by: Thomas Sjögren <konstruktoid@users.noreply.github.com>
This commit is contained in:
parent
5d5ca0a3da
commit
12f085d42f
1 changed files with 11 additions and 6 deletions
17
.github/workflows/slsa.yml
vendored
17
.github/workflows/slsa.yml
vendored
|
@ -16,11 +16,16 @@ jobs:
|
|||
hashes: ${{ steps.hash.outputs.hashes }}
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Harden Runner
|
||||
uses: step-security/harden-runner@63c24ba6bd7ba022e95695ff85de572c04a18142 # v2.7.0
|
||||
with:
|
||||
egress-policy: audit
|
||||
|
||||
- run: echo "REPOSITORY_NAME=$(echo '${{ github.repository }}' | awk -F '/' '{print $2}')" >> $GITHUB_ENV
|
||||
shell: bash
|
||||
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@27135e314dd1818f797af1db9dae03a9f045786b # master
|
||||
uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
|
||||
|
||||
- name: Build artifacts
|
||||
run: |
|
||||
|
@ -33,7 +38,7 @@ jobs:
|
|||
echo "hashes=$(sha256sum ${{ env.REPOSITORY_NAME }}.sha256 | base64 -w0)" >> "$GITHUB_OUTPUT"
|
||||
|
||||
- name: Upload ${{ env.REPOSITORY_NAME }}.sha256
|
||||
uses: actions/upload-artifact@0b7f8abb1508181956e8e162db84b466c27e18ce # v3.1.2
|
||||
uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4.3.1
|
||||
with:
|
||||
name: ${{ env.REPOSITORY_NAME }}.sha256
|
||||
path: ${{ env.REPOSITORY_NAME }}.sha256
|
||||
|
@ -46,17 +51,17 @@ jobs:
|
|||
actions: read
|
||||
id-token: write
|
||||
contents: write
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.5.0
|
||||
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.10.0
|
||||
with:
|
||||
base64-subjects: "${{ needs.build.outputs.hashes }}"
|
||||
upload-assets: ${{ startsWith(github.ref, 'refs/tags/') }}
|
||||
|
||||
release:
|
||||
needs: [build, provenance]
|
||||
permissions:
|
||||
actions: read
|
||||
id-token: write
|
||||
contents: write
|
||||
needs: [build, provenance]
|
||||
runs-on: ubuntu-latest
|
||||
if: startsWith(github.ref, 'refs/tags/')
|
||||
steps:
|
||||
|
@ -64,12 +69,12 @@ jobs:
|
|||
shell: bash
|
||||
|
||||
- name: Download ${{ env.REPOSITORY_NAME }}.sha256
|
||||
uses: actions/download-artifact@cbed621e49e4c01b044d60f6c80ea4ed6328b281 # v2.1.1
|
||||
uses: actions/download-artifact@c850b930e6ba138125429b7e5c93fc707a7f8427 # v4.1.4
|
||||
with:
|
||||
name: ${{ env.REPOSITORY_NAME }}.sha256
|
||||
|
||||
- name: Upload asset
|
||||
uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
|
||||
uses: softprops/action-gh-release@9d7c94cfd0a1f3ed45544c887983e9fa900f0564 # v2.0.4
|
||||
with:
|
||||
files: |
|
||||
${{ env.REPOSITORY_NAME }}.sha256
|
||||
|
|
Loading…
Reference in a new issue