From 989b9b396cfb31056f0f275c859fad17e932cb89 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 7 Dec 2025 12:34:38 +0100 Subject: [PATCH 01/11] Cosmetic changes --- .markdownlint.yml | 2 +- .yamllint.yaml | 2 -- README.md | 12 ++++++------ 3 files changed, 7 insertions(+), 9 deletions(-) diff --git a/.markdownlint.yml b/.markdownlint.yml index 4572cb2..ee5665e 100644 --- a/.markdownlint.yml +++ b/.markdownlint.yml @@ -1,4 +1,4 @@ # ref. https://github.com/DavidAnson/markdownlint default: true -MD013: # Line length +MD013: line_length: 240 diff --git a/.yamllint.yaml b/.yamllint.yaml index 26e0a4e..cb9ccf3 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -1,7 +1,5 @@ # ref. https://yamllint.readthedocs.io/en/stable/configuration.html - extends: default - rules: document-start: disable line-length: diff --git a/README.md b/README.md index 1923984..009280d 100644 --- a/README.md +++ b/README.md 
@@ -4,9 +4,9 @@ Repository of workflow parts to be used in GitHub Actions. ## Actions -Name | Detail --------------------------------------------------------------- | --------------------------------------------------------------------------- -[Docker > Build & Push](docker/build-push/action.yml) | Build a new container image with Docker and push it to a container registry -[Docker > Build & Scan](docker/build-scan/action.yml) | Build a new container image with Docker and scan it -[.NET > Build, lint & test](dotnet/build-lint-test/action.yml) | Build .NET code, lint it and run tests -[MongoDB > Start](mongodb/start/action.yml) | Start a local MongoDB database +Technology | Role | Action | Detail +-----------|----------|---------------------------------------------------------|---------------------------------------------------------------------------- +Docker | CD | [Build & Push](docker/build-push/action.yml) | Build a new container image with Docker, and push it to a container registry +Docker | CI | [Build & Scan](docker/build-scan/action.yml) | Build a new container image with Docker, and scan it +.NET | CI | [Build, lint & test](dotnet/build-lint-test/action.yml) | Build .NET code, check the code with linter and Sonar, and run tests +MongoDB | Services | [Start](mongodb/start/action.yml) | Start a local MongoDB database From ce587cfb05ad30fa8bb2e2486b6116c4432d53c6 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Tue, 27 Jan 2026 14:02:52 +0100 Subject: [PATCH 02/11] Add container build arguments --- docker/build-push/action.yml | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index 57bf33c..0af3077 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml 
@@ -5,11 +5,11 @@ inputs: container_registry: description: Container registry required: true - container_username: - description: Container username + container_registry_username: + description: Container registry username required: true - container_password: - description: Container password + container_registry_password: + description: Container registry password required: true docker_file: description: Path to the Dockerfile @@ -27,6 +27,10 @@ inputs: description: Create latest tag? required: false default: 'false' + build_arguments: + description: Container build arguments + required: false + default: '' runs: using: "composite" @@ -35,10 +39,10 @@ runs: uses: docker/login-action@v3 with: registry: ${{ inputs.container_registry }} - username: ${{ inputs.container_username }} - password: ${{ inputs.container_password }} + username: ${{ inputs.container_registry_username }} + password: ${{ inputs.container_registry_password }} - name: Build container image - run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} + run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}}${{inputs.build_arguments}} shell: bash - name: Push image to container registry run: docker push ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} From 227a97bc77887cfbb9af34f56f35d306ed0a5c7f Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Thu, 29 Jan 2026 00:29:17 +0100 Subject: [PATCH 03/11] Add mongodb-atlas/add-runner-ip/action.yml --- mongodb-atlas/add-runner-ip/action.yml | 56 ++++++++++++++++++++++++++ 1 file changed, 56 insertions(+) create mode 100644 mongodb-atlas/add-runner-ip/action.yml diff --git a/mongodb-atlas/add-runner-ip/action.yml b/mongodb-atlas/add-runner-ip/action.yml new file mode 100644 index 0000000..9886b15 --- /dev/null +++ b/mongodb-atlas/add-runner-ip/action.yml 
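Review bot: In the `Build container image` step, `${{inputs.build_arguments}}` is appended directly to the tag with no separator, so a value such as `--build-arg FOO=bar` becomes part of the `--tag` argument rather than a separate option; at minimum the run line needs a space before the expression. A cleaner fix is to pass the value through `env:` and reference it as a shell variable, which also keeps caller-supplied text out of the interpreted script: add `BUILD_ARGUMENTS: ${{ inputs.build_arguments }}` under an `env:` block on the step and end the run line with `... :${{ inputs.image_tag }} $BUILD_ARGUMENTS`. The renamed inputs in the first hunk (`container_username` to `container_registry_username`, likewise for the password) break existing callers of this composite action and deserve a mention in the README or a changelog.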
@@ -0,0 +1,56 @@ +name: Add GitHub Actions runner public IP to MongoDB Atlas +description: Update project IP access list (temporary) + +inputs: + atlas_publickey: + description: MongoDB public key + required: true + atlas_privatekey: + description: MongoDB private key + required: true + atlas_groupid: + description: MongoDB group ID + required: true + github_runid: + description: GitHub run ID + required: true + +runs: + using: "composite" + steps: + - name: Add runner IP to MongoDB Atlas + shell: bash + run: | + # gets current outbound IP of this runner + RUNNER_IP=$(curl -s https://api.ipify.org || curl -s https://ifconfig.me) + if [ -z "$RUNNER_IP" ]; then + echo "Failed to detect runner IP" + exit 1 + fi + + echo "Detected runner IP: $RUNNER_IP" + + # prepares JSON payload (single /32 entry, temporary delete after 1 hour) + # uses ISO 8601 UTC for deleteAfterDate (current time + 3600s) + DELETE_AFTER=$(date -u -d '+3600 seconds' +"%Y-%m-%dT%H:%M:%SZ") + PAYLOAD="[{\"ipAddress\": \"$RUNNER_IP\", \"comment\": \"GH Actions temp - run ${{ github.run_id }}\", \"deleteAfterDate\": \"$DELETE_AFTER\"}]" + + # calls Atlas API v2 to add the entry (uses digest Auth via curl) + RESPONSE=$(curl -s -w "%{http_code}" --user "${{inputs.atlas_publickey}}:${{inputs.atlas_privatekey}}" --digest \ + -H "Accept: application/vnd.atlas.2023-01-01+json" \ + -H "Content-Type: application/json" \ + --data "$PAYLOAD" \ + "https://cloud.mongodb.com/api/atlas/v2/groups/${{inputs.atlas_groupid}}/accessList") + + HTTP_CODE=${RESPONSE: -3} + BODY=${RESPONSE%???} + + echo "API response code: $HTTP_CODE" + echo "API response body: $BODY" + + if [[ "$HTTP_CODE" != "201" ]]; then + echo "Failed to add IP to Atlas access list (code $HTTP_CODE)" + exit 1 + fi + + echo "Successfully added temporary IP $RUNNER_IP to Atlas access list (auto-deletes ~1h)" From 701b7cc04608657a2f2d0d87a4c20f7c54c8f8a7 Mon Sep 17 00:00:00 2001 
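Review bot: The lookup `RUNNER_IP=$(curl -s https://api.ipify.org || curl -s https://ifconfig.me)` only falls back when curl itself fails; an HTTP error page is a successful transfer, so a non-IP body passes the `-z` test and is sent on to Atlas, where it is rejected downstream with a less useful message. Use `curl -fsS` for both lookups and validate the result before building the payload, e.g. `[[ "$RUNNER_IP" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]] || { echo "Unexpected IP value: $RUNNER_IP"; exit 1; }`. The Atlas key pair is spliced into the script text via `${{inputs.atlas_publickey}}`/`${{inputs.atlas_privatekey}}`; passing them through `env:` and expanding `"$ATLAS_PUBLICKEY:$ATLAS_PRIVATEKEY"` keeps them out of the rendered script, and the payload should either use the declared `github_runid` input (currently unused) or that input should be dropped. The entry is removed only by `deleteAfterDate` an hour later, so a job that runs longer loses access mid-run and a short one leaves the window open after it finishes; a paired removal step run with `if: always()` would tighten that.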
From: Bertrand THOMAS Date: Thu, 29 Jan 2026 00:36:33 +0100 Subject: [PATCH 04/11] Remove logs --- mongodb-atlas/add-runner-ip/action.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/mongodb-atlas/add-runner-ip/action.yml b/mongodb-atlas/add-runner-ip/action.yml index 9886b15..4b2e238 100644 --- a/mongodb-atlas/add-runner-ip/action.yml +++ b/mongodb-atlas/add-runner-ip/action.yml @@ -43,10 +43,6 @@ runs: "https://cloud.mongodb.com/api/atlas/v2/groups/${{inputs.atlas_groupid}}/accessList") HTTP_CODE=${RESPONSE: -3} - BODY=${RESPONSE%???} - - echo "API response code: $HTTP_CODE" - echo "API response body: $BODY" if [[ "$HTTP_CODE" != "201" ]]; then echo "Failed to add IP to Atlas access list (code $HTTP_CODE)" From 71735bbe3d7e6e3c9f2a5dd2cb87ab07974812c7 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 15:11:20 +0100 Subject: [PATCH 05/11] Add cosign, fossa and syft --- docker/build-push/action.yml | 22 +++++++++--- docker/build-scan/action.yml | 7 ++++ dotnet/build-lint-test/action.yml | 58 ++++++++++++++++++++++++------- 3 files changed, 71 insertions(+), 16 deletions(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index 0af3077..ec84579 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml 
@@ -42,14 +42,28 @@ runs: username: ${{ inputs.container_registry_username }} password: ${{ inputs.container_registry_password }} - name: Build container image - run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}}${{inputs.build_arguments}} + run: docker build . --file ${{ inputs.docker_file }} --tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }}${{ inputs.build_arguments }} + shell: bash + - name: Install Cosign + uses: sigstore/cosign-installer@v4 + with: + cosign-release: 'v3.0.3' + - name: Sign image with Cosign + run: cosign sign --yes ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} shell: bash - name: Push image to container registry - run: docker push ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} + run: docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} shell: bash - name: Push latest tag to container registry if: ${{ inputs.create_latest == 'true' }} run: | - docker tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} ${{inputs.image_path}}/${{inputs.image_name}}:latest - docker push ${{inputs.image_path}}/${{inputs.image_name}}:latest + docker tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} ${{ inputs.image_path }}/${{ inputs.image_name }}:latest + docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:latest shell: bash + - name: Generate SBOM with Syft + uses: anchore/sbom-action@v0 + with: + path: ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} + # format: spdx-json # Or cyclonedx-json + # output-file: sbom.json + # upload-artifact: true # Auto-upload to workflow artifacts diff --git a/docker/build-scan/action.yml b/docker/build-scan/action.yml index fbc1a5d..abfb68c 100644 --- a/docker/build-scan/action.yml +++ b/docker/build-scan/action.yml 
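Review bot: `sigstore/cosign-installer@v4` and `anchore/sbom-action@v0` are referenced by mutable tags, so the code that signs and inventories the image can change under this action with no diff here; for steps that produce supply-chain evidence, pin to a full commit SHA and keep the version as a trailing comment, e.g. `uses: sigstore/cosign-installer@<commit-sha>  # v4.x`. The same applies to the build-scan hunk and to `fossas/fossa-action@v1` / `anchore/sbom-action@v0` in the dotnet hunk. `cosign-release: 'v3.0.3'` fixes only the binary version, not the installer code that downloads and checks it, so the installer reference is the one that needs pinning. In this hunk `Sign image with Cosign` runs before the push and `anchore/sbom-action` receives an image reference through `path:`, which is a filesystem input; both are reworked in later commits of this series.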
@@ -37,6 +37,13 @@ runs: - name: Build container image run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} shell: bash + - name: Install Cosign + uses: sigstore/cosign-installer@v4 + with: + cosign-release: 'v3.0.3' + - name: Sign image with Cosign + run: cosign sign --yes ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} + shell: bash - name: Scan container image with NeuVector if: ${{ inputs.neuvector_enabled == 'true' }} uses: neuvector/scan-action@main diff --git a/dotnet/build-lint-test/action.yml b/dotnet/build-lint-test/action.yml index 995974e..2fe7b85 100644 --- a/dotnet/build-lint-test/action.yml +++ b/dotnet/build-lint-test/action.yml @@ -5,35 +5,43 @@ inputs: dotnet_version: description: .NET SDK version to be used required: false - default: '10.0.x' + default: "10.0.x" sonar_enabled: description: Enable code scan by Sonar required: false - default: 'false' + default: "false" sonar_organization: description: Sonar organization required: false - default: '' + default: "" sonar_host_url: description: Sonar host URL required: false - default: '' + default: "" sonar_project_name: description: Sonar project name required: false - default: '' + default: "" sonar_project_key: description: Sonar project key required: false - default: '' + default: "" sonar_token: description: Sonar token for login required: false - default: '' + default: "" report_folder: description: Folder where report files will be generated required: false default: report + fossa_enabled: + description: Enable license compliance with FOSSA + required: false + default: "false" + fossa_api_key: + description: FOSSA API KEY + required: false + default: "" runs: using: "composite" 
@@ -41,13 +49,13 @@ runs: - name: Install .NET uses: actions/setup-dotnet@v4 with: - dotnet-version: ${{inputs.dotnet_version}} + dotnet-version: ${{ inputs.dotnet_version }} - name: Set up JDK for Sonar if: ${{ inputs.sonar_enabled == 'true' }} uses: actions/setup-java@v4 with: java-version: 21 - distribution: 'zulu' + distribution: "zulu" - name: Install .NET linters if: ${{ inputs.dotnet_version == '7.0.x' }} run: dotnet tool install -g dotnet-format --version "7.*" --add-source https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet7/nuget/v3/index.json 
@@ -86,24 +94,50 @@ runs: shell: bash - name: Start code analysis if: ${{ inputs.sonar_enabled == 'true' }} - run: ./.sonar/scanner/dotnet-sonarscanner begin /k:"${{inputs.sonar_project_key}}" /o:"${{inputs.sonar_organization}}" /n:"${{inputs.sonar_project_name}}" /d:sonar.token="${{inputs.sonar_token}}" /d:sonar.host.url="${{inputs.sonar_host_url}}" /d:sonar.cpd.exclusions="**/*Generated*.cs,${{inputs.report_folder}}/**" /d:sonar.exclusions="${{inputs.report_folder}}/**/*" /d:sonar.coverageReportPaths="${{inputs.report_folder}}/SonarQube.xml" + run: | + ./.sonar/scanner/dotnet-sonarscanner begin /k:"${{ inputs.sonar_project_key }}" /o:"${{ inputs.sonar_organization }}" \ + /n:"${{ inputs.sonar_project_name }}" /d:sonar.token="${{ inputs.sonar_token}}" /d:sonar.host.url="${{inputs.sonar_host_url}}" \ + /d:sonar.cpd.exclusions="**/*Generated*.cs,${{ inputs.report_folder }}/**" /d:sonar.exclusions="${{ inputs.report_folder }}/**/*" \ + /d:sonar.coverageReportPaths="${{ inputs.report_folder }}/SonarQube.xml" shell: bash - name: Build .NET solution run: dotnet build --no-restore shell: bash - name: Run tests - run: dotnet test --no-build --verbosity normal --configuration Debug --logger:"junit;LogFilePath=..\..\artifacts\{assembly}-test-result.xml;MethodFormat=Class;FailureBodyFormat=Verbose" --collect:"XPlat Code Coverage" + run: | + dotnet test --no-build --verbosity normal --configuration Debug \ + --logger:"junit;LogFilePath=..\..\artifacts\{assembly}-test-result.xml;MethodFormat=Class;FailureBodyFormat=Verbose" \ + --collect:"XPlat Code Coverage" shell: bash env: ASPNETCORE_ENVIRONMENT: Development Application__IsHttpsRedirectionEnabled: "false" - name: Generate test report - run: reportgenerator "-reports:./test/*/TestResults/*/coverage.cobertura.xml" "-targetdir:${{inputs.report_folder}}" "-reporttypes:Cobertura;Html;TextSummary;SonarQube" + run: | + reportgenerator "-reports:./test/*/TestResults/*/coverage.cobertura.xml" \ + 
"-targetdir:${{inputs.report_folder}}" \ + "-reporttypes:Cobertura;Html;TextSummary;SonarQube" shell: bash - name: Complete code analysis if: ${{ inputs.sonar_enabled == 'true' }} run: ./.sonar/scanner/dotnet-sonarscanner end /d:sonar.token="${{inputs.sonar_token}}" shell: bash + + - name: License Compliance with FOSSA + if: ${{ inputs.fossa_enabled == 'true' }} + uses: fossas/fossa-action@v1 + with: + api-key: "${{ inputs.fossa_api_key }}" + run-tests: false + + - name: Generate SBOM with Syft + uses: anchore/sbom-action@v0 + # with: + # path: . # Or Dockerfile path + # format: spdx-json # Or cyclonedx-json + # output-file: sbom.json + # upload-artifact: true # Auto-upload to workflow artifacts + - name: Archive test results uses: actions/upload-artifact@v4 with: From f49a7cf927a50914248bc7f34e5636943c7405bc Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 15:23:01 +0100 Subject: [PATCH 06/11] use explicit version of cosign-installer --- docker/build-push/action.yml | 2 +- docker/build-scan/action.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index ec84579..3e2659d 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml @@ -45,7 +45,7 @@ runs: run: docker build . --file ${{ inputs.docker_file }} --tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }}${{ inputs.build_arguments }} shell: bash - name: Install Cosign - uses: sigstore/cosign-installer@v4 + uses: sigstore/cosign-installer@v4.0.0 with: cosign-release: 'v3.0.3' - name: Sign image with Cosign diff --git a/docker/build-scan/action.yml b/docker/build-scan/action.yml index abfb68c..805f2d3 100644 --- a/docker/build-scan/action.yml +++ b/docker/build-scan/action.yml 
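Review bot: `/d:sonar.token="${{ inputs.sonar_token}}"` in `Start code analysis` (and `${{inputs.sonar_token}}` in `Complete code analysis`) splices the token into the script text and onto the scanner's command line, where it is readable in the process list by anything else on the runner, and log masking only applies if the caller fed the input from a `secrets.*` value. Pass it through `env:` (`SONAR_TOKEN: ${{ inputs.sonar_token }}`) and reference `"$SONAR_TOKEN"` in the command; I believe recent dotnet-sonarscanner releases also read `SONAR_TOKEN` from the environment, which would let the flag be dropped entirely — confirm against the installed version. Expression spacing is inconsistent on the same line (`${{ inputs.sonar_token}}`, `${{inputs.sonar_host_url}}`) while the rest of the commit normalises to `${{ x }}`. The new `Generate SBOM with Syft` step has every `with:` entry commented out, so it runs on the action defaults; stating the intended source explicitly (`path: .`) makes the SBOM scope visible in the file.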
@@ -38,7 +38,7 @@ runs: run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} shell: bash - name: Install Cosign - uses: sigstore/cosign-installer@v4 + uses: sigstore/cosign-installer@v4.0.0 with: cosign-release: 'v3.0.3' - name: Sign image with Cosign From 501e38d63f37df30dc77be6918aa4d418070e815 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 15:36:07 +0100 Subject: [PATCH 07/11] Improve cosign --- docker/build-push/action.yml | 28 +++++++++++++++++++++------- docker/build-scan/action.yml | 7 ------- 2 files changed, 21 insertions(+), 14 deletions(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index 3e2659d..e26b187 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml @@ -41,25 +41,22 @@ runs: registry: ${{ inputs.container_registry }} username: ${{ inputs.container_registry_username }} password: ${{ inputs.container_registry_password }} + - name: Build container image run: docker build . --file ${{ inputs.docker_file }} --tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }}${{ inputs.build_arguments }} shell: bash - - name: Install Cosign - uses: sigstore/cosign-installer@v4.0.0 - with: - cosign-release: 'v3.0.3' - - name: Sign image with Cosign - run: cosign sign --yes ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} - shell: bash + - name: Push image to container registry run: docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} shell: bash + - name: Push latest tag to container registry if: ${{ inputs.create_latest == 'true' }} run: | docker tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} ${{ inputs.image_path }}/${{ inputs.image_name }}:latest docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:latest shell: bash + - name: Generate SBOM with Syft uses: anchore/sbom-action@v0 with: 
@@ -67,3 +64,20 @@ runs: # format: spdx-json # Or cyclonedx-json # output-file: sbom.json # upload-artifact: true # Auto-upload to workflow artifacts + + - name: Install Cosign + uses: sigstore/cosign-installer@v4.0.0 + with: + cosign-release: 'v3.0.3' + - name: Get image digest + id: digest + run: | + DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} | cut -d'@' -f2) + echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT + shell: bash + - name: Sign image with Cosign + env: + COSIGN_EXPERIMENTAL: 1 # If using keyless (recommended for GitHub Actions) + run: | + cosign sign --yes ${{ inputs.image_path }}/${{ inputs.image_name }}@${{ steps.digest.outputs.DIGEST }} + shell: bash diff --git a/docker/build-scan/action.yml b/docker/build-scan/action.yml index 805f2d3..fbc1a5d 100644 --- a/docker/build-scan/action.yml +++ b/docker/build-scan/action.yml @@ -37,13 +37,6 @@ runs: - name: Build container image run: docker build . --file ${{inputs.docker_file}} --tag ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} shell: bash - - name: Install Cosign - uses: sigstore/cosign-installer@v4.0.0 - with: - cosign-release: 'v3.0.3' - - name: Sign image with Cosign - run: cosign sign --yes ${{inputs.image_path}}/${{inputs.image_name}}:${{inputs.image_tag}} - shell: bash - name: Scan container image with NeuVector if: ${{ inputs.neuvector_enabled == 'true' }} uses: neuvector/scan-action@main From d6b3d09da84ebf86e66c189c30446b76e1ec59d7 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 15:49:34 +0100 Subject: [PATCH 08/11] Move sbom generation --- docker/build-push/action.yml | 21 ++++++++++++--------- 1 file changed, 12 insertions(+), 9 deletions(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index e26b187..eebba82 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml 
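Review bot: `Get image digest` writes whatever `docker inspect ... | cut` produced into `$GITHUB_OUTPUT` without checking it, so an empty `RepoDigests` makes the next step run `cosign sign` on `image@` with an unhelpful error; guard the value before exporting it: `[[ "$DIGEST" =~ ^sha256:[0-9a-f]{64}$ ]] || { echo "::error::could not resolve image digest"; exit 1; }`. `{{index .RepoDigests 0}}` also takes the first digest regardless of repository, which is only right while the image has been pushed to exactly one repo; filtering `.RepoDigests` by the `${{ inputs.image_path }}/${{ inputs.image_name }}@` prefix would make the selection explicit. `COSIGN_EXPERIMENTAL: 1` was the opt-in for keyless signing in cosign 1.x; with the pinned v3 release keyless is the default and, as far as I can tell, the variable is a no-op, so either comment it as kept for compatibility or drop it. Signing the digest rather than the tag is the right move, and the `latest` tag pushed earlier resolves to the same manifest, so this signature covers it too.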
@@ -46,6 +46,15 @@ runs: run: docker build . --file ${{ inputs.docker_file }} --tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }}${{ inputs.build_arguments }} shell: bash + - name: Generate SBOM with Syft + uses: anchore/sbom-action@v0 + continue-on-error: true + with: + image: ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} + # format: spdx-json # Or cyclonedx-json + # output-file: sbom.json + # upload-artifact: true # Auto-upload to workflow artifacts + - name: Push image to container registry run: docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} shell: bash @@ -57,27 +66,21 @@ runs: docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:latest shell: bash - - name: Generate SBOM with Syft - uses: anchore/sbom-action@v0 - with: - path: ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} - # format: spdx-json # Or cyclonedx-json - # output-file: sbom.json - # upload-artifact: true # Auto-upload to workflow artifacts - - name: Install Cosign uses: sigstore/cosign-installer@v4.0.0 with: cosign-release: 'v3.0.3' + - name: Get image digest id: digest run: | DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} | cut -d'@' -f2) echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT shell: bash + - name: Sign image with Cosign env: - COSIGN_EXPERIMENTAL: 1 # If using keyless (recommended for GitHub Actions) + COSIGN_EXPERIMENTAL: 1 run: | cosign sign --yes ${{ inputs.image_path }}/${{ inputs.image_name }}@${{ steps.digest.outputs.DIGEST }} shell: bash From e156c11b3b5cacfcda62d6391847e73be612bf1c Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 22:20:18 +0100 Subject: [PATCH 09/11] Update yamllint config --- .yamllint.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.yamllint.yaml b/.yamllint.yaml index cb9ccf3..8224dfe 100644 --- a/.yamllint.yaml 
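Review bot: `continue-on-error: true` on `Generate SBOM with Syft` means an image can be pushed and signed with no SBOM while the job still goes green, which defeats the purpose of producing one; either drop the flag so a missing SBOM fails the job, or expose the choice as a declared input (e.g. `sbom_required`) so the caller decides. The SBOM is also produced before the push and never linked to the pushed image; once the digest is known it could be attached with `cosign attest --predicate <sbom-file> --type spdxjson ${{ inputs.image_path }}/${{ inputs.image_name }}@${{ steps.digest.outputs.DIGEST }}`, which is the form `cosign verify-attestation` checks. Whether `image:` is resolved against the local daemon or the registry at this point in the job is not visible here; a comment is warranted, since the step now runs before anything has been pushed.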
+++ b/.yamllint.yaml @@ -4,5 +4,5 @@ rules: document-start: disable line-length: level: warning - max: 120 + max: 180 truthy: disable From a1935f8af82e96f022dc217ac63ba4c28b51e7a0 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 22:27:59 +0100 Subject: [PATCH 10/11] Remove trailing spaces --- .editorconfig | 17 +++++++++++------ docker/build-push/action.yml | 14 +++++++------- 2 files changed, 18 insertions(+), 13 deletions(-) diff --git a/.editorconfig b/.editorconfig index f932d93..9ae301b 100644 --- a/.editorconfig +++ b/.editorconfig @@ -1,6 +1,11 @@ -root = true - -[*] -end_of_line = lf -insert_final_newline = true -indent_style = space +root = true + +[*] +end_of_line = lf +indent_size = 2 +indent_style = space +insert_final_newline = true +trim_trailing_whitespace = true + +[md] +trim_trailing_whitespace = false diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index eebba82..c834361 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml @@ -41,11 +41,11 @@ runs: registry: ${{ inputs.container_registry }} username: ${{ inputs.container_registry_username }} password: ${{ inputs.container_registry_password }} - + - name: Build container image run: docker build . --file ${{ inputs.docker_file }} --tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }}${{ inputs.build_arguments }} shell: bash - + - name: Generate SBOM with Syft uses: anchore/sbom-action@v0 continue-on-error: true 
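Review bot: The new `[md]` section in `.editorconfig` matches only a file literally named `md`; EditorConfig globs need the wildcard, so the header should be `[*.md]` for the intent (preserving Markdown's trailing-space line breaks) to take effect. Every line of the file is shown as removed and re-added although most text is unchanged, which usually indicates a line-ending or BOM change; if so, saying that in the commit message stops the diff being read as a rewrite.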
@@ -54,30 +54,30 @@ runs: # format: spdx-json # Or cyclonedx-json # output-file: sbom.json # upload-artifact: true # Auto-upload to workflow artifacts - + - name: Push image to container registry run: docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} shell: bash - + - name: Push latest tag to container registry if: ${{ inputs.create_latest == 'true' }} run: | docker tag ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} ${{ inputs.image_path }}/${{ inputs.image_name }}:latest docker push ${{ inputs.image_path }}/${{ inputs.image_name }}:latest shell: bash - + - name: Install Cosign uses: sigstore/cosign-installer@v4.0.0 with: cosign-release: 'v3.0.3' - + - name: Get image digest id: digest run: | DIGEST=$(docker inspect --format='{{index .RepoDigests 0}}' ${{ inputs.image_path }}/${{ inputs.image_name }}:${{ inputs.image_tag }} | cut -d'@' -f2) echo "DIGEST=$DIGEST" >> $GITHUB_OUTPUT shell: bash - + - name: Sign image with Cosign env: COSIGN_EXPERIMENTAL: 1 From b36858b7bc5fba5885cc19fec55c9a5d993141e4 Mon Sep 17 00:00:00 2001 From: Bertrand THOMAS Date: Sun, 1 Feb 2026 23:33:31 +0100 Subject: [PATCH 11/11] Add comment --- docker/build-push/action.yml | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/docker/build-push/action.yml b/docker/build-push/action.yml index c834361..48a5005 100644 --- a/docker/build-push/action.yml +++ b/docker/build-push/action.yml @@ -1,5 +1,12 @@ name: Build and push a container image -description: Builds a new container image with Docker and pushes it to a registry +description: | + Builds a new container image with Docker and pushes it to a registry + Make sure to add (needed by cosign): + ``` + permissions: + id-token: write + contents: read + ``` inputs: container_registry: