edit ci.yml

norefice-github · Oct 10, 2023 · 04e03aa · 04e03aa
1 parent 301d6ab
commit 04e03aa
Showing 1 changed file with 77 additions and 65 deletions.
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -2,13 +2,15 @@ name: CI Pipeline
 
 on:
   push:
-    branches: [ "main" ]
+    branches: ["main"]
     tags: ["v*.*.*"]
+  pull_request_target:
+    branches: ["main"]
 
 env:
   DOCKER_ORG: demonstrationorg
   IMAGE_NAME: demonstrationorg/juvenile
-  SHA: ${{ github.event.after }}
+  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
   DOCKERFILE_PATH: Dockerfile
   PROD_IMAGE: demonstrationorg/juvenile:main
 
@@ -18,74 +20,84 @@ jobs:
   build:
     runs-on: ubuntu-latest
     permissions:
-      # required for all workflows
       security-events: write
-      # only required for workflows in private repositories
       actions: read
       contents: read
 
 
     steps:
-    - name: Checkout repository
-      uses: actions/checkout@v3
-      with:
-        ref: ${{ env.SHA }}
-
-    - name: Setup Docker buildx
-      uses: docker/setup-buildx-action@v2
-
-    - name: Log into registry
-      uses: docker/login-action@v2
-      with:
-        username: ${{secrets.DOCKER_USERNAME}}
-        password: ${{ secrets.DOCKER_PASSWORD }}
-
-    - name: Extract Docker metadata
-      id: meta
-      uses: docker/metadata-action@v4
-      with:
-        images: ${{ env.IMAGE_NAME }}
-        labels: |
-          org.opencontainers.image.revision=${{ env.SHA }}
-          com.docker.image.source.entrypoint=${{ env.DOCKERFILE_PATH }}
-      
-    - name: Build and push Docker image on push
-      id: build-and-push
-      if: ${{ github.event_name != 'pull_request_target' }}
-      uses: docker/build-push-action@v4
-      with:
-        context: .
-        load: false
-        push: true
-        tags: ${{ steps.meta.outputs.tags }}
-        labels: ${{ steps.meta.outputs.labels }}
-        platforms: "linux/amd64,linux/arm64"
-        sbom: true
-        provenance: true
-
-    - name: Compare to deployed image
-      id: docker-scout-compare
-      if: ${{ github.event_name != 'pull_request_target' }}
-      uses: docker/scout-action@main
-      with:
-        command: compare
-        image: ${{ steps.meta.outputs.tags }}
-        only-severities: critical,high
-        to: ${{ env.PROD_IMAGE }}
-        platform: "linux/arm64"
-        exit-code: true       
-        summary: true
-        organization: ${{ env.DOCKER_ORG }}
-
-    - name: Analyze for critical and high CVEs
-      id: docker-scout-cves
-      if: ${{ github.event_name == 'pull_request_target' }}
-      uses: docker/scout-action@main
-      with:
-        command: cves
-        image: ${{ steps.meta.outputs.tags }}
-        sarif-file: sarif.output.json
-        platform: "linux/arm64"
-        summary: true
+      - name: Checkout repository
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ env.SHA }}
+
+      - name: Setup Docker buildx
+        uses: docker/setup-buildx-action@v2
+
+      - name: Log into registry
+        uses: docker/login-action@v2
+        with:
+          username: ${{secrets.DOCKER_USERNAME}}
+          password: ${{ secrets.DOCKER_PASSWORD }}
+
+      - name: Extract Docker metadata
+        id: meta
+        uses: docker/metadata-action@v4
+        with:
+          images: ${{ env.IMAGE_NAME }}
+          labels: |
+            org.opencontainers.image.revision=${{ env.SHA }}
+            com.docker.image.source.entrypoint=${{ env.DOCKERFILE_PATH }}
+        
+      - name: Build and push Docker image on push
+        id: build-and-push
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          load: false
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: "linux/amd64,linux/arm64"
+          sbom: true
+          provenance: true
 
+      - name: Build and push Docker image on PR
+        id: build-and-push-pr
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: docker/build-push-action@v4
+        with:
+          context: .
+          load: true
+          push: false
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          platforms: "linux/arm64"
+          sbom: false
+          provenance: false 
 
+      - name: Analyze for critical and high CVEs
+        id: docker-scout-cves
+        if: ${{ github.event_name != 'pull_request_target' }}
+        uses: docker/scout-action@main
+        with:
+          command: cves
+          image: ${{ steps.meta.outputs.tags }}
+          sarif-file: sarif.output.json
+          platform: "linux/arm64"
+          summary: true
+
+      - name: Compare to deployed image
+        id: docker-scout-compare
+        if: ${{ github.event_name == 'pull_request_target' }}
+        uses: docker/scout-action@main
+        with:
+          command: compare
+          image: ${{ steps.meta.outputs.tags }}
+          only-severities: critical,high
+          to: ${{ env.PROD_IMAGE }}
+          platform: "linux/arm64"
+          exit-code: true       
+          summary: true
+          organization: ${{ env.DOCKER_ORG }}