mirror of https://github.com/docker/docs.git
Add raw filter to Scout CI doc
Signed-off-by: Chris Chinchilla <chris.ward@docker.com> Update scout/ci.md Co-authored-by: CrazyMax <github@crazymax.dev>
This commit is contained in:
Chris Chinchilla
parent
6dd9522756
commit
9a77ddf9b4
40
scout/ci.md
40
scout/ci.md
|
|
@ -24,6 +24,7 @@ with Docker in general, see [the GitHub Actions documentation](../build/ci/githu
|
||||||
|
|
||||||
Add the following to a GitHub action YAML file:
|
Add the following to a GitHub action YAML file:
|
||||||
|
|
||||||
|
{% raw %}
|
||||||
```yaml
|
```yaml
|
||||||
name: Docker
|
name: Docker
|
||||||
|
|
||||||
|
|
@ -38,8 +39,8 @@ on:
|
||||||
env:
|
env:
|
||||||
# Use docker.io for Docker Hub if empty
|
# Use docker.io for Docker Hub if empty
|
||||||
REGISTRY: docker.io
|
REGISTRY: docker.io
|
||||||
IMAGE_NAME: $\{\{ github.repository \}\}
|
IMAGE_NAME: ${{ github.repository }}
|
||||||
SHA: $\{\{ github.event.pull_request.head.sha || github.event.after \}\}
|
SHA: ${{ github.event.pull_request.head.sha || github.event.after }}
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
build:
|
build:
|
||||||
|
|
@ -48,6 +49,7 @@ jobs:
|
||||||
contents: read
|
contents: read
|
||||||
packages: write
|
packages: write
|
||||||
```
|
```
|
||||||
|
{% endraw %}
|
||||||
|
|
||||||
This sets up the workflow to run on pull requests and pushes to the `main`
|
This sets up the workflow to run on pull requests and pushes to the `main`
|
||||||
branch, and sets up environment variables available to all workflow steps. It
|
branch, and sets up environment variables available to all workflow steps. It
|
||||||
|
|
@ -56,24 +58,25 @@ the permissions available to the job.
|
||||||
|
|
||||||
Add the following to the YAML file:
|
Add the following to the YAML file:
|
||||||
|
|
||||||
|
{% raw %}
|
||||||
```yaml
|
```yaml
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v3
|
uses: actions/checkout@v3
|
||||||
with:
|
with:
|
||||||
ref: $\{\{ env.SHA \}\}
|
ref: ${{ env.SHA }}
|
||||||
|
|
||||||
- name: Setup Docker buildx
|
- name: Setup Docker buildx
|
||||||
uses: docker/setup-buildx-action@v2.5.0
|
uses: docker/setup-buildx-action@v2.5.0
|
||||||
|
|
||||||
# Login against a Docker registry except on PR
|
# Login against a Docker registry except on PR
|
||||||
# https://github.com/docker/login-action
|
# https://github.com/docker/login-action
|
||||||
- name: Log into registry $\{\{ env.REGISTRY \}\}
|
- name: Log into registry ${{ env.REGISTRY }}
|
||||||
uses: docker/login-action@v2.1.0
|
uses: docker/login-action@v2.1.0
|
||||||
with:
|
with:
|
||||||
registry: $\{\{ env.REGISTRY \}\}
|
registry: ${{ env.REGISTRY }}
|
||||||
username: $\{\{ secrets.DOCKER_USER \}\}
|
username: ${{ secrets.DOCKER_USER }}
|
||||||
password: $\{\{ secrets.DOCKER_PAT \}\}
|
password: ${{ secrets.DOCKER_PAT }}
|
||||||
|
|
||||||
# Extract metadata (tags, labels) for Docker
|
# Extract metadata (tags, labels) for Docker
|
||||||
# https://github.com/docker/metadata-action
|
# https://github.com/docker/metadata-action
|
||||||
|
|
@ -81,14 +84,15 @@ Add the following to the YAML file:
|
||||||
id: meta
|
id: meta
|
||||||
uses: docker/metadata-action@v4.4.0
|
uses: docker/metadata-action@v4.4.0
|
||||||
with:
|
with:
|
||||||
images: $\{\{ env.REGISTRY \}\}/$\{\{ env.IMAGE_NAME \}\}
|
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
|
||||||
labels: |
|
labels: |
|
||||||
org.opencontainers.image.revision=$\{\{ env.SHA \}\}
|
org.opencontainers.image.revision=${{ env.SHA }}
|
||||||
tags: |
|
tags: |
|
||||||
type=edge,branch=$repo.default_branch
|
type=edge,branch=$repo.default_branch
|
||||||
type=semver,pattern=v\{\{version\}\}
|
type=semver,pattern=v{{version}}
|
||||||
type=sha,prefix=,suffix=,format=short
|
type=sha,prefix=,suffix=,format=short
|
||||||
```
|
```
|
||||||
|
{% endraw %}
|
||||||
|
|
||||||
This creates workflow steps to checkout the repository, set up Docker buildx,
|
This creates workflow steps to checkout the repository, set up Docker buildx,
|
||||||
log into the Docker registry, and extract metadata from Git reference and GitHub
|
log into the Docker registry, and extract metadata from Git reference and GitHub
|
||||||
|
|
@ -96,6 +100,7 @@ events to use in later steps.
|
||||||
|
|
||||||
Add the following to the YAML file:
|
Add the following to the YAML file:
|
||||||
|
|
||||||
|
{% raw %}
|
||||||
```yaml
|
```yaml
|
||||||
# Build and push Docker image with Buildx (don't push on PR)
|
# Build and push Docker image with Buildx (don't push on PR)
|
||||||
# https://github.com/docker/build-push-action
|
# https://github.com/docker/build-push-action
|
||||||
|
|
@ -105,11 +110,12 @@ Add the following to the YAML file:
|
||||||
with:
|
with:
|
||||||
context: .
|
context: .
|
||||||
push: true
|
push: true
|
||||||
tags: $\{\{ steps.meta.outputs.tags \}\}
|
tags: ${{ steps.meta.outputs.tags }}
|
||||||
labels: $\{\{ steps.meta.outputs.labels \}\}
|
labels: ${{ steps.meta.outputs.labels }}
|
||||||
cache-from: type=gha
|
cache-from: type=gha
|
||||||
cache-to: type=gha,mode=max
|
cache-to: type=gha,mode=max
|
||||||
```
|
```
|
||||||
|
{% endraw %}
|
||||||
|
|
||||||
This uses the extracted metadata from the previous step to build and push the
|
This uses the extracted metadata from the previous step to build and push the
|
||||||
Docker image to Docker Hub. GitHub Actions skips this step on pull requests and
|
Docker image to Docker Hub. GitHub Actions skips this step on pull requests and
|
||||||
|
|
@ -117,19 +123,21 @@ only runs when a pull request is merged.
|
||||||
|
|
||||||
Add the following to the YAML file:
|
Add the following to the YAML file:
|
||||||
|
|
||||||
|
{% raw %}
|
||||||
```yaml
|
```yaml
|
||||||
- name: Docker Scout
|
- name: Docker Scout
|
||||||
id: docker-scout
|
id: docker-scout
|
||||||
if: $\{\{ github.event_name == 'pull_request' \}\}
|
if: ${{ github.event_name == 'pull_request' }}
|
||||||
uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
|
uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
|
||||||
with:
|
with:
|
||||||
command: compare
|
command: compare
|
||||||
image: $\{\{ steps.meta.outputs.tags \}\}
|
image: ${{ steps.meta.outputs.tags }}
|
||||||
to: $\{\{ env.REGISTRY \}\}/$\{\{ env.IMAGE_NAME \}\}:edge
|
to: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:edge
|
||||||
ignore-unchanged: true
|
ignore-unchanged: true
|
||||||
only-severities: critical,high
|
only-severities: critical,high
|
||||||
token: $\{\{ secrets.DOCKER_PAT \}\}
|
token: ${{ secrets.DOCKER_PAT }}
|
||||||
```
|
```
|
||||||
|
{% endraw %}
|
||||||
|
|
||||||
This final step uses the Docker Scout CLI to run [the `compare` command](../engine/reference/commandline/scout_compare.md), comparing the new
|
This final step uses the Docker Scout CLI to run [the `compare` command](../engine/reference/commandline/scout_compare.md), comparing the new
|
||||||
image to the published one. It only shows critical or high-severity vulnerabilities and
|
image to the published one. It only shows critical or high-severity vulnerabilities and
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue