From 85b33f9cf21254ae32365f1aaa1db291317fc389 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Tue, 2 Apr 2024 20:17:11 -0700
Subject: [PATCH 1/3] Update yaml
---
 .github/workflows/on_pr.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index 3fe1131..0e75ea3 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -10,11 +10,11 @@ env:
 IMAGE_NAME: cloudflared-ssh-action
 jobs:
- name: 'Dependency Review'
 dependency-review:
+ name: 'Dependency Review'
 runs-on: ubuntu-latest
 steps:
- - name: 'Checkout Repository'
+ - name: 'Checkout code'
 uses: actions/checkout@v4
 - name: Dependency Review
 uses: actions/dependency-review-action@v4
From dfe6596f9ce18466ab36399c9b14bae84ccee366 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:02:48 -0700
Subject: [PATCH 2/3] Add depends on
---
 .github/workflows/on_pr.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index 0e75ea3..84ca93f 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
@@ -23,6 +23,7 @@ jobs:
 build-and-push-image:
 name: Build and push to GitHub Packages
+ needs: dependency-review
 runs-on: ubuntu-latest
 permissions:
 contents: read
From ceb838bd4352e0b5f3f3d209ecd296d20ff00634 Mon Sep 17 00:00:00 2001
From: nathanjnorris <13533617+nathanjnorris@users.noreply.github.com>
Date: Tue, 2 Apr 2024 21:20:44 -0700
Subject: [PATCH 3/3] Update permissions
---
 .github/workflows/on_pr.yml | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/on_pr.yml b/.github/workflows/on_pr.yml
index 84ca93f..b47e28f 100644
--- a/.github/workflows/on_pr.yml
+++ b/.github/workflows/on_pr.yml
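Review bot: The step rename leaves `uses: actions/checkout@v4` and `uses: actions/dependency-review-action@v4` on mutable major-version tags, so the code that runs on every pull request can change upstream without any diff appearing in this repository. Pinning each `uses:` to a full commit SHA with the version kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v4`, makes the action supply chain auditable and lets Dependabot track updates; the same applies to `docker/login-action@v3` and `actions/delete-package-versions@v5` in patch 3. Moving `name:` under `dependency-review:` is the right fix for the key that previously sat directly under `jobs:`.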
@@ -1,9 +1,7 @@
 name: Build and scan container for vulnerabilities
 on:
 pull_request:
-
-permissions:
- contents: read
+
 env:
 REGISTRY: ghcr.io
@@ -13,6 +11,8 @@ jobs:
 dependency-review:
 name: 'Dependency Review'
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
 steps:
 - name: 'Checkout code'
 uses: actions/checkout@v4
@@ -37,7 +37,7 @@ jobs:
 uses: docker/login-action@v3
 with:
 registry: ${{ env.REGISTRY }}
- username: ${{ github.actor }}
+ username: ${{ github.repository_owner }}
 password: ${{ secrets.GITHUB_TOKEN }}
 - name: Build and push
@@ -51,6 +51,9 @@ jobs:
 name: Run Trivy scanner
 needs: build-and-push-image
 runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ packages: read
 steps:
 - name: Checkout code
 uses: actions/checkout@v4
@@ -66,7 +69,7 @@ jobs:
 format: 'sarif'
 output: 'trivy-results.sarif'
 env:
- TRIVY_USERNAME: ${{ github.actor }}
+ TRIVY_USERNAME: ${{ github.repository_owner }}
 TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
 - name: Upload Trivy scan results to GitHub Security tab
@@ -79,6 +82,8 @@ jobs:
 name: Delete old container images
 needs: scan-image
 runs-on: ubuntu-latest
+ permissions:
+ packages: write
 steps:
 - name: Delete images
 uses: actions/delete-package-versions@v5
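Review bot: Removing the workflow-level `permissions:` block in the first hunk takes away the default every job fell back to; this commit gives dependency-review, scan-image and delete-old-images their own blocks and build-and-push-image already had one from patch 2, but any job added later without a `permissions:` key will now receive the repository's default GITHUB_TOKEN grant instead of `contents: read`. Keeping a restrictive workflow-level default, `permissions: {}`, costs nothing because a job-level `permissions:` block replaces it entirely, and it preserves least privilege for future jobs. The removed and added blank lines around the block also appear to leave two consecutive blank lines before `env:` (the hunk counts suggest one more context line than is visible); one is enough.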
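Review bot: The new `permissions:` block for `scan-image` (the `@@ -51,6 +51,9 @@` hunk) grants only `contents: read` and `packages: read`, yet the same job's later step `Upload Trivy scan results to GitHub Security tab` (visible as context in the `@@ -66,7 +69,7 @@` hunk) writes SARIF to code scanning, which requires `security-events: write` when authenticating with GITHUB_TOKEN; now that the workflow-level block is gone, a job-level block grants nothing beyond what it lists, so that upload is likely to fail with a permission error. If the upload step is `github/codeql-action/upload-sarif` (its `uses:` line is outside the hunk), add `security-events: write` under the new block, and `actions: read` as well if the repository is private, per that action's documentation. The remaining steps of the scan-image job lie outside these hunks.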