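---
# PR workflow: preflight checks plus a Docker Scout CVE report posted as a PR comment.
# Note the `permissions:` block below: once any scope is declared, every unlisted
# scope is set to none, so `contents: read` must be listed explicitly for checkout
# and the local composite actions to work (anonymous read on a public repo happens
# to mask its absence, but it is not something to rely on).
name: Pull request

# `on` is a YAML 1.1 boolean-looking key; GitHub's loader handles it (yamllint truthy false positive).
on:
  pull_request:
    types:
      - opened
      - synchronize

jobs:
  pull_request:
    runs-on: ubuntu-24.04
    permissions:
      # actions/checkout and the ./.github/actions/* composite actions read the repository
      contents: read
      # Allows docker/scout-action to write a comment to PR
      # (for PRs opened from forks the GITHUB_TOKEN is read-only regardless of this setting)
      pull-requests: write
    steps:
      - name: Check out code
        # Floating major tag; pinning to a full commit SHA would protect against tag moves.
        uses: actions/checkout@v6
      # We need to login to dhi.io for getting hardened base image and to Docker Hub for using Docker Scout
      - name: Login
        uses: ./.github/actions/login
        with:
          user-name: ${{ vars.DOCKER_HUB_TEST_USERNAME }}
          # Test public repos read only token on a separate androidackee test account.
          # `vars.*` are plain repository variables, not encrypted secrets, and are not masked in
          # logs; this is acceptable only because the token is read-only on an isolated account
          # (secrets are not exposed to fork PRs, which is presumably why a variable is used).
          # Never swap in a write-capable or production token here.
          token: ${{ vars.DOCKER_HUB_TEST_TOKEN }}
      - name: Preflight checks
        uses: ./.github/actions/common-preflight-check
        with:
          image-tag: "pr"
      # We run Docker Scout to check for CVEs only in the PR because we just want to see a report of
      # vulnerabilities without failing the build (and this behaviour is useless for deploy workflow).
      # We don't want to ever fail even on critical fixable CVEs because they can come from transitive
      # dependencies that we don't control and can't usually reliably patch.
      - name: Docker Scout
        # Floating major tag; pinning to a full commit SHA would protect against tag moves.
        uses: docker/scout-action@v1
        with:
          command: "cves"
          only-severities: "critical,high"
          # Report only CVEs that have a fix available
          only-fixed: true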