@@ -131,8 +131,11 @@ jobs:
131
131
- uses : actions/checkout@master
132
132
- name : Define Matrix
133
133
id : define-matrix
134
+ # To avoid pulling the snyk image too often due to a very large matrix,
135
+ # we generate a matrix without architecure, and run the scan twice
136
+ # in each job, once for amd64 and once for arm64.
134
137
run : |
135
- echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py) >> "$GITHUB_OUTPUT"
138
+ echo matrix=$(python ./.github/scripts/matrix/gen-matrix.py --no-arch ) >> "$GITHUB_OUTPUT"
136
139
137
140
debian-sdk :
138
141
name : Debian SDK images
@@ -152,23 +155,40 @@ jobs:
152
155
- name : Set version
153
156
run : |
154
157
[ -z "${{ env.DISPATCH_REF }}" ] && echo "PULUMI_VERSION=$(curl https://www.pulumi.com/latest-version)" >> $GITHUB_ENV || echo "PULUMI_VERSION=${{ env.DISPATCH_REF }}" >> $GITHUB_ENV
155
- - name : Set image name
158
+ - name : Set image name - amd64
156
159
run : |
157
- echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-${{ matrix.arch }} " >> $GITHUB_ENV
158
- - name : Snyk scan
160
+ echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-amd64 " >> $GITHUB_ENV
161
+ - name : Snyk scan - amd64
159
162
continue-on-error : true
160
163
uses : snyk/actions/docker@master
161
164
env :
162
165
SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
163
166
with :
164
167
image : ${{ env.IMAGE_NAME }}
165
- args : --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/${{ matrix.arch }}
166
- - name : Filter Sarif File
168
+ args : --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/amd64
169
+ - name : Filter Sarif File - amd64
167
170
run : python ./.github/scripts/filter-sarif.py
168
171
- name : Upload result to GitHub Code Scanning
169
172
uses : github/codeql-action/upload-sarif@v3
170
173
with :
171
174
sarif_file : out.sarif
175
+ - name : Set image name - arm64
176
+ run : |
177
+ echo "IMAGE_NAME=${{ env.DOCKER_ORG }}/pulumi-${{ matrix.sdk }}${{ matrix.suffix }}:${{ env.PULUMI_VERSION }}-debian-arm64" >> $GITHUB_ENV
178
+ - name : Snyk scan - arm64
179
+ continue-on-error : true
180
+ uses : snyk/actions/docker@master
181
+ env :
182
+ SNYK_TOKEN : ${{ secrets.SNYK_TOKEN }}
183
+ with :
184
+ image : ${{ env.IMAGE_NAME }}
185
+ args : --severity-threshold=high --file=docker/${{ matrix.sdk }}/Dockerfile.debian --platform=linux/arm64
186
+ - name : Filter Sarif File - arm64
187
+ run : python ./.github/scripts/filter-sarif.py
188
+ - name : Upload result to GitHub Code Scanning - arm64
189
+ uses : github/codeql-action/upload-sarif@v3
190
+ with :
191
+ sarif_file : out.sarif
172
192
173
193
ubi-sdk :
174
194
name : UBI SDK images
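Review bot: Both upload steps in the debian-sdk job (the unchanged `Upload result to GitHub Code Scanning` and the new `Upload result to GitHub Code Scanning - arm64`) send the same `out.sarif` path to code scanning with no `category`, and because the arm64 filter step rewrites `out.sarif` in the same job, the second upload most likely supersedes the first for this commit, so amd64 findings would silently stop appearing; add `category: snyk-${{ matrix.sdk }}${{ matrix.suffix }}-amd64` under the first step's `with:` and `category: snyk-${{ matrix.sdk }}${{ matrix.suffix }}-arm64` under the second. The amd64 image-name line keeps the trailing space before the closing quote (`-debian-amd64 " >> $GITHUB_ENV`) that the new arm64 line drops, so `IMAGE_NAME` differs in shape between the two scans; remove the space so both steps produce the same form. The newly added `uses: snyk/actions/docker@master` and `uses: github/codeql-action/upload-sarif@v3` lines reference mutable refs, and pinning them to a full commit SHA with the tag in a trailing comment would stop the scanning step itself from being a supply-chain entry point; `snyk/actions/docker@master` in particular receives `SNYK_TOKEN`. The debian-sdk job's earlier steps start outside the hunk, and for naming consistency with the arm64 steps the first upload step could be renamed `Upload result to GitHub Code Scanning - amd64`.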