Update Docker login command in clean_packages.yml workflow

sredevopsorg · Apr 30, 2024 · 2663472 · 2663472
1 parent beb66f1
commit 2663472
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 7 deletions.
diff --git a/.github/workflows/clean_packages.yml b/.github/workflows/clean_packages.yml
@@ -2,7 +2,10 @@ name: Delete old container images
 
 on: workflow_dispatch
 
-permissions: write-all
+permissions:
+  contents: read
+  packages: write
+  id-token: write
 
 jobs:
   build-containers:
@@ -11,9 +14,20 @@ jobs:
     env:
       IMAGE: ghcr.io/sredevopsorg/ghcr-retention-policy-test
     steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+          ref: ${{ github.ref }}
+          persist-credentials: false
+
       - uses: docker/setup-buildx-action@v1
-      - run: docker login ghcr.io -u ${{ github.actor }} --password-stdin <<< ${{ github.token }}
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@master
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
       # Each build should be different because of the $RANDOM addition
       - name: Build latest
         run: |
@@ -70,12 +84,14 @@ jobs:
       - name: Delete images more than 2 seconds old
         uses: sredevopsorg/container-retention-policy@main
         id: delete-images
+        continue-on-error: true
         with:
           image-names: ghcr-retention-policy-test
-          cut-off: 2 seconds ago UTC+2
-          account-type: personal
+          cut-off: 2 seconds ago UTC+0
+          account-type: org
           token: ${{ github.token }}
           skip-tags: ${{ steps.image-version.outputs.image-versions }}
+
 
       - name: Write skipped tags to cache
         run: |

diff --git a/.github/workflows/scorecard-analysis.yaml b/.github/workflows/scorecard-analysis.yaml
@@ -0,0 +1,57 @@
+name: Scorecard analysis workflow
+on:
+  push:
+    # Only the default branch is supported.
+    branches:
+    - main
+  schedule:
+    # Weekly on Saturdays.
+    - cron:  '30 1 * * 6'
+  workflow_dispatch:
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Needed for Code scanning upload
+      security-events: write
+      # Needed for GitHub OIDC token if publish_results is true
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@0ad4b8fadaa221de15dcec353f45205ec38ea70b # v4.1.4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@0864cf19026789058feabb7e87baa5f140aac736 # v2.3.1
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Scorecard team runs a weekly scan of public GitHub repos,
+          # see https://github.com/ossf/scorecard#public-data.
+          # Setting `publish_results: true` helps us scale by leveraging your workflow to
+          # extract the results instead of relying on our own infrastructure to run scans.
+          # And it's free for you!
+          publish_results: true
+
+      # Upload the results as artifacts (optional). Commenting out will disable
+      # uploads of run results in SARIF format to the repository Actions tab.
+      # https://docs.github.com/en/actions/advanced-guides/storing-workflow-data-as-artifacts
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4.3.3
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      # Upload the results to GitHub's code scanning dashboard (optional).
+      # Commenting out will disable upload of results to your repo's Code Scanning dashboard
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@8f596b4ae3cb3c588a5c46780b86dd53fef16c52 # v3.25.2
+        with:
+          sarif_file: results.sarif
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 [![release](https://img.shields.io/github/v/release/sredevopsorg/container-retention-policy)](https://github.com/sredevopsorg/container-retention-policy/releases/latest)
 [![coverage](https://codecov.io/gh/snok/drf-openapi-tester/branch/master/graph/badge.svg)](https://codecov.io/gh/sredevopsorg/container-retention-policy)
 
-# 📘 GHCR Container Retention Policy
+# 📘 GHCR Container Retention Policy (Forked from @snok )
 
 A GitHub Action for deleting old image versions from the GitHub container registry.
 
@@ -56,6 +56,7 @@ For an organization, a full example might look something like this:
 name: Delete old container images
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: "0 0 * * *"  # every day at midnight
 
@@ -94,6 +95,7 @@ While for a personal account, something like this might do:
 name: Delete old container images
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '0 0 0 * *'  # the first day of the month
 
@@ -118,6 +120,7 @@ An example showing 2 different retention policies based on image tags format:
 name: Delete old container images
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '0 0 0 * *'  # the first day of the month
 
@@ -152,6 +155,7 @@ An example using `${{ secrets.GITHUB_TOKEN }}` in a repository with package name
 name: Delete old container images
 
 on:
+  workflow_dispatch:
   schedule:
     - cron: '0 0 0 * *'  # the first day of the month
 

diff --git a/action.yml b/action.yml
@@ -1,4 +1,4 @@
-name: 'Container Retention Policy (Forked)'
+name: 'Container Retention Policy (Forked from @snok)'
 description: 'Create a retention policy for your GHCR hosted container images'
 branding:
   icon: "book"