
Improve certificate handling and GitHub Actions security #3



name: Publish Container Images
on:
push:
branches: [ main ]
tags: [ 'v*' ]
workflow_dispatch:
# Set explicit permissions - only grant what's needed
permissions:
contents: read # Needed to check out the repository
packages: write # Needed to push to GitHub Container Registry
# The following permissions are NOT needed and should remain at default (none):
# - issues
# - pull-requests
# - actions
# - security-events
# - id-token
# - deployments
jobs:
push-to-registry:
name: Push containers to GitHub Container Registry
runs-on: ubuntu-latest
# Job-level permissions are already set at workflow level
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Create certificate file for build
run: |

Check failure on line 35 in .github/workflows/publish-container.yml


GitHub Actions / Publish Container Images

Invalid workflow file

The workflow is not valid. .github/workflows/publish-container.yml (Line: 35, Col: 14): Unexpected symbol: '$SECRET_NAME'. Located at position 9 within expression: secrets.$SECRET_NAME
mkdir -p certs/org
# Function to create certificate from parts
create_cert_from_parts() {
# Start with an empty file
: > certs/org/ca-bundle.pem
# Add each available part (up to 20 parts)
for i in {1..20}; do
SECRET_NAME="CA_BUNDLE_PART$i"
if [ -n "$(eval echo \${{ secrets.$SECRET_NAME }})" ]; then
echo "Adding certificate part $i"
echo "$(eval echo \${{ secrets.$SECRET_NAME }})" >> certs/org/ca-bundle.pem
else
# Stop when we run out of parts
break
fi
done
echo "Using CA certificate assembled from multiple parts"
}
# First try using single secret
if [ -n "${{ secrets.CA_BUNDLE }}" ]; then
echo "${{ secrets.CA_BUNDLE }}" > certs/org/ca-bundle.pem
echo "Using CA certificate from single secret"
# Next try using split certificate parts
elif [ -n "${{ secrets.CA_BUNDLE_PART1 }}" ]; then
create_cert_from_parts
else
# Fallback to empty file
touch certs/org/empty-ca-bundle.pem
echo "Using empty CA certificate file"
fi
# Modified to ensure Dockerfiles exist instead of relying on symlinks
- name: Prepare Dockerfiles
run: |
# Instead of relying on symlinks, directly reference the actual files
echo "Using Dockerfile for full build"
echo "Using Dockerfile.optimized for minimal build"
- name: Log in to GitHub Container Registry
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Extract metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ghcr.io/${{ github.repository }}
tags: |
type=ref,event=branch
type=semver,pattern={{version}}
type=semver,pattern={{major}}.{{minor}}
type=sha,format=long
- name: Build and push minimal container
uses: docker/build-push-action@v4
with:
context: .
# Directly use the actual Dockerfile.optimized instead of a symlink
file: ./Dockerfile.optimized
push: true
tags: |
ghcr.io/${{ github.repository }}:minimal
${{ steps.meta.outputs.tags }}-minimal
labels: ${{ steps.meta.outputs.labels }}
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Build and push full container
uses: docker/build-push-action@v4
with:
context: .
# Directly use the actual Dockerfile instead of a symlink
file: ./Dockerfile
push: true
tags: |
ghcr.io/${{ github.repository }}:latest
ghcr.io/${{ github.repository }}:full
${{ steps.meta.outputs.tags }}-full
labels: ${{ steps.meta.outputs.labels }}
build-args: |
BUILD_TYPE=full
cache-from: type=gha
cache-to: type=gha,mode=max
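Review bot: The `Create certificate file for build` step interpolates `${{ secrets.$SECRET_NAME }}` into the shell script, which is not valid expression syntax (the check annotation above already fails on it) and, for the fixed `${{ secrets.CA_BUNDLE }}` / `${{ secrets.CA_BUNDLE_PART1 }}` references too, pastes the secret contents straight into the script, where `eval echo` then re-evaluates them as shell — any quote or metacharacter in the PEM data changes the command. Secrets should instead be exposed through the step's `env:` block and read as ordinary shell variables, with bash indirect expansion (`${!var}`) replacing the `eval`; the rewritten step below does that and keeps the single-secret / multi-part / empty fallback order. Note also that the fallback branch creates `certs/org/empty-ca-bundle.pem` while the other two branches write `certs/org/ca-bundle.pem`; if the Dockerfile copies the latter, the no-secret build will fail — the rewrite writes an empty `ca-bundle.pem` in every case, assuming that is the intended contract. Separately, given the PR's security focus, the third-party actions (`actions/checkout@v3`, `docker/setup-buildx-action@v2`, `docker/login-action@v2`, `docker/metadata-action@v4`, `docker/build-push-action@v4`) are pinned to mutable major tags; pinning to a full commit SHA with the tag in a trailing comment removes the supply-chain risk of a moved tag.

```yaml
      - name: Create certificate file for build
        env:
          CA_BUNDLE: ${{ secrets.CA_BUNDLE }}
          CA_BUNDLE_PART1: ${{ secrets.CA_BUNDLE_PART1 }}
          CA_BUNDLE_PART2: ${{ secrets.CA_BUNDLE_PART2 }}
          # … one env entry per CA_BUNDLE_PARTn you define (the loop stops at the first empty one) …
        run: |
          mkdir -p certs/org
          : > certs/org/ca-bundle.pem
          if [ -n "$CA_BUNDLE" ]; then
            printf '%s\n' "$CA_BUNDLE" > certs/org/ca-bundle.pem
            echo "Using CA certificate from single secret"
          elif [ -n "$CA_BUNDLE_PART1" ]; then
            for i in {1..20}; do
              var="CA_BUNDLE_PART$i"
              [ -n "${!var}" ] || break
              echo "Adding certificate part $i"
              printf '%s\n' "${!var}" >> certs/org/ca-bundle.pem
            done
            echo "Using CA certificate assembled from multiple parts"
          else
            echo "Using empty CA certificate file"
          fi
      # … unchanged: Prepare Dockerfiles, login, metadata and build-push steps …
```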