.github/workflows/pull-request.yaml

name: Pull Request

on:
  pull_request:
    branches:
      - main

jobs:
  build:
    name: Build OCI Image
    permissions: write-all
    strategy:
      fail-fast: false
      matrix:
        os: [alpine, debian]
    runs-on: ubuntu-latest
    defaults:
      run:
        shell: bash
    steps:
      - name: Checkout
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0

      - name: Run Hadolint
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
        with:
          dockerfile: ./${{ matrix.os }}.dockerfile
          format: sarif
          output-file: hadolint.sarif
          no-fail: true

      - name: Upload Hadolint SARIF report
        uses: github/codeql-action/upload-sarif@8775e868027fa230df8586bdf502bbd9b618a477 # v2.2.3
        with:
          category: hadolint-${{ matrix.os }}
          sarif_file: hadolint.sarif

      - name: Generate OCI image metadata
        id: metadata
        uses: docker/metadata-action@507c2f2dc502c992ad446e3d7a5dfbe311567a96 # v4.3.0
        with:
          flavor: |
            latest=false
          images: |
            ${{ github.repository }}
          tags: |
            type=raw,value=${{ matrix.os }}-local
          labels: |
            org.opencontainers.image.description=Fluentd aggregator OCI image based on the default Fluentd OCI image.
            org.opencontainers.image.authors=Fluentd developers <fluentd@googlegroups.com>

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@f03ac48505955848960e80bbb68046aa35c7b9e7 # v2.4.1

      - name: Build OCI image
        id: build
        uses: docker/build-push-action@3b5e8027fcad23fda98b2e3ac259d8d67585f671 # v4.0.0
        with:
          file: ./${{ matrix.os }}.dockerfile
          context: .
          provenance: false
          sbom: false
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          tags: ${{ steps.metadata.outputs.tags }}
          labels: ${{ steps.metadata.outputs.labels }}
          load: true
          push: false

      - name: Generate OCI image Syft SBOM
        uses: anchore/sbom-action@07978da4bdb4faa726e52dfc6b1bed63d4b56479 # v0.13.3
        with:
          image: "${{ github.repository }}:${{ steps.metadata.outputs.version }}"
          dependency-snapshot: true
          format: spdx-json
          artifact-name: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom
          output-file: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json

      - name: Scan OCI image Syft SBOM with Grype
        id: scan
        uses: anchore/scan-action@84aa2c1d0eba986ed2274869c27f1e35a625449f # v3.3.3
        with:
          sbom: ${{ github.event.repository.name }}-${{ matrix.os }}-syft-sbom.spdx.json
          severity-cutoff: medium
          output-format: sarif
          fail-build: false

      - name: Upload Grype SARIF report
        uses: github/codeql-action/upload-sarif@8775e868027fa230df8586bdf502bbd9b618a477 # v2.2.3
        with:
          category: grype-${{ matrix.os }}
          sarif_file: ${{ steps.scan.outputs.sarif }}