#!/usr/bin/env bash
#
# Contract check for the container image scan job: verifies that the Docker
# workflow file still contains the literals listed further down in this script.
# The workflow path is relative to the current directory (presumably the
# repository root -- confirm against the caller).

# Strict mode: abort on a failing command, on an unset variable, and on a
# failure in any stage of a pipeline.
set -o errexit -o nounset -o pipefail

# Workflow file that require_literal searches.
workflow='.github/workflows/docker.yml'
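#######################################
# Fail the script unless the workflow file contains a fixed string.
# Globals:   workflow (read) - path of the workflow file to search
# Arguments: $1 - literal text that must appear in the file
#            $2 - short description used in the failure message
# Outputs:   failure message on stderr
# Returns:   0 when the literal is present; otherwise exits the script with 1
#
# NOTE(review): this is a whole-file substring match (grep -F). Text inside a
# YAML comment, a disabled step or a different job satisfies it too, so a pass
# shows that the literal is present, not that the setting is in effect.
#######################################
require_literal() {
  local needle="$1"
  local description="$2"

  # Report an unreadable or missing workflow file as such, rather than as a
  # missing contract line.
  if [[ ! -r "$workflow" ]]; then
    printf 'container scan workflow file not readable: %s\n' "$workflow" >&2
    exit 1
  fi

  # `--` ends option parsing, so a needle that starts with '-' is searched for
  # instead of being parsed as a grep flag.
  if ! grep -Fq -- "$needle" "$workflow"; then
    printf 'missing container scan workflow contract: %s\n' "$description" >&2
    exit 1
  fi
}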
# Contract for the container scan job, stored as alternating
# (literal, description) entries. Entries are checked in order and the first
# missing one aborts the script.
#
# NOTE(review): literals are compared byte-for-byte, so a cosmetic reformat of
# the workflow (for example the spacing inside `needs: [ ... ]`) fails the
# check, and a bump of a pinned action SHA has to be mirrored here.
contract=(
  "scan-docker-image:" "scan job"
  "needs: [ build-check, build-docker ]" "build dependency"
  "needs.build-check.outputs.should_build == 'true' && needs.build-check.outputs.should_push == 'true'" "release image push guard"

  # Third-party actions are required at full commit SHAs, not tags or branches.
  "docker/login-action@c94ce9fb468520275223c153574b00df6fe4bcc9" "pinned GHCR login action"
  "aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25" "pinned Trivy action"

  # Single quotes keep the ${{ ... }} expressions literal for the shell.
  'image-ref: ${{ env.REGISTRY_GHCR }}:${{ needs.build-check.outputs.version }}${{ matrix.suffix }}' "GHCR image reference"
  "format: sarif" "SARIF report format"

  # Report-only policy: with exit-code "0" the scan presumably never fails the
  # job, so findings have to be reviewed in the SARIF report / uploaded
  # artifact -- confirm against the workflow.
  'exit-code: "0"' "report-only failure policy"
  "actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a" "pinned report upload action"
  "container-image-scan-" "scan report artifact name"
)

for ((idx = 0; idx < ${#contract[@]}; idx += 2)); do
  require_literal "${contract[idx]}" "${contract[idx + 1]}"
done

printf '%s\n' "Container scan workflow contract ok."