fix: code scanning alert no. 12: Reflected cross-site scripting #7002
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: atlantis-image | |
on: | |
push: | |
branches: | |
- 'main' | |
- 'release-**' | |
tags: | |
- v*.*.* | |
pull_request: | |
branches: | |
- 'main' | |
- 'release-**' | |
types: | |
- opened | |
- reopened | |
- synchronize | |
- ready_for_review | |
workflow_dispatch: | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }} | |
cancel-in-progress: true | |
jobs: | |
changes: | |
outputs: | |
should-run-build: ${{ steps.changes.outputs.src == 'true' || startsWith(github.ref, 'refs/tags/') }} | |
if: github.event.pull_request.draft == false | |
runs-on: ubuntu-24.04 | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: dorny/paths-filter@de90cc6fb38fc0963ad72b210f1f284cd68cea36 # v3 | |
id: changes | |
with: | |
filters: | | |
src: | |
- 'Dockerfile' | |
- 'docker-entrypoint.sh' | |
- '.github/workflows/atlantis-image.yml' | |
- '**.go' | |
- 'go.*' | |
build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Build Image | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
runs-on: ubuntu-24.04 | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
# Push if not a pull request and references the main branch | |
PUSH: ${{ github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/')) }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
# Lint the Dockerfile first before setting anything up | |
- name: Lint Dockerfile | |
uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0 | |
with: | |
dockerfile: "Dockerfile" | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3 | |
with: | |
image: tonistiigi/binfmt:latest | |
platforms: arm64,arm | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
# release version is the name of the tag i.e. v0.10.0 | |
# release version also has the image type appended i.e. v0.10.0-alpine | |
# release tag is either pre-release or latest i.e. latest | |
# release tag also has the image type appended i.e. latest-alpine | |
# if it's v0.10.0 and alpine, it will do v0.10.0, v0.10.0-alpine, latest, latest-alpine | |
# if it's v0.10.0 and debian, it will do v0.10.0-debian, latest-debian | |
- name: Docker meta | |
id: meta | |
uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 # v5 | |
env: | |
SUFFIX: ${{ format('-{0}', matrix.image_type) }} | |
with: | |
images: | | |
${{ env.DOCKER_REPO }} | |
labels: | | |
org.opencontainers.image.authors="@runatlantis Github Org" | |
org.opencontainers.image.licenses=Apache-2.0 | |
tags: | | |
# semver | |
type=semver,pattern={{version}},prefix=v,suffix=${{ env.SUFFIX }} | |
type=semver,pattern={{version}},prefix=v,enable=${{ matrix.image_type == 'alpine' }} | |
type=semver,pattern={{major}}.{{minor}},prefix=v,suffix=${{ env.SUFFIX }} | |
# dev | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }} | |
type=raw,event=push,value=dev,enable={{is_default_branch}},suffix=${{ env.SUFFIX }}-{{ sha }} | |
type=raw,event=push,value=dev,enable=${{ github.ref == format('refs/heads/{0}', 'main') && matrix.image_type == 'alpine' }},suffix= | |
# prerelease | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=prerelease-latest,enable=${{ startsWith(github.ref, 'refs/tags/') && contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# latest | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') && matrix.image_type == 'alpine' }},suffix= | |
type=raw,event=tag,value=latest,enable=${{ startsWith(github.ref, 'refs/tags/') && !contains(github.ref, 'pre') }},suffix=${{ env.SUFFIX }} | |
# pr | |
type=ref,event=pr,suffix=${{ env.SUFFIX }} | |
flavor: | | |
# This is disabled here so we can use the raw form above | |
latest=false | |
# Suffix is not used here since there's no way to disable it above | |
- name: Login to Packages Container registry | |
uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 # v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
# Publish release to container registry | |
- name: Populate release version | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
run: echo "RELEASE_VERSION=${{ startsWith(github.ref, 'refs/tags/') && '${GITHUB_REF#refs/*/}' || 'dev' }}" >> $GITHUB_ENV | |
- name: "Build ${{ env.PUSH == 'true' && 'and push' || '' }} ${{ env.DOCKER_REPO }} image" | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
ATLANTIS_VERSION=${{ env.RELEASE_VERSION }} | |
ATLANTIS_COMMIT=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }} | |
ATLANTIS_DATE=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }} | |
platforms: linux/arm64/v8,linux/amd64,linux/arm/v7 | |
push: ${{ env.PUSH }} | |
tags: ${{ steps.meta.outputs.tags }} | |
target: ${{ matrix.image_type }} | |
labels: ${{ steps.meta.outputs.labels }} | |
outputs: type=image,name=target,annotation-index.org.opencontainers.image.description=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.description'] }} | |
test: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'true' | |
name: Test Image With Goss | |
runs-on: ubuntu-24.04 | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
env: | |
# Set docker repo to either the fork or the main repo where the branch exists | |
DOCKER_REPO: ghcr.io/${{ github.repository }} | |
steps: | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3 | |
# https://github.com/docker/build-push-action/issues/761#issuecomment-1575006515 | |
with: | |
driver-opts: | | |
image=moby/buildkit:v0.14.0 | |
- name: "Build and load into Docker" | |
if: contains(fromJson('["push", "pull_request"]'), github.event_name) | |
uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 # v6 | |
with: | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
context: . | |
build-args: | | |
ATLANTIS_BASE_TAG_TYPE=${{ matrix.image_type }} | |
push: false | |
load: true | |
tags: "${{ env.DOCKER_REPO }}:goss-test" | |
target: ${{ matrix.image_type }} | |
- name: "Setup Goss" | |
uses: e1himself/goss-installation-action@fbb6fb55d3e59c96045b2500eeb8ce0995d99ac1 # v1.2.1 | |
with: | |
version: "v0.4.7" | |
- name: Execute Goss tests | |
run: | | |
dgoss run --rm ${{ env.DOCKER_REPO }}:goss-test bash -c 'while true; do sleep 1; done;' | |
skip-build: | |
needs: [changes] | |
if: needs.changes.outputs.should-run-build == 'false' | |
name: Build Image | |
strategy: | |
matrix: | |
image_type: [alpine, debian] | |
runs-on: ubuntu-24.04 | |
steps: | |
- run: 'echo "No build required"' |