container-scan.yaml

name: Container Scans

permissions:
  actions: read

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main
  merge_group:
    paths-ignore:
    - "LICENSE"
    - "CODEOWNERS"
    
jobs:
  container-scans:
    runs-on: ubuntu-latest
    steps:
      - name: Harden Runner
        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
        with:
          egress-policy: audit
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
      - name: Use Node.js latest
        uses: actions/setup-node@1d0ff469b7ec7b3cb9d8673fde0c81c44821de2a # v4.2.0
        with:
          node-version: 20
          cache: "npm"
      - name: Install Pepr Dependencies
        run: npm ci
      - name: Build Pepr Controller Image
        run: npm run build:image
      - name: Configure Grype Ignore File
        run: |
          mkdir -p ~/.grype
          echo "ignore:" > ~/.grype.yaml
          echo "  - vulnerability: CVE-2025-0395" >> ~/.grype.yaml
      - name: Vulnerability Scan
        uses: anchore/scan-action@7c05671ae9be166aeb155bad2d7df9121823df32 # v6.1.0
        with:
          image: "pepr:dev"
          fail-build: true
          severity-cutoff: high
      - name: Generate SBOM
        uses: anchore/sbom-action@f325610c9f50a54015d37c8d16cb3b0e2c8f4de0 # v0.18.0
        with:
          image: pepr:dev
          upload-artifact: true
          upload-artifact-retention: 30