ci: container image audit

.github/workflows/audit.yaml

@@ -8,8 +8,8 @@ on:
   workflow_dispatch:
 
 jobs:
-  audit:
-    name: Vulnerability audit
+  nuget-audit:
+    name: NuGet packages
     runs-on: ubuntu-latest
     timeout-minutes: 5
     steps:
@@ -36,6 +36,18 @@ jobs:
       # NU1903:	Package with high severity detected
       # NU1904:	Package with critical severity detected
       # NU1905:	An audit source does not provide a vulnerability database
-      - name: Audit
+      - name: Audit NuGet packages
         run: >
-          dotnet restore Drift.sln -p:WarningsAsErrors='"NU1900;NU1901;NU1902;NU1903;NU1904;NU1905"'
+          dotnet restore Drift.sln
+          -p:WarningsAsErrors='"NU1900;NU1901;NU1902;NU1903;NU1904;NU1905"'
+
+  container-audit:
+    name: Container image
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - name: Audit container image
+        run: >
+          docker run --rm anchore/grype:latest
+          --fail-on high
+          hojmark/drift:latest

.github/workflows/ci.yaml

@@ -37,11 +37,11 @@ jobs:
         uses: ./.github/actions/setup-runner
 
       - name: Run tests
-        run: |
-          dotnet run \
-          --project ./build/_build.csproj \
-          --target Test \
-          --commit ${{ github.sha }} \
+        run: >
+          dotnet run
+          --project ./build/_build.csproj
+          --target Test
+          --commit ${{ github.sha }}
           --msbuildverbosity ${{ github.event.inputs.verbosity }}
 
       - name: Display test results
@@ -51,7 +51,7 @@ jobs:
 
       # TODO fix publish warnings and re-enable check
       - name: Check for warnings
-        run: |
-          dotnet run \
-          --project ./build/_build.csproj \
+        run: >
+          dotnet run
+          --project ./build/_build.csproj
           --target CheckBuildWarnings

.github/workflows/prerelease.yaml

@@ -25,13 +25,13 @@ jobs:
       - name: Release
         env:
           CUSTOM_VERSION: ${{ github.event.inputs.customVersion }}
-        run: |
-          dotnet run \
-            --project ./build/_build.csproj \
-            --target PreRelease \
-            --commit ${{ github.sha }} \
-            --githubtoken ${{ secrets.GITHUB_TOKEN }} \
-            --dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }} \
+        run: >
+          dotnet run
+            --project ./build/_build.csproj
+            --target PreRelease
+            --commit ${{ github.sha }}
+            --githubtoken ${{ secrets.GITHUB_TOKEN }}
+            --dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }}
             --customversion $CUSTOM_VERSION
 
       - name: Display test results

.github/workflows/release.yaml

@@ -18,12 +18,12 @@ jobs:
         uses: ./.github/actions/setup-runner
 
       - name: Release
-        run: |
-          dotnet run \
-            --project ./build/_build.csproj \
-            --target Release \
-            --commit ${{ github.sha }} \
-            --githubtoken ${{ secrets.GITHUB_TOKEN }} \
+        run: >
+          dotnet run
+            --project ./build/_build.csproj
+            --target Release
+            --commit ${{ github.sha }}
+            --githubtoken ${{ secrets.GITHUB_TOKEN }}
             --dockerhubpassword ${{ secrets.DOCKER_HUB_PAT_RW }} 
 
       - name: Display test results

.github/workflows/renovate.yaml

@@ -30,11 +30,11 @@ jobs:
           private-key: ${{ secrets.RENOVATE_APP_PK }}
 
       - name: Run Renovate
-        run: |
-          docker run --rm \
-            -e RENOVATE_LOG_LEVEL=${{ inputs.log_level }} \
-            -e RENOVATE_PRINT_CONFIG=${{ inputs.log_level != 'info' }} \
-            -e RENOVATE_PLATFORM=github \
-            -e RENOVATE_REPOSITORIES=hojmark/drift \
-            -e RENOVATE_TOKEN=${{ steps.app-token.outputs.token }} \
-            renovate/renovate:latest
+        run: >
+          docker run --rm
+          -e RENOVATE_LOG_LEVEL=${{ inputs.log_level }}
+          -e RENOVATE_PRINT_CONFIG=${{ inputs.log_level != 'info' }}
+          -e RENOVATE_PLATFORM=github
+          -e RENOVATE_REPOSITORIES=hojmark/drift 
+          -e RENOVATE_TOKEN=${{ steps.app-token.outputs.token }}
+          renovate/renovate:latest