chore(deps): update dependency ubuntu to v24 (#87)

* chore(deps): update dependency ubuntu to v24 * update --------- Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> Co-authored-by: chgl <chgl@users.noreply.github.com>
miracum · Oct 3, 2024 · 0c1519a · 0c1519a
1 parent 1a9180b
commit 0c1519a
Show file tree

Hide file tree

Showing 5 changed files with 41 additions and 16 deletions.
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -79,7 +79,7 @@ jobs:
       github-token: ${{ secrets.GITHUB_TOKEN }}
 
   test:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     needs:
       - build
     steps:
@@ -88,6 +88,7 @@ jobs:
       - name: Set up containerd image store
         shell: bash
         run: |
+          [ -f /etc/docker/daemon.json ] || echo "{}" | sudo tee /etc/docker/daemon.json
           jq '. | .+{"features": {"containerd-snapshotter": true}}' /etc/docker/daemon.json > /tmp/docker-daemon-with-containerd.json
           sudo mv /tmp/docker-daemon-with-containerd.json /etc/docker/daemon.json
           cat /etc/docker/daemon.json

diff --git a/.github/workflows/standard-build.yaml b/.github/workflows/standard-build.yaml
@@ -92,7 +92,7 @@ on:
 jobs:
   build:
     name: build image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
       packages: write
@@ -124,6 +124,7 @@ jobs:
       - name: Set up containerd image store
         shell: bash
         run: |
+          [ -f /etc/docker/daemon.json ] || echo "{}" | sudo tee /etc/docker/daemon.json
           jq '. | .+{"features": {"containerd-snapshotter": true}}' /etc/docker/daemon.json > /tmp/docker-daemon-with-containerd.json
           sudo mv /tmp/docker-daemon-with-containerd.json /etc/docker/daemon.json
           cat /etc/docker/daemon.json
@@ -230,14 +231,34 @@ jobs:
 
       - name: install trivy
         run: |
-          wget https://github.com/aquasecurity/trivy/releases/download/v0.53.0/trivy_0.53.0_Linux-64bit.deb
-          sudo dpkg -i trivy_0.53.0_Linux-64bit.deb
+          wget https://github.com/aquasecurity/trivy/releases/download/v0.56.0/trivy_0.56.0_Linux-64bit.deb
+          sudo dpkg -i trivy_0.56.0_Linux-64bit.deb
+
+      - name: Check trivy db sha
+        id: trivy-db-sha
+        env:
+          GH_TOKEN: ${{ github.token }}
+        run: |
+          endpoint='/orgs/aquasecurity/packages/container/trivy-db/versions'
+          headers='Accept: application/vnd.github+json'
+          jqFilter='.[] | select(.metadata.container.tags[] | contains("latest")) | .name | sub("sha256:";"")'
+          sha=$(gh api -H "${headers}" "${endpoint}" | jq --raw-output "${jqFilter}")
+          echo "Trivy DB sha256:${sha}"
+          echo "sha=${sha}" >> "${GITHUB_OUTPUT}"
+
+      - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
+        with:
+          path: "${{ github.workspace }}/.cache/trivy"
+          key: ${{ runner.os }}-trivy-db-${{ steps.trivy-db-sha.outputs.sha }}
 
       - name: Create Trivy vulnerability attestation
         if: ${{ inputs.enable-trivy-scan }}
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           trivy image \
             --exit-code=0 \
+            --cache-dir="${{ github.workspace }}/.cache/trivy" \
             --format=cosign-vuln \
             --output=trivy-vuln-attestation.json \
             --ignore-unfixed="${{ inputs.trivy-ignore-unfixed }}" \
@@ -258,9 +279,12 @@ jobs:
 
       - name: Run Trivy vulnerability scanner for PR comment
         if: ${{ github.event_name == 'pull_request' && inputs.enable-trivy-scan }}
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
         run: |
           trivy image \
             --exit-code=0 \
+            --cache-dir="${{ github.workspace }}/.cache/trivy" \
             --format=template \
             --output=trivy-pr-report.md \
             --template="@trivy-pr-report.md.tpl" \
@@ -304,7 +328,7 @@ jobs:
 
   sign-image:
     name: sign image
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ github.event_name != 'pull_request' }}
     needs:
       - build
@@ -337,7 +361,7 @@ jobs:
 
   attest-trivy-vulnerability-report:
     name: attest trivy vulnerability report
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ github.event_name != 'pull_request' && inputs.enable-trivy-scan }}
     needs:
       - build
@@ -376,7 +400,7 @@ jobs:
 
   upload-attestion-to-release:
     name: upload slsa attestations to release assets
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ startsWith(github.ref, 'refs/tags/') }}
     needs:
       - image-provenance

diff --git a/.github/workflows/standard-lint.yaml b/.github/workflows/standard-lint.yaml
@@ -58,7 +58,7 @@ on:
 jobs:
   megalinter:
     name: MegaLinter
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ github.event_name == 'pull_request' }}
     permissions:
       issues: write
@@ -91,7 +91,7 @@ jobs:
 
   dependency-review:
     name: dependency review
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # can only run on PRs or the error is:
     # "Both a base ref and head ref must be provided, either via the `base_ref`/`head_ref` config options, or by running a `pull_request`/`pull_request_target` workflow."
     if: ${{ github.event_name == 'pull_request' }}
@@ -105,7 +105,7 @@ jobs:
 
   gradle-wrapper-validation:
     name: validate gradle wrapper
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ inputs.enable-validate-gradle-wrapper }}
     permissions:
       contents: read
@@ -117,7 +117,7 @@ jobs:
 
   base-image-signature-verification:
     name: verify Dockerfile base image signature
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ inputs.enable-verify-base-image-signature }}
     permissions:
       contents: read
@@ -138,7 +138,7 @@ jobs:
 
   codeql-analyze:
     name: CodeQL analyze
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     if: ${{ inputs.enable-codeql }}
     permissions:
       actions: read

diff --git a/.github/workflows/standard-release.yaml b/.github/workflows/standard-release.yaml
@@ -17,7 +17,7 @@ on:
 jobs:
   release:
     name: release
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     # run only on pushes. The semantic release default config allows releases
     # to only be created from the default branch ('master'). The ci.yaml
     # is configured to only run on pushes to master as well.
@@ -47,7 +47,7 @@ jobs:
         uses: cycjimmy/semantic-release-action@b1b432f13acb7768e0c8efdec416d363a57546f2 # v4.1.1
         with:
           extra_plugins: |
-            conventional-changelog-conventionalcommits@5.0.0
+            conventional-changelog-conventionalcommits@8.0.0
             semantic-release-replace-plugin@1.2.0
             @semantic-release/git@10.0.1
         env:

diff --git a/.github/workflows/standard-schedule.yaml b/.github/workflows/standard-schedule.yaml
@@ -23,7 +23,7 @@ on:
 jobs:
   check-links:
     name: check links using lychee
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     permissions:
       issues: write
     steps:
@@ -63,7 +63,7 @@ jobs:
 
   trivy-scan:
     name: scan images with trivy
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
     strategy:
       matrix:
         image: ${{ fromJSON(inputs.images) }}