
chore(deps): bump docker/setup-qemu-action from 5306bad0baa6b616b9934712d4eba8da2112606d to 8b562efa09ec1557a9e26f25a7c6292838acea94 #9951

Open. Wants to merge 1 commit into base: main
Conversation

dependabot[bot] (Contributor) commented on behalf of github Oct 28, 2024

Bumps docker/setup-qemu-action from 5306bad0baa6b616b9934712d4eba8da2112606d to 8b562efa09ec1557a9e26f25a7c6292838acea94.

Commits
  • 8b562ef Merge pull request #175 from crazy-max/publish-immutable-action
  • 2f493fa ci: publish as immutable action workflow
  • 719c55c Merge pull request #162 from docker/dependabot/npm_and_yarn/path-to-regexp-6.3.0
  • 0d9790b build(deps): bump path-to-regexp from 6.2.2 to 6.3.0
  • 49b3bc8 Merge pull request #155 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 9dec05b chore: update generated content
  • 73387bc build(deps): bump @docker/actions-toolkit from 0.34.0 to 0.35.0
  • fcfabe0 Merge pull request #154 from docker/dependabot/npm_and_yarn/docker/actions-to...
  • 948a838 chore: update generated content
  • 31629f6 switch to Docker exec
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from moabu as a code owner October 28, 2024 10:31
@dependabot dependabot bot added the labels github_actions (Pull requests that update Github_actions code) and kind-dependencies (Pull requests that update a dependency file) Oct 28, 2024

dryrunsecurity bot commented Oct 28, 2024

DryRun Security Summary

The provided GitHub Actions workflow builds and publishes Docker images for the Janssen Project, implementing security-conscious practices such as multi-architecture support, conditional build logic, versioning and tagging, and Cosign-based image signing to ensure the integrity and authenticity of the Docker images.


Summary:

The provided GitHub Actions workflow is responsible for building and publishing Docker images for the Janssen Project. The workflow demonstrates a security-conscious approach to the image build and deployment process. Key security-related aspects of the workflow include the use of QEMU to enable multi-architecture support, the implementation of conditional build logic to minimize the attack surface, the versioning and tagging strategy to differentiate development and production-ready images, the ability to override image tags and war versions (which should be carefully validated), and the use of Cosign to sign the Docker images, ensuring their integrity and authenticity.

Overall, the workflow appears to be well-structured and designed with security in mind. The conditional build logic, versioning and tagging approach, and image signing features are particularly noteworthy from an application security perspective. However, it's essential to ensure that any user-provided input, such as manual image tags and war versions, is properly validated and sanitized to prevent potential security issues.

Files Changed:

  • .github/workflows/docker_build_image.yml: This file contains the GitHub Actions workflow responsible for building and publishing Docker images for the Janssen Project. The key changes include:
    • Setting up QEMU to enable multi-architecture support for the Docker build process.
    • Implementing conditional build logic to only build images for the directories that have changed or when a new tag is pushed.
    • Determining the Docker image version based on Git tags or a default version specified in the Dockerfile, and generating additional tags (e.g., with a "_dev" suffix).
    • Allowing users to provide a manual image tag and war version to override the defaults, which should be carefully validated.
    • Ensuring that all dependent Docker images are built before building the "docker-jans-all-in-one" image.
    • Updating the build date inside the Dockerfile for workflow dispatch events.
    • Building and pushing the Docker images to the GitHub Container Registry (GHCR).
    • Signing the Docker images using the Cosign tool and the GitHub OIDC token.

Code Analysis

We ran 9 analyzers against 1 file and 0 analyzers had findings. 9 analyzers had no findings.

Riskiness

🟢 Risk threshold not exceeded.


moabu (Member) commented Nov 7, 2024

@dependabot recreate

@dependabot dependabot bot force-pushed the dependabot/github_actions/docker/setup-qemu-action-8b562efa09ec1557a9e26f25a7c6292838acea94 branch from fa72f9d to 1dbdb08 on November 7, 2024 03:33
…712d4eba8da2112606d to 8b562efa09ec1557a9e26f25a7c6292838acea94

Dependabot couldn't find the original pull request head commit, fa72f9d.

@dependabot dependabot bot force-pushed the dependabot/github_actions/docker/setup-qemu-action-8b562efa09ec1557a9e26f25a7c6292838acea94 branch from 1dbdb08 to 0169535 on November 12, 2024 03:51