Merged changes

2025-12-05 16:07:55 +09:00 · 2025-12-05 16:07:55 +09:00 · 4d3a91ef92
commit 4d3a91ef92
parent 129e325a27
4 changed files with 20 additions and 66 deletions
--- a/.github/workflows/images_build.yml
+++ b/.github/workflows/images_build.yml
@ -389,8 +389,14 @@ jobs:
          labels: |
            org.opencontainers.image.revision=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.revision'] }}
            org.opencontainers.image.created=${{ fromJSON(steps.meta.outputs.json).labels['org.opencontainers.image.created'] }}
-          cache-from: ${{ steps.cache_data.outputs.cache_from }}
-          cache-to: ${{ steps.cache_data.outputs.cache_to }}
+
+      - name: Scan for vulnerabilities
+        if: ${{ matrix.os != 'centos' }}
+        uses: crazy-max/ghaction-container-scan@v3
+        with:
+          image: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
+          annotations: true
+          dockerfile: ${{ format('{0}/{1}/{2}/Dockerfile', env.DOCKERFILES_DIRECTORY, env.BASE_BUILD_NAME, matrix.os) }}

      - name: Sign the images with GitHub OIDC Token
        if: ${{ env.AUTO_PUSH_IMAGES == 'true' }}
--- a/.github/workflows/images_build_rhel.yml
+++ b/.github/workflows/images_build_rhel.yml
@ -409,7 +409,7 @@ jobs:
          tags: ${{ steps.meta.outputs.tags }}
          containerfiles: |
            ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile
-          build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
+          build-args: BUILD_BASE_IMAGE=localhost/${{ steps.base_build.outputs.base_build_image }}
          extra-args: |
            --iidfile=${{ github.workspace }}/iidfile
            --build-context sources=./sources/
@ -606,9 +606,8 @@ jobs:
          containerfiles: |
            ${{ env.DOCKERFILES_DIRECTORY }}/${{ matrix.build }}/rhel/Dockerfile
          extra-args: |
-            --pull
            --iidfile=${{ github.workspace }}/iidfile
-          build-args: BUILD_BASE_IMAGE=${{ steps.base_build.outputs.base_build_image }}
+          build-args: BUILD_BASE_IMAGE=localhost/${{ steps.base_build.outputs.base_build_image }}

      - name: Log in to ${{ env.REGISTRY }}
        uses: redhat-actions/podman-login@9184318aae1ee5034fbfbacc0388acf12669171f # v1.6
--- a/.github/workflows/sonarcloud.yml
+++ b/.github/workflows/sonarcloud.yml
@ -1,61 +0,0 @@
-# This workflow uses actions that are not certified by GitHub.
-# They are provided by a third-party and are governed by
-# separate terms of service, privacy policy, and support
-# documentation.
-
-# This workflow helps you trigger a SonarCloud analysis of your code and populates
-# GitHub Code Scanning alerts with the vulnerabilities found.
-# Free for open source project.
-
-# 1. Login to SonarCloud.io using your GitHub account
-
-# 2. Import your project on SonarCloud
-#     * Add your GitHub organization first, then add your repository as a new project.
-#     * Please note that many languages are eligible for automatic analysis,
-#       which means that the analysis will start automatically without the need to set up GitHub Actions.
-#     * This behavior can be changed in Administration > Analysis Method.
-#
-# 3. Follow the SonarCloud in-product tutorial
-#     * a. Copy/paste the Project Key and the Organization Key into the args parameter below
-#          (You'll find this information in SonarCloud. Click on "Information" at the bottom left)
-#
-#     * b. Generate a new token and add it to your Github repository's secrets using the name SONAR_TOKEN
-#          (On SonarCloud, click on your avatar on top-right > My account > Security
-#           or go directly to https://sonarcloud.io/account/security/)
-
-# Feel free to take a look at our documentation (https://docs.sonarcloud.io/getting-started/github/)
-# or reach out to our community forum if you need some help (https://community.sonarsource.com/c/help/sc/9)
-
-name: SonarCloud analysis
-
-on:
-  push:
-    branches: [ "7.2" ]
-  pull_request:
-    branches: [ "7.2" ]
-  workflow_dispatch:
-
-permissions:
-  pull-requests: read # allows SonarCloud to decorate PRs with analysis results
-
-jobs:
-  Analysis:
-    runs-on: ubuntu-latest
-
-    steps:
-      - name: Block egress traffic
-        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
-        with:
-          egress-policy: audit
-
-      - name: Checkout repository
-        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-        with:
-          # Disabling shallow clone is recommended for improving relevancy of reporting
-          fetch-depth: 0
-
-      - name: Analyze with SonarCloud
-        uses: SonarSource/sonarqube-scan-action@v5.2.0
-        env:
-          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}  # Needed to get PR information
-          SONAR_TOKEN: ${{ secrets.SONAR_TOKEN }}   # Generate a token on Sonarcloud.io, add it to the secrets of this repo with the name SONAR_TOKEN (Settings > Secrets > Actions > add new repository secret)
--- a/env_vars/chrome_dp.json
+++ b/env_vars/chrome_dp.json
@ -1530,6 +1530,16 @@
      "name": "writev",
      "action": "SCMP_ACT_ALLOW",
      "args": null
+    },
+    {
+      "name": "statx",
+      "action": "SCMP_ACT_ALLOW",
+      "args": null
+    },
+    {
+      "name": "openat2",
+      "action": "SCMP_ACT_ALLOW",
+      "args": null
    }
  ]
 }