Upgrade GitHub Actions and Cosign in security docs

2026-03-11 12:21:17 +00:00 · 2026-03-09 18:02:17 -07:00
parent 53f20dede7
commit 83ba6b7b47
1 changed files with 9 additions and 11 deletions
--- a/18_security/18.6_image_security.md
+++ b/18_security/18.6_image_security.md
@@ -300,7 +300,7 @@ FROM ubuntu:latest
 RUN apt-get update && apt-get install -y curl

 # ✓ 推荐：固定基础镜像版本和摘要
-FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6...
+FROM ubuntu:22.04@sha256:a6d2b38300ce017add71440577d5b0a90460d0e6e0e14...（完整 64 位哈希）
 RUN apt-get update && apt-get install -y curl=7.68.0-1ubuntu1
 ```

@@ -320,7 +320,7 @@ RUN apk add --no-cache curl && \

 RUN go build -o app .

-FROM alpine:3.17@sha256:abcd...
+FROM alpine:3.17@sha256:abcd1234...（请替换为实际完整的 64 位摘要哈希）
 COPY --from=builder /app/app /app
 ```

@@ -405,13 +405,13 @@ jobs:

    steps:
    - name: Checkout code
-      uses: actions/checkout@v3
+      uses: actions/checkout@v4

    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v2
+      uses: docker/setup-buildx-action@v3

    - name: Build Docker image
-      uses: docker/build-push-action@v4
+      uses: docker/build-push-action@v6
      with:
        context: .
        push: false
@@ -427,7 +427,7 @@ jobs:
        severity: 'HIGH,CRITICAL'

    - name: Upload Trivy results to GitHub Security tab
-      uses: github/codeql-action/upload-sarif@v2
+      uses: github/codeql-action/upload-sarif@v3
      with:
        sarif_file: 'trivy-results.sarif'

@@ -439,28 +439,26 @@ jobs:
        output-file: sbom-cyclonedx.json

    - name: Upload SBOM
-      uses: actions/upload-artifact@v3
+      uses: actions/upload-artifact@v4
      with:
        name: sbom
        path: sbom-cyclonedx.json

    - name: Sign image with Cosign
      if: github.event_name == 'push'
-      env:
-        COSIGN_EXPERIMENTAL: 1
      run: |
        cosign sign --yes ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest

    - name: Login to Registry and Push
      if: github.event_name == 'push'
-      uses: docker/login-action@v2
+      uses: docker/login-action@v3
      with:
        registry: ${{ env.REGISTRY }}
        username: ${{ github.actor }}
        password: ${{ secrets.GITHUB_TOKEN }}

    - name: Push image
-      uses: docker/build-push-action@v4
+      uses: docker/build-push-action@v6
      with:
        context: .
        push: true