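## Composite action that installs the Trivy binary on the runner.
## The binary is either restored from the Actions cache or installed by the
## `contrib/install.sh` script checked out from aquasecurity/trivy.
name: 'Aqua Security Trivy installer'
description: 'Install Trivy binary from release page'
author: 'Aqua Security'
inputs:
  version:
    description: 'Trivy version to install'
    required: false
    ## `latest` is never cached: the cache restore step is skipped for it.
    default: 'latest'
  path:
    description: 'Path in runner to install Trivy. Trivy will be installed in "<path>/trivy-bin" dir ("$HOME/.local/bin/trivy-bin" by default)'
    required: false
    ## `$HOME` is expanded by bash in the `Binary dir` step, where this value is
    ## substituted into a double-quoted string. The value is therefore read as
    ## shell text: pass only trusted, static paths.
    default: '$HOME/.local/bin'
  cache:
    description: 'Used to specify whether caching is needed. Set to false, if you would like to disable caching.'
    required: false
    ## Kept as a string: the steps compare this input with the literal 'true'.
    default: 'false'
  token:
    description: >
      Access token used to check out the Trivy repository.
      The token is required when using GitHub Enterprise Server (GHES).
      https://github.com/actions/create-github-app-token can be used to obtain such a token.
      The token should be limited to read access only for public repositories.
      See more details in https://github.com/aquasecurity/setup-trivy/issues/10
    required: false
    ## ${{ github.token }} is default value for actions/checkout
    ## cf. https://github.com/actions/checkout/blob/eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871/action.yml#L24
    default: ${{ github.token }}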
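runs:
  using: 'composite'
  steps:
    ## Compute the install directory once and expose it as the `dir` step output.
    ## NOTE(review): `inputs.path` is substituted into the script text so that bash
    ## expands `$HOME` in the default value. The input is therefore interpreted as
    ## shell source; it must never be fed from untrusted data (PR titles, branch
    ## names, issue bodies, ...).
    - name: Binary dir
      id: binary-dir
      shell: bash
      run: echo "dir=${{ inputs.path }}/trivy-bin" >> "$GITHUB_OUTPUT"
    ## Don't cache `latest` version
    - name: Check the version for caching
      if: ${{ inputs.cache == 'true' && inputs.version == 'latest' }}
      shell: bash
      run: |
        echo "'setup-trivy' doesn't currently support caching the 'latest' version"
        echo "read https://github.com/aquasecurity/setup-trivy?tab=readme-ov-file#caching for more details"
    ## NOTE(review): on a cache hit the checkout and install steps below are
    ## skipped, so the restored binary is used as-is without any re-verification.
    ## NOTE(review): `actions/cache@v4` is a mutable tag; pinning to a full commit
    ## SHA would make the referenced code immutable.
    - name: Restore Trivy binary from cache
      if: ${{ inputs.cache == 'true' && inputs.version != 'latest' }}
      id: cache
      uses: actions/cache@v4
      with:
        path: ${{ steps.binary-dir.outputs.dir }}
        key: trivy-binary-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}
    ## NOTE(review): no `ref` is set, so the install script is taken from the
    ## default branch of aquasecurity/trivy at run time, whatever `inputs.version`
    ## says. `actions/checkout@v4` is also a mutable tag. Consider pinning both to
    ## reviewed commits.
    - name: Checkout install script
      if: steps.cache.outputs.cache-hit != 'true'
      uses: actions/checkout@v4
      with:
        repository: aquasecurity/trivy
        sparse-checkout: |
          contrib
        path: trivy
        fetch-depth: 1
        ## We have to explicitly set GitHub server to avoid it being overwritten for GHES
        ## cf. https://github.com/aquasecurity/setup-trivy/issues/10
        github-server-url: 'https://github.com'
        token: ${{ inputs.token }}
        ## No git command runs against ./trivy after this step, so the token does
        ## not need to stay in ./trivy/.git/config while install.sh executes.
        persist-credentials: false
    ## Install Trivy using install script,
    ## Copy the `contrib` directory to the directory with the binary
    ## Remove the `trivy` directory produced by the checkout step, as it may cause errors in linters/checks in the calling code.
    ## `inputs.version` is handed over through the environment rather than pasted
    ## into the script text, so its content always arrives as one argument of
    ## install.sh and is never parsed as shell syntax.
    ## The binary dir stays inline: it derives from `inputs.path`, which the
    ## `Binary dir` step already passes to bash, and keeping it unquoted preserves
    ## the existing expansion behaviour for callers.
    - name: Install Trivy
      if: steps.cache.outputs.cache-hit != 'true'
      shell: bash
      env:
        SETUP_TRIVY_VERSION: ${{ inputs.version }}
      run: |
        echo "installing Trivy binary"
        bash ./trivy/contrib/install.sh -b ${{ steps.binary-dir.outputs.dir }} "$SETUP_TRIVY_VERSION"
        cp -r ./trivy/contrib ${{ steps.binary-dir.outputs.dir }}/contrib
        rm -rf ./trivy
    ## Add the Trivy binary, retrieved from cache or installed by a script, to $GITHUB_PATH
    - name: Add Trivy binary to $GITHUB_PATH
      shell: bash
      run: echo ${{ steps.binary-dir.outputs.dir }} >> "$GITHUB_PATH"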