Skip to content

chore(deps): update trufflesecurity/trufflehog action to v3.88.1 #372

chore(deps): update trufflesecurity/trufflehog action to v3.88.1

chore(deps): update trufflesecurity/trufflehog action to v3.88.1 #372

name: 'Docker Build Branch'
on:
pull_request:
types: [ labeled, opened, reopened, synchronize ]
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
REPO_NAME: ${{ github.event.repository.name }}
PROMTOOL_IMAGE_NAME: sre-promtool
PROMTOOL_VERSION: 2.38.0
USER: ho-cto
jobs:
code-quality:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Hadolint Dockerfile
uses: hadolint/[email protected]
with:
dockerfile: ./monitoring-as-code/Dockerfile
- name: Jsonnet format check
run: sh ${{ github.workspace }}/monitoring-as-code/fmt.sh && git diff --exit-code --color
- name: Jsonnet lint check
run: sh ${{ github.workspace }}/monitoring-as-code/lint.sh
container-image-build:
needs: code-quality
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Set up Docker Buildx
uses: docker/[email protected]
- name: Calculate metadata
id: meta
uses: docker/metadata-action@v4
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
tags: |
type=raw,value=${{ github.event.pull_request.head.sha }}
- name: Build container
uses: docker/[email protected]
with:
context: ./monitoring-as-code
file: ./monitoring-as-code/Dockerfile
push: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
build-args: |
PACKAGE_TOKEN=${{secrets.GITHUB_TOKEN}}
MAC_VERSION='#${{ github.event.number }}'
outputs: type=docker,dest=/tmp/${{ env.REPO_NAME }}.tar
- name: Upload artifact
uses: actions/[email protected]
with:
name: ${{ env.REPO_NAME }}
path: /tmp/${{ env.REPO_NAME }}.tar
code-test:
needs: container-image-build
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Download artifact
uses: actions/[email protected]
with:
name: ${{ env.REPO_NAME }}
path: /tmp
- name: Load Docker image
run: |
docker load --input /tmp/${{ env.REPO_NAME }}.tar
echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
- name: Run monitoring mixin
run: docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data -t ${{ env.IMAGE_TAG }} -m monitoring -rd -i ${{ github.workspace }}/data/mixin-defs -o ${{ github.workspace }}/data/output
- name: Run testing mixin
run: docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data -t ${{ env.IMAGE_TAG }} -m testing -rd -i ${{ github.workspace }}/data/mixin-defs -o ${{ github.workspace }}/data/output
- name: Run promtool checks
run: for FILE in ${{ github.workspace }}/monitoring-as-code/output/prometheus-rules/*-rules.yaml; do docker run -v ${{ github.workspace }}/monitoring-as-code:${{ github.workspace }}/data ${{env.REGISTRY}}/${{env.USER}}/${{env.PROMTOOL_IMAGE_NAME}}:${{env.PROMTOOL_VERSION}} check rules ${{ github.workspace }}/data/output/prometheus-rules/$(basename $FILE); if [ $? -ne 0 ]; then echo "Validation of rules files failed for $(basename $FILE) - exiting"; exit 1; fi done
container-image-test:
needs: container-image-build
permissions:
security-events: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Download artifact
uses: actions/[email protected]
with:
name: ${{ env.REPO_NAME }}
path: /tmp
- name: Load Docker image
run: |
docker load --input /tmp/${{ env.REPO_NAME }}.tar
echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
- name: Setup Node.js
uses: actions/setup-node@v3
with:
node-version: 18.10.0
- name: Setup Snyk
run: |
npm install snyk -g
snyk auth ${{secrets.SNYK_TOKEN}}
- name: Snyk Container Scan
id: snyk-dockerfile
run: |
snyk container test --file=./monitoring-as-code/Dockerfile --sarif-file-output=snyk.sarif --app-vulns --severity-threshold=medium ${{ env.IMAGE_TAG }}
continue-on-error: true
- name: Upload result to GitHub Code Scanning
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: snyk.sarif
- name: Check on failures
if: steps.snyk-dockerfile.outcome != 'success'
run: exit 1
container-image-push:
needs: [code-test, container-image-test]
permissions:
packages: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/[email protected]
- name: Download artifact
uses: actions/[email protected]
with:
name: ${{ env.REPO_NAME }}
path: /tmp
- name: Load Docker image
run: |
docker load --input /tmp/${{ env.REPO_NAME }}.tar
echo "IMAGE_TAG=$(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep sre-monitoring-as-code)" >> $GITHUB_ENV
- name: Login to GitHub Container Registry
uses: docker/[email protected]
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image to GitHub Container Registry
run: docker push ${{ env.IMAGE_TAG }}