
Fix trivy workflow

Fix trivy workflow #13

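# GitHub Actions workflow for Compass Manager: detects changed Go sources,
# runs unit tests, scans the tree with Trivy, builds the image through the
# shared kyma image-builder workflow and writes a job summary.
#
# NOTE(review): tj-actions/changed-files is pinned to a commit SHA; the other
# actions are referenced by major tag only. Pinning them to full SHAs as well
# would make the supply chain of this workflow reproducible.
name: Compass Manager

on:  # yamllint disable-line rule:truthy
  push:
    branches:
      - main
    tags:
      - '[0-9]+.[0-9]+.[0-9]+'
      - '[0-9]+.[0-9]+.[0-9]+-*'
    paths-ignore:
      - .reuse
      - hack/
      - LICENSES/
      - LICENSE
      - .gitignore
      - '**.md'
  # NOTE(review): pull_request_target runs in the context of the base repository,
  # with secrets and the workflow-level id-token permission available. The checkout
  # steps below do not pass `ref:`, so they check out the base branch rather than the
  # PR head — the PR's own changes are then not what unit-tests and trivy exercise.
  # Confirm this is the intended trade-off.
  pull_request_target:
    types: [opened, synchronize, reopened]
    paths-ignore:
      - .reuse
      - hack/
      - LICENSES/
      - LICENSE
      - .gitignore
      - '**.md'

permissions:
  id-token: write  # This is required for requesting the JWT token
  contents: read  # This is required for actions/checkout

jobs:
  # Computes the release tag (on tag pushes) and whether any Go sources changed.
  setup:
    permissions:
      contents: read
    runs-on: ubuntu-latest
    outputs:
      tag: ${{ steps.tag.outputs.tag }}
      code: ${{ steps.detect-files.outputs.code_any_changed }}
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Extract tag name
        id: tag
        if: github.event_name == 'push' && github.ref_type == 'tag'
        # Read the ref name from the runner-provided environment variable instead of
        # interpolating an expression into the shell script.
        run: echo "tag=${GITHUB_REF_NAME}" >> "$GITHUB_OUTPUT"
      - name: Detect files
        id: detect-files
        uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78
        with:
          files_yaml: |
            code:
              - ./**.go
              - ./go.mod
              - ./go.sum

  # Runs only when Go sources changed (see setup.outputs.code).
  unit-tests:
    permissions:
      contents: read
    needs: setup
    if: needs.setup.outputs.code == 'true'
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Set up go environment
        uses: actions/setup-go@v4
        with:
          cache-dependency-path: go.sum
          go-version-file: go.mod
      - name: Run unit tests
        # `shell: bash` runs with `-eo pipefail`, so a failing `make test` is not
        # masked by the (successful) exit status of `tee`.
        shell: bash
        run: make test | tee test.log
      - name: Upload test logs artifact
        uses: actions/upload-artifact@v4
        if: success() || failure()
        with:
          name: test.log
          path: test.log

  # Filesystem scan of the checked-out tree; results are converted to a table
  # (for the summary) and to SARIF (for the Security tab on main).
  trivy:
    permissions:
      contents: read
      security-events: write  # required by github/codeql-action/upload-sarif
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Installed before the scan: the scan step fails on findings (exit-code: 1),
      # which would otherwise skip this step and leave `Convert results` without
      # the binary it needs.
      - name: Install trivy
        shell: bash
        run: |
          set -euo pipefail
          mkdir ./trivy
          # NOTE(review): the downloaded archive is not integrity-checked; verifying it
          # against the release's checksum file would close that gap.
          curl -fsSL https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar xvz --directory=./trivy
          ./trivy/trivy --version
      - name: Run Trivy vulnerability scanner
        # The action reference was garbled in the page this file was restored from;
        # replace the placeholder with the intended release (ideally its full commit SHA).
        uses: aquasecurity/trivy-action@TRIVY_ACTION_REF_PLACEHOLDER
        with:
          scan-type: 'fs'
          scan-ref: '.'
          exit-code: 1
          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
          ignore-unfixed: false
          timeout: '5m0s'
          vuln-type: 'os,library'
          format: 'json'
          output: 'trivy-results.json'
      - name: Convert results
        if: success() || failure()
        run: |
          ./trivy/trivy convert -f table -o trivy-results.txt trivy-results.json
          ./trivy/trivy convert -f sarif -o trivy-results.sarif trivy-results.json
      - name: Upload Trivy scan results to GitHub Security tab
        if: (success() || failure()) && github.ref == 'refs/heads/main'
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Upload trivy table
        if: success() || failure()
        uses: actions/upload-artifact@v4
        with:
          name: trivy-results.txt
          path: trivy-results.txt

  # Reusable workflow; inherits the workflow-level permissions (including id-token).
  build-image:
    needs: setup
    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main  # Usage: kyma-project/test-infra/.github/workflows/image-builder.yml@main
    with:
      name: compass-manager
      dockerfile: Dockerfile
      context: .
      tags: ${{ needs.setup.outputs.tag }}

  # Collects the artifacts of the other jobs into the run's step summary.
  summary:
    permissions:
      contents: read  # only reads same-run artifacts and writes the step summary
    runs-on: ubuntu-latest
    needs: [setup, build-image, unit-tests, trivy]
    if: success() || failure()
    steps:
      - name: Download test log
        uses: actions/download-artifact@v4
        # unit-tests is skipped when no Go files changed, so its artifact may not exist.
        if: needs.unit-tests.result != 'skipped'
        with:
          name: test.log
      - name: Download trivy log
        uses: actions/download-artifact@v4
        with:
          name: trivy-results.txt
      - name: Generate summary
        shell: bash
        env:
          # Passed through the environment rather than interpolated into the script,
          # so quotes or shell metacharacters in the output cannot alter the command.
          IMAGES: ${{ needs.build-image.outputs.images }}
        run: |
          {
            echo '# Compass Manager'
            echo '## Trivy'
            echo '```txt'
            cat trivy-results.txt 2>/dev/null || echo '(no trivy results)'
            echo '```'
            echo '## Test Log'
            echo '```'
            cat test.log 2>/dev/null || echo '(no test log)'
            echo '```'
            echo '## Images'
            echo '```json'
            echo "$IMAGES" | jq
            echo '```'
          } >> "$GITHUB_STEP_SUMMARY"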