kyma-project · kyma-bot · Aug 13, 2024 · Aug 12, 2024 · Aug 12, 2024 · Aug 13, 2024
@@ -0,0 +1,161 @@
+name: Compass Manager
+
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - '[0-9]+.[0-9]+.[0-9]+'
+      - '[0-9]+.[0-9]+.[0-9]+-*'
+    paths-ignore:
+      - .reuse
+      - hack/
+      - LICENSES/
+      - LICENSE
+      - .gitignore
+      - "**.md"
+
+  pull_request_target:
+    types: [opened, synchronize, reopened]
+    paths-ignore:
+      - .reuse
+      - hack/
+      - LICENSES/
+      - LICENSE
+      - .gitignore
+      - "**.md"
+
+permissions:
+  id-token: write # This is required for requesting the JWT token
+  contents: read # This is required for actions/checkout
+
+jobs:
+  setup:
+    permissions:
+      contents: read
+    runs-on: ubuntu-latest
+    outputs:
+      tag: ${{ steps.tag.outputs.tag }}
+      code: ${{ steps.detect-files.outputs.code_any_changed }}
+    steps:
+      - id: tag
+        if: github.event_name == 'push' && github.ref_type == 'tag'
+        run: echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT
+      - name: Detect files
+        id: detect-files
+        uses: tj-actions/changed-files@d6babd6899969df1a11d14c368283ea4436bca78
+        with:
+          files_yaml: |
+            code:
+              - **.go
+              - go.mod
+              - go.sum
+
+  unit-tests:
+    permissions:
+      contents: read
+    needs: setup
+    if: needs.setup.outputs.code == 'true'
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+    - name: Set up go environment
+      uses: actions/setup-go@v4
+      with:
+        cache-dependency-path: go.sum
+        go-version-file: go.mod
+    - name: Run unit tests
+      run: make test | tee test.log
+    - name: Upload test logs artifact
+      uses: actions/upload-artifact@v4
+      if: success() || failure()
+      with:
+        name: test.log
+        path: test.log
+
+  trivy:
+    permissions:
+      contents: read
+    runs-on: "ubuntu-20.04"
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Install trivy
+        run: |
+          mkdir /trivy
+          curl -L https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar xvz --directory=/trivy
+          /trivy/trivy --version
+
+      - name: Run Trivy vulnerability scanner
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          scan-ref: '.'
+
+          exit-code: 1
+          severity: 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'
+          ignore-unfixed: false
+          timeout: '5m0s'
+          vuln-type: 'os,library'
+
+          format: json
+          output: 'trivy-results.json'
+
+      - name: Convert results
+        run: |
+          trivy convert -f table -o trivy-results.txt trivy-results.json
+          trivy convert -f sarif -o trivy-results.sarif trivy-results.json
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        with:
+          sarif_file: 'trivy-results.sarif'
+
+      - name: Upload trivy table
+        uses: actions/upload-artifact@v4
+        with:
+          name: trivy-results.txt
+          path: trivy-results.txt
+
+
+  build-image:
+    needs: setup
+    uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main # Usage: kyma-project/test-infra/.github/workflows/image-builder.yml@main
+    with:
+      name: compass-manager
+      dockerfile: Dockerfile
+      context: .
+      tags: ${{ needs.setup.outputs.tag }}
+
+  summary:
+    runs-on: ubuntu-latest
+    needs: [setup, build-image, unit-tests, trivy]
+    if: success() || failure()
+    steps:
+      - name: "Download test log"
+        uses: actions/download-artifact@v4
+        with:
+          name: test.log
+      - name: "Download trivy log"
+        uses: actions/download-artifact@v4
+        with:
+          name: trivy-results.txt
+      - name: "Generate summary"
+        run: |
+          {
+            echo '# Compass Manager'
+            echo '## Trivy'
+            echo '```txt'
+            cat trivy-results.txt
+            echo '```'
+            echo '## Test Log'
+            echo '```'
+            cat test.log
+            echo '```'
+            echo '## Images'
+            echo '```json'
+            echo '${{ needs.build-image.outputs.images }}' | jq
+            echo '```'
+          } >> $GITHUB_STEP_SUMMARY