Skip to content
ci

chore(docs): add advanced usage section to relevant stacks #76

Sign in to view logs

chore(docs): add advanced usage section to relevant stacks

chore(docs): add advanced usage section to relevant stacks #76

Workflow file for this run

.github/workflows/ci.yml at a325c77
---
name: ci
concurrency:
cancel-in-progress: ${{ ! startsWith(github.ref, 'refs/tags/v') }}
group: ci-${{ github.ref_name }}-${{ github.event_name }}
on:
push:
branches:
- main
tags:
- v*
pull_request:
branches:
- main
env:
ANSIBLE_FORCE_COLOR: "1"
PY_COLORS: "1"
jobs:
checkov:
if: |
contains(fromJson('["schedule", "pull_request", "push"]'), github.event_name)
permissions:
contents: read
security-events: write
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Checkov GitHub Action
uses: bridgecrewio/checkov-action@v12
with:
config_file: .checkov_config.yaml
output_format: cli,sarif
output_file_path: console,results.sarif
trivy:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
strategy:
fail-fast: false
matrix:
scan-type:
- fs
- config
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Cache trivy db
uses: actions/cache@v4
with:
path: |
~/.cache/trivy
~/work/temp
key: ${{ runner.os }}-trivy-db-${{ hashFiles('**/trivy.yaml') }}
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
format: sarif
ignore-unfixed: true
output: trivy-results.sarif
scan-ref: .
scan-type: ${{ matrix.scan-type }}
severity: CRITICAL,HIGH
trivy-config: trivy.yaml
token-setup-trivy: ${{ secrets.GH_PAT }}
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
ansible-lint:
if: github.event_name == 'push' || github.event_name == 'pull_request'
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v4
- name: Run ansible-lint
uses: ansible/ansible-lint@main
release-please:
if: github.event_name == 'push' && github.ref == 'refs/heads/main'
runs-on: ubuntu-latest
permissions:
contents: write
pull-requests: write
steps:
- name: Release please
uses: googleapis/release-please-action@v4
with:
release-type: simple