chore: Setup Trivy cache #7183

Workflow file for this run

name: Plural

# Triggers: commits landing on `master` and pull requests targeting it.
# Changes confined to the listed sibling workflows, the front-end tree,
# the Helm chart tree and Markdown files do not start this pipeline.
# Note that a pull_request event from a fork runs with a read-only
# GITHUB_TOKEN and no repository secrets.
on:
  push:
    branches:
      - master
    paths-ignore:
      - ".github/workflows/daily.yaml"
      - ".github/workflows/firebase-hosting-pull-request.yml"
      - ".github/workflows/pr-labels.yaml"
      - ".github/workflows/publish.yaml"
      - ".github/workflows/push-to-plural.yaml"
      - ".github/workflows/www.yaml"
      - ".github/workflows/trivy-artifact-scan.yaml"
      - "www/**"
      - "plural/**"
      - "*.md"
  pull_request:
    branches:
      - master
    paths-ignore:
      - ".github/workflows/daily.yaml"
      - ".github/workflows/firebase-hosting-pull-request.yml"
      - ".github/workflows/pr-labels.yaml"
      - ".github/workflows/publish.yaml"
      - ".github/workflows/push-to-plural.yaml"
      - ".github/workflows/www.yaml"
      - ".github/workflows/trivy-artifact-scan.yaml"
      - "www/**"
      - "plural/**"
      - "*.md"
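jobs:
  # Builds one image per app, pushes it to GHCR and scans the pushed tag.
  build:
    name: Build image
    runs-on: ubuntu-20.04
    strategy:
      matrix:
        app: [plural, cron, worker, rtc]
    permissions:
      contents: read
      # NOTE(review): no step in this job uses OIDC (there is no cosign or
      # cloud-auth step); drop `id-token: write` unless something else
      # depends on it.
      id-token: write
      packages: write # docker push to ghcr.io
      security-events: write # upload-sarif
      actions: read
    steps:
      - name: Checkout
        uses: actions/checkout@v3
        with:
          # NOTE(review): full history is fetched; nothing visible here
          # reads it, so a shallow clone would likely do.
          fetch-depth: 0
      - name: Docker meta ${{ matrix.app }}
        id: meta
        uses: docker/metadata-action@v4
        with:
          # list of Docker images to use as base name for tags
          images: |
            ghcr.io/pluralsh/${{ matrix.app }}
          # generate Docker tags based on the following events/attributes
          tags: |
            type=sha
            type=ref,event=pr
            type=ref,event=branch
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v2
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v2
      - name: Login to GHCR
        uses: docker/login-action@v2
        with:
          registry: ghcr.io
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
      # Despite the "Test Build" name this step pushes. On pull_request
      # events the image is therefore published under its PR tag before
      # review, and a fork PR (read-only token) cannot push at all. The
      # Trivy step below scans by registry tag, so `push` has to stay true
      # for as long as the scanner reads from the registry.
      - name: Test Build ${{ matrix.app }} image
        uses: docker/build-push-action@v3
        with:
          context: "."
          file: "./Dockerfile"
          push: true
          load: false
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          platforms: linux/amd64
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # `with:` inputs are not shell-expanded, so `$GITHUB_SHA` reached
          # the build as literal text; the expression is evaluated instead.
          build-args: |
            APP_NAME=${{ matrix.app }}
            GIT_COMMIT=${{ github.sha }}
      # TODO(review): pin this third-party action to a release tag or a
      # commit SHA. `@master` floats, so any upstream commit — breaking or
      # malicious — lands here without a change in this repository (the
      # `security-checks` input below appears to have been renamed
      # `scanners` upstream, which is exactly the kind of drift a pin avoids).
      - name: Run Trivy vulnerability scanner on ${{ matrix.app }} image
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
          hide-progress: false
          format: sarif
          output: trivy-results.sarif
          security-checks: vuln,secret
          # Findings without a fixed version are dropped. That keeps the
          # report actionable, but unfixed CRITICALs never reach the
          # Security tab — a deliberate trade-off worth knowing about.
          ignore-unfixed: true
          #severity: 'CRITICAL,HIGH'
        env:
          # NOTE(review): nothing in this job restores a Trivy DB cache. On
          # a fresh hosted runner there is no DB, so with the update skipped
          # the scan cannot succeed unless a cache step outside this file
          # provides one — and a DB that is restored but never refreshed
          # produces silent false negatives. Only skip the update after a
          # cache keyed by date has restored the DB.
          TRIVY_SKIP_DB_UPDATE: "true"
          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          # Uploads for the same commit and category replace one another;
          # without a per-app category the four matrix legs (and the fs scan
          # job) overwrite each other's results.
          category: trivy-image-${{ matrix.app }}

  # Scans the repository sources (minus the front-end and chart trees).
  trivy-scan:
    name: Trivy fs scan
    runs-on: ubuntu-20.04
    permissions:
      contents: read # for actions/checkout to fetch code
      security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
      actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
    steps:
      - name: Checkout code
        uses: actions/checkout@v3
      # TODO(review): pin to a release tag or commit SHA instead of
      # `@master` (same reasoning as the image scan in `build`).
      - name: Run Trivy vulnerability scanner in fs mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          hide-progress: false
          skip-dirs: www,plural
          format: sarif
          output: trivy-results.sarif
          security-checks: vuln,secret
          ignore-unfixed: true
          #severity: 'CRITICAL,HIGH'
        env:
          # NOTE(review): same caveat as the image scan — skipping the DB
          # update is only safe once a freshly cached DB has been restored.
          TRIVY_SKIP_DB_UPDATE: "true"
          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: trivy-results.sarif
          # Separate category so this upload does not replace the image
          # scan results for the same commit.
          category: trivy-fs

  # Dry-runs the Helm chart release tooling and prints the resulting Chart.yaml.
  test-release:
    name: Test release
    runs-on: ubuntu-20.04
    # NOTE(review): no explicit `permissions`, so this job inherits the
    # repository's default token scope. `contents: read` is probably enough
    # if helm-release-action only rewrites Chart.yaml locally — confirm
    # what the action needs before restricting.
    steps:
      - uses: actions/checkout@v3
      - name: test-release
        uses: pluralsh/[email protected]
        with:
          path: ./plural/helm/plural
          release: v0.10.10
      - run: cat plural/helm/plural/Chart.yaml

  # Elixir test suite with coverage and HTML JUnit reports.
  test:
    name: Test
    runs-on: ubuntu-20.04
    # NOTE(review): no explicit `permissions`; stoat-action and the Slack
    # step may need more than `contents: read`, so check their needs before
    # restricting the token for this job.
    steps:
      - uses: actions/checkout@v3
      - uses: erlef/setup-beam@v1
        with:
          version-file: .tool-versions
          version-type: strict
      - uses: azure/setup-helm@v3
        with:
          version: latest
      # The CLI version is pinned, but the tarball is installed into PATH
      # without any integrity check.
      # TODO(review): verify the release checksum (or signature) before
      # copying the binary to /usr/local/bin.
      - name: install plural cli
        run: |
          # -f: treat an HTTP error as a failure instead of feeding the error
          # body to tar; pipefail: surface that failure through the pipe.
          set -euo pipefail
          mkdir scratch && cd scratch
          curl -fsSL 'https://github.com/pluralsh/plural-cli/releases/download/v0.5.18/plural-cli_0.5.18_Linux_amd64.tar.gz' | tar xzvf -
          chmod +x plural
          cp plural /usr/local/bin/plural
      - run: make install-cockroach
      - run: make testup
      - name: Restore dependencies cache
        uses: actions/cache@v3
        with:
          path: deps
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: Restore _build
        uses: actions/cache@v3
        with:
          path: _build
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - run: mix deps.get
      - run: mix test
      - run: mix coveralls.html
      # TODO(review): these PyPI packages are unpinned, so a new upstream
      # release changes what runs in CI; pin versions (ideally with hashes).
      # `ansi2html` is not used by any step visible here.
      - run: pip3 install ansi2html junit2html
      - run: mkdir junit
      - run: junit2html _build/test/lib/api/test-junit-report.xml junit/api.html
      - run: junit2html _build/test/lib/core/test-junit-report.xml junit/core.html
      - run: junit2html _build/test/lib/cron/test-junit-report.xml junit/cron.html
      - run: junit2html _build/test/lib/graphql/test-junit-report.xml junit/graphql.html
      - run: junit2html _build/test/lib/email/test-junit-report.xml junit/email.html
      - run: junit2html _build/test/lib/rtc/test-junit-report.xml junit/rtc.html
      - run: junit2html _build/test/lib/worker/test-junit-report.xml junit/worker.html
      # TODO(review): `@v0` is a floating major tag on a third-party action;
      # pin to a commit SHA.
      - name: Run stoat action
        uses: stoat-dev/stoat-action@v0
        if: always()
      - uses: 8398a7/action-slack@v3
        with:
          status: ${{ job.status }}
          fields: workflow,job,repo,message,commit,author
        env:
          # Secrets are not available to fork pull requests, so this step
          # fails for external contributors' PRs.
          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} # required
        if: always()

  # Regenerates the GraphQL SDL and fails if the committed copy is stale.
  updateSchema:
    name: Check that Schema is up to date
    runs-on: ubuntu-20.04
    # Every step works on the local checkout only; a read-only token is
    # sufficient and limits the blast radius of the third-party actions used.
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v3
      - uses: erlef/setup-beam@v1
        with:
          version-file: .tool-versions
          version-type: strict
      - name: Restore dependencies cache
        uses: actions/cache@v3
        with:
          path: deps
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: Restore _build
        uses: actions/cache@v3
        with:
          path: _build
          key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }}
          restore-keys: ${{ runner.os }}-mix-6
      - name: get dependencies
        run: mix deps.get
      - name: update schema
        run: mix absinthe.schema.sdl --schema GraphQl schema/schema.graphql
      # TODO(review): pin to a commit SHA rather than a floating major tag.
      - name: Verify Changed files
        uses: tj-actions/verify-changed-files@v17
        id: verify-changed-files
        with:
          files: |
            schema/schema.graphql
      - name: Schema changed
        if: steps.verify-changed-files.outputs.files_changed == 'true'
        run: |
          # A workflow command needs the closing `::` before its message;
          # without it the previous text was merely echoed and no error
          # annotation was raised.
          echo "::error::Schema has changed. Please run 'make update-schema' and commit the changes."
          exit 1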