chore: Setup Trivy cache #7183
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Plural | |
on: | |
push: | |
branches: | |
- master | |
paths-ignore: | |
- ".github/workflows/daily.yaml" | |
- ".github/workflows/firebase-hosting-pull-request.yml" | |
- ".github/workflows/pr-labels.yaml" | |
- ".github/workflows/publish.yaml" | |
- ".github/workflows/push-to-plural.yaml" | |
- ".github/workflows/www.yaml" | |
- ".github/workflows/trivy-artifact-scan.yaml" | |
- 'www/**' | |
- "plural/**" | |
- "*.md" | |
pull_request: | |
branches: [ master ] | |
paths-ignore: | |
- ".github/workflows/daily.yaml" | |
- ".github/workflows/firebase-hosting-pull-request.yml" | |
- ".github/workflows/pr-labels.yaml" | |
- ".github/workflows/publish.yaml" | |
- ".github/workflows/push-to-plural.yaml" | |
- ".github/workflows/www.yaml" | |
- ".github/workflows/trivy-artifact-scan.yaml" | |
- 'www/**' | |
- "plural/**" | |
- "*.md" | |
jobs: | |
build: | |
name: Build image | |
runs-on: ubuntu-20.04 | |
strategy: | |
matrix: | |
app: [ plural, cron, worker, rtc ] | |
permissions: | |
contents: 'read' | |
id-token: 'write' | |
packages: 'write' | |
security-events: write | |
actions: read | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v3 | |
with: | |
fetch-depth: 0 | |
- name: Docker meta ${{ matrix.app }} | |
id: meta | |
uses: docker/metadata-action@v4 | |
with: | |
# list of Docker images to use as base name for tags | |
images: | | |
ghcr.io/pluralsh/${{ matrix.app }} | |
# generate Docker tags based on the following events/attributes | |
tags: | | |
type=sha | |
type=ref,event=pr | |
type=ref,event=branch | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v2 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v2 | |
- name: Login to GHCR | |
uses: docker/login-action@v2 | |
with: | |
registry: ghcr.io | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Test Build ${{ matrix.app }} image | |
uses: docker/build-push-action@v3 | |
with: | |
context: "." | |
file: "./Dockerfile" | |
push: true | |
load: false | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
platforms: linux/amd64 | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
build-args: | | |
APP_NAME=${{ matrix.app }} | |
GIT_COMMIT=$GITHUB_SHA | |
- name: Run Trivy vulnerability scanner on ${{ matrix.app }} image | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'image' | |
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
hide-progress: false | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
security-checks: 'vuln,secret' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
trivy-scan: | |
name: Trivy fs scan | |
runs-on: ubuntu-20.04 | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Run Trivy vulnerability scanner in fs mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
hide-progress: false | |
skip-dirs: 'www,plural' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
security-checks: 'vuln,secret' | |
ignore-unfixed: true | |
#severity: 'CRITICAL,HIGH' | |
env: | |
TRIVY_SKIP_DB_UPDATE: true | |
TRIVY_SKIP_JAVA_DB_UPDATE: true | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
test-release: | |
name: Test release | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- name: test-release | |
uses: pluralsh/[email protected] | |
with: | |
path: ./plural/helm/plural | |
release: v0.10.10 | |
- run: cat plural/helm/plural/Chart.yaml | |
test: | |
name: Test | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: erlef/setup-beam@v1 | |
with: | |
version-file: .tool-versions | |
version-type: strict | |
- uses: azure/setup-helm@v3 | |
with: | |
version: latest | |
- name: install plural cli | |
run: | | |
mkdir scratch && cd scratch | |
curl -sL 'https://github.com/pluralsh/plural-cli/releases/download/v0.5.18/plural-cli_0.5.18_Linux_amd64.tar.gz' | tar xzvf - | |
chmod +x plural | |
cp plural /usr/local/bin/plural | |
- run: make install-cockroach | |
- run: make testup | |
- name: Restore dependencies cache | |
uses: actions/cache@v3 | |
with: | |
path: deps | |
key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }} | |
restore-keys: ${{ runner.os }}-mix-6 | |
- name: Restore _build | |
uses: actions/cache@v3 | |
with: | |
path: _build | |
key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }} | |
restore-keys: ${{ runner.os }}-mix-6 | |
- run: mix deps.get | |
- run: mix test | |
- run: mix coveralls.html | |
- run: pip3 install ansi2html junit2html | |
- run: mkdir junit | |
- run: junit2html _build/test/lib/api/test-junit-report.xml junit/api.html | |
- run: junit2html _build/test/lib/core/test-junit-report.xml junit/core.html | |
- run: junit2html _build/test/lib/cron/test-junit-report.xml junit/cron.html | |
- run: junit2html _build/test/lib/graphql/test-junit-report.xml junit/graphql.html | |
- run: junit2html _build/test/lib/email/test-junit-report.xml junit/email.html | |
- run: junit2html _build/test/lib/rtc/test-junit-report.xml junit/rtc.html | |
- run: junit2html _build/test/lib/worker/test-junit-report.xml junit/worker.html | |
- name: Run stoat action | |
uses: stoat-dev/stoat-action@v0 | |
if: always() | |
- uses: 8398a7/action-slack@v3 | |
with: | |
status: ${{ job.status }} | |
fields: workflow,job,repo,message,commit,author | |
env: | |
SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK }} # required | |
if: always() | |
updateSchema: | |
name: Check that Schema is up to date | |
runs-on: ubuntu-20.04 | |
steps: | |
- uses: actions/checkout@v3 | |
- uses: erlef/setup-beam@v1 | |
with: | |
version-file: .tool-versions | |
version-type: strict | |
- name: Restore dependencies cache | |
uses: actions/cache@v3 | |
with: | |
path: deps | |
key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }} | |
restore-keys: ${{ runner.os }}-mix-6 | |
- name: Restore _build | |
uses: actions/cache@v3 | |
with: | |
path: _build | |
key: ${{ runner.os }}-mix-6-${{ hashFiles('**/mix.lock') }} | |
restore-keys: ${{ runner.os }}-mix-6 | |
- name: get dependencies | |
run: mix deps.get | |
- name: update schema | |
run: mix absinthe.schema.sdl --schema GraphQl schema/schema.graphql | |
- name: Verify Changed files | |
uses: tj-actions/verify-changed-files@v17 | |
id: verify-changed-files | |
with: | |
files: | | |
schema/schema.graphql | |
- name: Schema changed | |
if: steps.verify-changed-files.outputs.files_changed == 'true' | |
run: | | |
echo "::error Schema has changed changed. Please run 'make update-schema' and commit the changes." | |
exit 1 |