

chore(ci): add docker-hadolint and docker-trivy analysis
kilianpaquier committed Mar 4, 2024
1 parent deb288e commit 0529e86
Showing 4 changed files with 127 additions and 21 deletions.
1 change: 1 addition & 0 deletions .craft
@@ -1,3 +1,4 @@
docker_registry: ghcr.io
license: mit
ci: github
maintainers:
63 changes: 57 additions & 6 deletions .github/workflows/integration.yml
@@ -1,11 +1,18 @@
# Code generated by craft; DO NOT EDIT.

name: Go Integration
run-name: Go Integration
name: Integration
run-name: Integration

on:
- push
- workflow_dispatch
pull_request:
push:
branches:
- main
- staging
- develop
- v[0-9]+
- v[0-9]+.[0-9]+
workflow_dispatch:

jobs:

Expand All @@ -20,6 +27,10 @@ jobs:
- uses: actions/checkout@v4
- id: sha
run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
- id: regexp
run: |
echo "ref=$(echo "${{ github.ref }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
echo "ref_name=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
- id: semantic_release
uses: cycjimmy/semantic-release-action@v4
with:
Expand All @@ -44,7 +55,8 @@ jobs:
{ "name": "alpha", "prerelease": true },
{ "name": "staging", "prerelease": "beta" },
{ "name": "develop", "prerelease": "alpha" },
{ "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
{ "name": "${{ steps.regexp.outputs.ref }}", "prerelease": "${{ steps.sha.outputs.sha }}" },
{ "name": "${{ steps.regexp.outputs.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -98,4 +110,43 @@ jobs:
fail_ci_if_error: true
file: coverage.out
slug: ${{ github.repository }}
token: ${{ secrets.CODECOV_TOKEN }}
token: ${{ secrets.CODECOV_TOKEN }}

docker-hadolint:
runs-on: ubuntu-latest
permissions:
pull-requests: write
security-events: write
steps:
- uses: actions/checkout@v3
- uses: hadolint/[email protected]
continue-on-error: true # enforce scan upload to codeql
with:
format: sarif
output-file: hadolint-results.sarif
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: hadolint-results.sarif
category: docker-hadolint
- id: hadolint
uses: hadolint/[email protected]
continue-on-error: true # enforce scan upload pull request
with:
format: tty
- uses: actions/github-script@v7
if: github.event_name == 'pull_request'
with:
script: |
const output = `
#### Hadolint: \`${{ steps.hadolint.outcome }}\`
\`\`\`
${process.env.HADOLINT_RESULTS}
\`\`\`
`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
});
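Review bot: The new `- id: regexp` step interpolates `${{ github.ref }}` and `${{ github.ref_name }}` directly into the `run:` shell, which is the expression-injection pattern GitHub's Actions hardening guide warns against (the pre-existing `sha` step above it does the same, and the two `regexp` steps added to release.yml repeat it). The exposure is bounded here — on `pull_request` the ref name is `<n>/merge`, and on `push` the branch name comes from someone with push rights — but a branch named e.g. `x$(id)` would still be executed, and the standard fix is to pass the values through `env:` and quote them in the script, as below. Two smaller points in the `docker-hadolint` job: it pins `actions/checkout@v3` while every other job in the file uses `@v4`, and the `github-script` comment step will fail on pull requests from forks, where `GITHUB_TOKEN` is read-only regardless of the declared `pull-requests: write`, so consider guarding it with `if: github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository`. Since the header says the file is generated by craft, the change belongs in the generator template rather than in this file.
```yaml
- id: regexp
  env:
    REF: ${{ github.ref }}
    REF_NAME: ${{ github.ref_name }}
  run: |
    echo "ref=$(echo "$REF" | sed 's#\/#\\/#g')" >> "$GITHUB_OUTPUT"
    echo "ref_name=$(echo "$REF_NAME" | sed 's#\/#\\/#g')" >> "$GITHUB_OUTPUT"
```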
60 changes: 45 additions & 15 deletions .github/workflows/release.yml
Expand Up @@ -5,6 +5,11 @@ run-name: Release

on:
workflow_dispatch:
inputs:
dry_run:
description: Dry run
type: boolean
default: false

jobs:

Expand All @@ -19,6 +24,8 @@ jobs:
- uses: actions/checkout@v4
- id: sha
run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
- id: regexp
run: echo "branch=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
- id: semantic_release
uses: cycjimmy/semantic-release-action@v4
with:
Expand All @@ -43,7 +50,7 @@ jobs:
{ "name": "alpha", "prerelease": true },
{ "name": "staging", "prerelease": "beta" },
{ "name": "develop", "prerelease": "alpha" },
{ "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
{ "name": "${{ steps.regexp.outputs.branch }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Expand Down Expand Up @@ -72,30 +79,24 @@ jobs:
- uses: actions/upload-artifact@v4
with:
name: executables
# order is important to filter unwanted globs after the filter or desired globs
path: |
dist/*
!dist/*.json
!dist/*.yaml
!dist/*/
checksums.txt
dist/*
retention-days: 1

docker-build:
runs-on: ubuntu-latest
environment: release
permissions:
packages: write
needs:
- version
env:
REGISTRY: ghcr.io
IMAGE_NAME: ${{ github.repository }}
steps:
- uses: actions/checkout@v4
- id: meta
uses: docker/metadata-action@v5
with:
images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
images: ghcr.io/${{ github.repository }}
labels: |
org.opencontainers.image.created={{date 'YYYY-MM-DDTHH:mm:ssZ'}}
org.opencontainers.image.ref.name="${{ github.ref_name }}"
Expand All @@ -109,25 +110,51 @@ jobs:
- uses: docker/setup-buildx-action@v3
- uses: docker/login-action@v3
with:
registry: ${{ env.REGISTRY }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.REGISTRY_TOKEN }}
- uses: docker/build-push-action@v5
with:
context: .
push: true
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}

docker-trivy:
runs-on: ubuntu-latest
permissions:
security-events: write
needs:
- version
- docker-build
steps:
- uses: actions/checkout@v4
- uses: aquasecurity/trivy-action@master
continue-on-error: true # enforce scan upload to codeql
with:
image-ref: "ghcr.io/${{ github.repository }}:${{ needs.version.outputs.version }}"
exit-code: "1"
format: sarif
output: trivy-results.sarif
ignore-unfixed: false
severity: MEDIUM,HIGH,CRITICAL
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }}
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: trivy-results.sarif
category: docker-trivy

release:
runs-on: ubuntu-latest
environment: release
if: github.ref_protected == true
permissions:
contents: write
issues: write
needs:
- go-build
- docker-build
env:
GIT_AUTHOR_NAME: ${{ github.triggering_actor }}
GIT_AUTHOR_EMAIL: ${{ github.triggering_actor }}@users.noreply.github.com
Expand All @@ -137,6 +164,8 @@ jobs:
- uses: actions/checkout@v4
- id: sha
run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT
- id: regexp
run: echo "branch=$(echo "${{ github.ref_name }}" | sed 's#\/#\\/#g')" >> $GITHUB_OUTPUT
- uses: actions/download-artifact@v4
with:
name: executables
Expand All @@ -152,6 +181,7 @@ jobs:
@semantic-release/release-notes-generator
conventional-changelog-conventionalcommits
semantic-release-license
dry_run: ${{ inputs.dry_run }}
tag_format: v${version}
branches: |
[
Expand All @@ -162,7 +192,7 @@ jobs:
{ "name": "alpha", "prerelease": true },
{ "name": "staging", "prerelease": "beta" },
{ "name": "develop", "prerelease": "alpha" },
{ "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
{ "name": "${{ steps.regexp.outputs.branch }}", "prerelease": "${{ steps.sha.outputs.sha }}" }
]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
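Review bot: `uses: aquasecurity/trivy-action@master` in the new `docker-trivy` job tracks a mutable branch, so each release run executes whatever the upstream default branch holds at that moment and hands it the `REGISTRY_TOKEN` secret via `TRIVY_PASSWORD`; pin it to a release tag or, better, a full commit SHA with the tag in a trailing comment (`uses: aquasecurity/trivy-action@<full commit SHA>  # <release tag>`), as every other action in this file is at least tag-pinned. Note also that with `continue-on-error: true` on that step and `release` depending only on `go-build` and `docker-build`, the scan never gates the release and `exit-code: "1"` has no effect on the outcome — either add `- docker-trivy` to the `needs:` of `release`, drop `continue-on-error` and run the `upload-sarif` step with `if: always()`, or add a comment stating that the scan is informational only. The switch in `docker/login-action` from the job-scoped `GITHUB_TOKEN` (with `packages: write`) to the long-lived `secrets.REGISTRY_TOKEN` deserves a comment explaining why, since it trades an ephemeral token for one that must be rotated; presumably the same credential is needed so `docker-trivy` can pull the image. As with integration.yml, the file is marked as generated by craft, so the fix belongs in the template.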
24 changes: 24 additions & 0 deletions codecov.yml
@@ -1,5 +1,29 @@
# Code generated by craft; DO NOT EDIT.

codecov:
require_ci_to_pass: true
notify:
wait_for_ci: true

comment:
require_changes: true

coverage:
status:
project:
default:
target: 85%
threshold: 10%
if_not_found: failure
informational: false
only_pulls: false
patch:
target: 85%
threshold: 10%
if_not_found: failure
informational: false
only_pulls: false

ignore:
- "cmd"
- "examples"
