From 3dbd584a6f1c4d3d8565f9c7fae4ad6369d1cde0 Mon Sep 17 00:00:00 2001
From: Kilian PAQUIER
Date: Tue, 5 Mar 2024 20:10:39 +0100
Subject: [PATCH] chore(ci): add docker-hadolint and docker-trivy analysis
---
 .craft | 15 +++---
 .github/workflows/integration.yml | 84 ++++++++++++-------------------
 .github/workflows/release.yml | 52 ++++++++++++++-----
 .golangci.yml | 2 +-
 Dockerfile | 2 +-
 codecov.yml | 24 +++++++++
 go.mod | 2 +-
 7 files changed, 108 insertions(+), 73 deletions(-)
diff --git a/.craft b/.craft
index ac54cb3..b19d55a 100644
--- a/.craft
+++ b/.craft
@@ -1,9 +1,12 @@
+ci:
+ name: github
+ options:
+ - codecov
+ - dependabot
+docker:
+ registry: ghcr.io
 license: mit
-ci: github
 maintainers:
- - url: https://kilianpaquier.com
- name: kilianpaquier
-codecov: true
-dependabot: true
-no_api: true
+ - url: https://kilianpaquier.com
+ name: kilianpaquier
 no_chart: true
diff --git a/.github/workflows/integration.yml b/.github/workflows/integration.yml
index 2d04b69..ba6ac23 100644
--- a/.github/workflows/integration.yml
+++ b/.github/workflows/integration.yml
@@ -1,60 +1,21 @@ # Code generated by craft; DO NOT EDIT. -name: Go Integration -run-name: Go Integration +name: Integration +run-name: Integration on: - - push - - workflow_dispatch + pull_request: + push: + branches: + - main + - staging + - develop + - v[0-9]+ + - v[0-9]+.[0-9]+ + workflow_dispatch: jobs: - version: - runs-on: ubuntu-latest - permissions: - contents: write - outputs: - version: v${{ steps.semantic_release.outputs.new_release_version }} - release: ${{ steps.release.outputs.release }} - steps: - - uses: actions/checkout@v4 - - id: sha - run: echo "sha=$(echo "${{ github.ref_name }}" | sha256sum | cut -c -8)" >> $GITHUB_OUTPUT - - id: semantic_release - uses: cycjimmy/semantic-release-action@v4 - with: - extra_plugins: | - @semantic-release/changelog - @semantic-release/commit-analyzer - @semantic-release/exec - @semantic-release/git - @semantic-release/github - @semantic-release/release-notes-generator - conventional-changelog-conventionalcommits - semantic-release-license - ci: false - dry_run: true - tag_format: v${version} - branches: | - [ - "(master|main)", - "v+([0-9])?(.{+([0-9]),x}).x", - { "name": "next", "prerelease": true }, - { "name": "beta", "prerelease": true }, - { "name": "alpha", "prerelease": true }, - { "name": "staging", "prerelease": "beta" }, - { "name": "develop", "prerelease": "alpha" }, - { "name": "${{ github.ref_name }}", "prerelease": "${{ steps.sha.outputs.sha }}" } - ] - env: - GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} - - run: echo v${{ steps.semantic_release.outputs.new_release_version }} - - id: release - run: | - if [[ ${{ steps.semantic_release.outputs.new_release_version }} =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then - echo "release=true" >> $GITHUB_OUTPUT - fi - go-lint: runs-on: ubuntu-latest steps: 
@@ -98,4 +59,25 @@ jobs: fail_ci_if_error: true file: coverage.out slug: ${{ github.repository }} - token: ${{ secrets.CODECOV_TOKEN }} \ No newline at end of file + token: ${{ secrets.CODECOV_TOKEN }} + + docker-hadolint: + runs-on: ubuntu-latest + permissions: + pull-requests: write + security-events: write + steps: + - uses: actions/checkout@v3 + - uses: hadolint/hadolint-action@v3.1.0 + continue-on-error: true # enforce scan upload to codeql + with: + format: sarif + output-file: hadolint-results.sarif + - uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: hadolint-results.sarif + category: docker-hadolint + - id: hadolint + uses: hadolint/hadolint-action@v3.1.0 + with: + format: tty \ No newline at end of file diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 650e81f..ac7664c 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -5,6 +5,11 @@ run-name: Release on: workflow_dispatch: + inputs: + dry_run: + description: Dry run + type: boolean + default: false jobs: @@ -72,30 +77,24 @@ jobs: - uses: actions/upload-artifact@v4 with: name: executables + # order is important to filter unwanted globs after the filter or desired globs path: | + dist/* !dist/*.json !dist/*.yaml !dist/*/ - checksums.txt - dist/* retention-days: 1 docker-build: runs-on: ubuntu-latest - environment: release - permissions: - packages: write needs: - version - env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }} steps: - uses: actions/checkout@v4 - id: meta uses: docker/metadata-action@v5 with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + images: ghcr.io/${{ github.repository }} labels: | org.opencontainers.image.created={{date 'YYYY-MM-DDTHH:mm:ssZ'}} org.opencontainers.image.ref.name="${{ github.ref_name }}" 
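Review bot: The docker-hadolint job declares `pull-requests: write`, but none of its visible steps (checkout, the two hadolint runs, upload-sarif) uses a pull-request API, so the job token carries a write scope it does not need; drop that line and keep only `security-events: write` (upload-sarif additionally needs `actions: read` on private repositories, if that applies here). The job also checks out with `actions/checkout@v3` while every other checkout in this commit is `actions/checkout@v4`; use `- uses: actions/checkout@v4` for consistency. The enclosing `jobs:` mapping starts outside the hunk.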
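Review bot: Dropping `environment: release` together with `permissions: packages: write` from docker-build moves the registry push off the job-scoped, ephemeral GITHUB_TOKEN and onto the stored `REGISTRY_TOKEN` (used by the login step in the `@@ -109,9 +108,9 @@` hunk and again by docker-trivy), presumably a personal or fine-grained access token; without the environment gate that longer-lived credential is now available to any run of this workflow, not only to protected-environment deployments. If the stored token is genuinely required (for example for organization-level packages), consider keeping `environment: release` on docker-build so the secret stays environment-scoped and subject to the environment's protection rules. The new comment above `path:` is hard to parse; `# exclusion globs must come after the include glob they filter` says the same thing more plainly. The docker-build job continues past the end of the hunk.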
@@ -109,9 +108,9 @@ jobs: - uses: docker/setup-buildx-action@v3 - uses: docker/login-action@v3 with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} + registry: ghcr.io + username: ${{ github.repository_owner }} + password: ${{ secrets.REGISTRY_TOKEN }} - uses: docker/build-push-action@v5 with: context: . @@ -119,15 +118,41 @@ jobs: tags: ${{ steps.meta.outputs.tags }} labels: ${{ steps.meta.outputs.labels }} + docker-trivy: + runs-on: ubuntu-latest + permissions: + security-events: write + needs: + - version + - docker-build + steps: + - uses: actions/checkout@v4 + - uses: aquasecurity/trivy-action@master + continue-on-error: true # enforce scan upload to codeql + with: + image-ref: "ghcr.io/${{ github.repository }}:${{ needs.version.outputs.version }}" + exit-code: "1" + format: sarif + output: trivy-results.sarif + ignore-unfixed: false + severity: MEDIUM,HIGH,CRITICAL + env: + TRIVY_USERNAME: ${{ github.repository_owner }} + TRIVY_PASSWORD: ${{ secrets.REGISTRY_TOKEN }} + - uses: github/codeql-action/upload-sarif@v3 + with: + sarif_file: trivy-results.sarif + category: docker-trivy + release: runs-on: ubuntu-latest - environment: release if: github.ref_protected == true permissions: contents: write issues: write needs: - go-build + - docker-build env: GIT_AUTHOR_NAME: ${{ github.triggering_actor }} GIT_AUTHOR_EMAIL: ${{ github.triggering_actor }}@users.noreply.github.com @@ -152,6 +177,7 @@ jobs: @semantic-release/release-notes-generator conventional-changelog-conventionalcommits semantic-release-license + dry_run: ${{ inputs.dry_run }} tag_format: v${version} branches: | [ diff --git a/.golangci.yml b/.golangci.yml index 11a79db..eb124d1 100644 --- a/.golangci.yml +++ b/.golangci.yml 
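Review bot: The docker-trivy job references `aquasecurity/trivy-action@master`, a mutable branch, while every other action in this file is pinned to a version tag; pin it to a release tag or, better, a commit SHA so the scanner cannot change underneath the release pipeline. Because the scan step carries `continue-on-error: true` and the `release` job's `needs` lists only `go-build` and `docker-build`, the `exit-code: "1"` setting never blocks anything: findings reach code scanning, but a release is still cut with MEDIUM/HIGH/CRITICAL vulnerabilities in the image, and unlike docker-hadolint there is no second enforcing run. If the scan is meant to gate releases, add a second trivy step without `continue-on-error` (mirroring the hadolint job) or add `- docker-trivy` under the release job's `needs`. The release job's definition continues outside the hunk.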
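Review bot: `dry_run: ${{ inputs.dry_run }}` only affects semantic-release; docker-build and docker-trivy, which the release job now depends on, are not conditioned on the input, so a dry run presumably still builds, pushes and scans an image tagged with the candidate version (the push setting of docker/build-push-action is outside this hunk, so this is inferred from the job graph). If a dry run is expected to leave the registry untouched, gate the push on the same input, e.g. `push: ${{ !inputs.dry_run }}` in docker-build, and document that on the input's `description`. The semantic-release step starts outside the hunk.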
@@ -185,7 +185,7 @@ linters-settings: - name: imports-blacklist - name: import-shadowing - name: max-public-structs - arguments: [6] + arguments: [8] - name: modifies-parameter - name: modifies-value-receiver - name: nested-structs diff --git a/Dockerfile b/Dockerfile index a406719..1a0e9fe 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ ############################# # STAGE BUILD # ############################# -FROM golang:latest AS build +FROM golang:1.22 AS build WORKDIR /app diff --git a/codecov.yml b/codecov.yml index dbff346..ce8889b 100644 --- a/codecov.yml +++ b/codecov.yml @@ -1,5 +1,29 @@ # Code generated by craft; DO NOT EDIT. +codecov: + require_ci_to_pass: true + notify: + wait_for_ci: true + +comment: + require_changes: true + +coverage: + status: + project: + default: + target: 85% + threshold: 10% + if_not_found: failure + informational: false + only_pulls: false + patch: + target: 85% + threshold: 10% + if_not_found: failure + informational: false + only_pulls: false + ignore: - "cmd" - "examples" diff --git a/go.mod b/go.mod index 1c14f7c..0a0d2e6 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/kilianpaquier/gitlab-storage-cleaner -go 1.22.0 +go 1.22 require ( github.com/ezian/pipe v0.1.0
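Review bot: `FROM golang:1.22 AS build` is a clear improvement over `latest`, but the tag still floats across 1.22.x patch releases and base-OS rebuilds, so the docker-trivy result for a given commit is not reproducible and a rebuild of an old tag can pick up a different toolchain. Pin the digest as well, `FROM golang:1.22@sha256:<digest-placeholder> AS build` (copy the actual digest from the registry at pin time), and let dependabot keep it current if a docker ecosystem entry is configured for it. The build stage continues outside the hunk.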