Merge pull request #13 from British-Oceanographic-Data-Centre/feature…
…/shared-ci Shared CI configurations
Showing 20 changed files with 384 additions and 293 deletions.
@@ -0,0 +1,64 @@ | ||
name: Generic security scan | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
context: | ||
description: "Path to the Dockerfile directory to analyse" | ||
required: true | ||
default: "." | ||
type: string | ||
image-path: | ||
description: "Path of the docker image to analyse" | ||
default: "ghcr.io/${{ github.repository }}/app" | ||
type: string | ||
|
||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
|
||
jobs: | ||
security-dependency-trivy: | ||
name: Trivy dependency scan | ||
runs-on: ubuntu-latest | ||
steps: | ||
- name: Checkout code | ||
uses: actions/checkout@v3 | ||
# need to format as github.repository contains uppercase | ||
# and pull request workflow contains slashes | ||
- id: format | ||
name: Format proper image path and tag | ||
env: | ||
IMAGE_PATH: ${{ inputs.image-path }} | ||
run: | | ||
echo "image-tag=${GITHUB_REF_NAME/\//-}" >> $GITHUB_OUTPUT | ||
echo "image-path=${IMAGE_PATH@L}" >> $GITHUB_OUTPUT | ||
- name: Build Docker image | ||
uses: docker/build-push-action@v6 | ||
if: ${{ github.event_name != 'release' }} | ||
with: | ||
context: "{{defaultContext}}:${{ inputs.context }}" | ||
tags: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}" | ||
push: false | ||
- name: Run Trivy vulnerability scanner | ||
uses: aquasecurity/[email protected] | ||
env: | ||
TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db,aquasec/trivy-db,ghcr.io/aquasecurity/trivy-db | ||
TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db,aquasec/trivy-java-db,ghcr.io/aquasecurity/trivy-java-db | ||
with: | ||
image-ref: "${{ steps.format.outputs.image-path }}:${{ steps.format.outputs.image-tag }}" | ||
format: 'sarif' | ||
output: 'trivy-results.sarif' | ||
vuln-type: "os,library" | ||
severity: "CRITICAL,HIGH" | ||
exit-code: "1" | ||
ignore-unfixed: true | ||
- name: Upload Trivy scan results to GitHub Security tab | ||
uses: github/codeql-action/upload-sarif@v3 | ||
if: always() | ||
with: | ||
sarif_file: 'trivy-results.sarif' | ||
- name: Inspect bandit SARIF report | ||
if: always() | ||
run: cat trivy-results.sarif |
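Review bot: the final step is named `Inspect bandit SARIF report` but it cats `trivy-results.sarif`; the name was copied from the Python workflow and should say Trivy. Two further points in this hunk. First, `${GITHUB_REF_NAME/\//-}` replaces only the first `/`, so a branch such as `feature/foo/bar` still produces a tag containing `/` and the build step fails; use `${GITHUB_REF_NAME//\//-}` to replace all of them. Second, on `release` events the build step is skipped (`if: ${{ github.event_name != 'release' }}`), so Trivy has to pull `image-path:tag` from the registry, yet nothing in this workflow logs in to ghcr.io; that only works if the package is public and that exact tag was already pushed by some other job. Minor: `actions/checkout@v3` here versus `@v4` in the sibling components, and since this workflow is shared across repositories consider pinning the third-party actions (`docker/build-push-action`, `aquasecurity/trivy-action`) to a commit SHA rather than a mutable tag.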
@@ -0,0 +1,27 @@ | ||
name: Java Lint | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
context: | ||
description: "Path to the module to lint" | ||
default: "" | ||
type: string | ||
java-version: | ||
description: "Java version" | ||
default: "21" | ||
type: string | ||
|
||
jobs: | ||
java-linter-spotless: | ||
name: Lint with spotless | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: actions/setup-java@v4 | ||
with: | ||
distribution: "temurin" | ||
java-version: ${{ inputs.java-version }} | ||
- name: Run Spotless lint | ||
working-directory: ./${{ inputs.context }} | ||
run: ./mvnw spotless:check |
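Review bot: this reusable workflow declares no `permissions:` block, so the job runs with whatever the caller's default `GITHUB_TOKEN` grants; the only thing it needs is `actions/checkout`, so add `permissions: contents: read` at the top of the file, as the security workflows in this changeset already do. Also worth stating in the file: `./mvnw spotless:check` executes the Maven wrapper committed in the target repository, so the wrapper jar and `maven-wrapper.properties` are inside the trust boundary of this shared workflow, not outside it.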
@@ -0,0 +1,32 @@ | ||
name: Java Tests | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
context: | ||
description: "Path to the module to lint" | ||
default: "" | ||
type: string | ||
java-version: | ||
description: "Java version" | ||
default: "21" | ||
type: string | ||
|
||
jobs: | ||
java-test-maven: | ||
name: Test with Maven | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- uses: actions/setup-java@v4 | ||
with: | ||
distribution: "temurin" | ||
java-version: ${{ inputs.java-version }} | ||
- name: Run Maven run tests | ||
working-directory: ./${{ inputs.context }} | ||
run: ./mvnw clean test | ||
- name: Publish Test Report | ||
uses: mikepenz/action-junit-report@v5 | ||
if: always() | ||
with: | ||
report_paths: '**/target/**/TEST-*.xml' |
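Review bot: the `context` input's description reads "Path to the module to lint", copied from the lint component; this workflow runs tests, so fix the description. More importantly, `mikepenz/action-junit-report@v5` publishes results as a check run, which needs `checks: write` on the token, and this workflow declares no `permissions:` block, so it only works when the caller's default token happens to be permissive. Declare `permissions:` with `contents: read` and `checks: write` explicitly, and expect the `if: always()` publish step to fail on `pull_request` runs from forks, where the token is read-only regardless.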
@@ -2,30 +2,30 @@ | |
name: Python Security | ||
|
||
on: | ||
push: | ||
branches: | ||
# Run on our main branch | ||
- main | ||
paths: | ||
- example-python/** | ||
pull_request: | ||
# Run for any pull requests | ||
paths: | ||
- example-python/** | ||
workflow_call: | ||
inputs: | ||
context: | ||
description: "Path to the module to lint" | ||
default: "" | ||
type: string | ||
|
||
permissions: | ||
contents: read # for actions/checkout to fetch code | ||
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | ||
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status | ||
|
||
jobs: | ||
# https://github.com/marketplace/actions/anchore-container-scan | ||
dependency-check: | ||
name: Grype & Pip Audit dependency scan | ||
runs-on: ubuntu-latest | ||
permissions: | ||
# Required for uploading sarif file | ||
security-events: write | ||
steps: | ||
- uses: actions/checkout@v4 # Checkout the current branch/merge state | ||
- name: Grype Scan | ||
uses: anchore/scan-action@v3 | ||
id: grype-scan | ||
with: | ||
path: example-python | ||
path: ${{ inputs.context }} | ||
- name: Upload grype sarif file | ||
if: always() | ||
uses: github/codeql-action/upload-sarif@v3 | ||
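Review bot: the `push`/`pull_request` triggers on `example-python/**` are kept alongside the new `workflow_call`, while the Python caller workflow added in this same changeset triggers on the identical paths and calls this file; every push and PR touching that directory therefore runs these jobs twice, and the directly triggered run has `inputs.context` empty, so `path: ${{ inputs.context }}` hands an empty path to `anchore/scan-action`. Drop the `push` and `pull_request` triggers so `workflow_call` is the only entry point, or give `context` a default of `.`. Separately, the job-level `permissions: security-events: write` replaces the workflow-level block rather than extending it, which leaves `contents` at `none` for this job; fine for a public repository, but `actions/checkout` will fail on a private one.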
@@ -38,8 +38,9 @@ jobs: | |
- name: Pip Audit | ||
uses: pypa/[email protected] | ||
with: | ||
inputs: example-python | ||
inputs: ${{ inputs.context }} | ||
code-check: | ||
name: Bandit scan | ||
runs-on: ubuntu-latest | ||
strategy: | ||
matrix: | ||
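Review bot: the same empty-default problem applies here: `pypa/gh-action-pip-audit` with an empty `inputs` value audits the runner's own Python environment rather than the project, so a run where `inputs.context` is empty reports on the wrong thing and still goes green. Either mark `context` as `required: true` or default it to `.` so `inputs: ${{ inputs.context }}` always points at the project directory.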
@@ -54,21 +55,21 @@ jobs: | |
with: | ||
python-version: ${{ matrix.python-version }} | ||
- name: Install dependencies # Install bandit | ||
working-directory: ./example-python | ||
working-directory: ./${{ inputs.context }} | ||
run: | | ||
python -m pip install --upgrade pip | ||
python -m pip install bandit[toml,sarif] | ||
- name: Run Bandit | ||
working-directory: ./example-python | ||
working-directory: ./${{ inputs.context }} | ||
# Run bandit and output to sarif file | ||
run: | | ||
bandit -r . -c pyproject.toml -f sarif -o bandit.sarif | ||
- name: Upload bandit sarif file | ||
if: always() | ||
uses: github/codeql-action/upload-sarif@v3 | ||
with: | ||
sarif_file: example-python/bandit.sarif | ||
sarif_file: ${{ inputs.context }}/bandit.sarif | ||
category: bandit-python-analysis | ||
- name: Inspect bandit SARIF report | ||
if: always() | ||
run: cat example-python/bandit.sarif | ||
run: cat ${{ inputs.context }}/bandit.sarif |
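Review bot: `sarif_file: ${{ inputs.context }}/bandit.sarif` and `cat ${{ inputs.context }}/bandit.sarif` break when `context` is empty: the path becomes `/bandit.sarif`, an absolute path at the filesystem root, while bandit wrote the report to `./bandit.sarif` under `working-directory: ./`, so the `if: always()` upload fails on a missing file. Since the bandit step already runs with `working-directory: ./${{ inputs.context }}`, write the report to an absolute path instead (e.g. `-o "$GITHUB_WORKSPACE/bandit.sarif"`) and upload that, or default `context` to `.` so the concatenated path is always valid.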
@@ -0,0 +1,21 @@ | ||
name: Typescript Lint | ||
|
||
on: | ||
workflow_call: | ||
inputs: | ||
context: | ||
description: "Path to the module to lint" | ||
default: "" | ||
type: string | ||
|
||
jobs: | ||
eslint: | ||
runs-on: ubuntu-latest | ||
steps: | ||
- uses: actions/checkout@v4 | ||
- name: Install modules | ||
working-directory: ./${{ inputs.context }} | ||
run: npm install | ||
- name: Run ESLint | ||
working-directory: ./${{ inputs.context }} | ||
run: npm run lint |
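Review bot: `npm install` rewrites an out-of-date `package-lock.json` instead of failing and runs every dependency's lifecycle scripts; for a job whose only purpose is `npm run lint`, use `npm ci` so the lockfile is installed exactly as committed and the run fails if `package.json` and the lockfile disagree, and consider `--ignore-scripts` since linting does not need post-install hooks. As with the Java components, add `permissions: contents: read` so the job does not inherit a broader token from the caller.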
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
This file was deleted.
@@ -0,0 +1,37 @@ | ||
name: Java Workflow | ||
|
||
on: | ||
push: | ||
branches: | ||
# Run on our main branch | ||
- main | ||
paths: | ||
- java-demo/** | ||
pull_request: | ||
# Run for any pull requests | ||
paths: | ||
- java-demo/** | ||
release: | ||
types: [created] | ||
|
||
jobs: | ||
java-linting: | ||
uses: ./.github/workflows/component-java-lint.yml | ||
with: | ||
context: java-demo | ||
java-testing: | ||
uses: ./.github/workflows/component-java-test.yml | ||
with: | ||
context: java-demo | ||
container-image-build: | ||
needs: [java-linting, java-testing] | ||
uses: ./.github/workflows/component-container-image.yml | ||
with: | ||
context: java-demo | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/java/app | ||
container-image-security: | ||
needs: [container-image-build] | ||
uses: ./.github/workflows/component-container-image-security.yml | ||
with: | ||
context: java-demo | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/java/app |
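Review bot: a called reusable workflow cannot hold more than the caller's token has, and this caller declares no `permissions:` block; `component-container-image-security.yml` (the last job) needs `security-events: write` for `upload-sarif`, so if the repository's default `GITHUB_TOKEN` permissions are read-only that step fails. Add a top-level `permissions:` block here with `contents: read`, `security-events: write`, and whatever `component-container-image.yml` needs to push to ghcr.io (presumably `packages: write`; that file is not in this changeset). Also note the `release: types: [created]` trigger: on that event the security component skips its own build step and scans `ghcr.io/british-oceanographic-data-centre/amrit-repos/java/app:<tag>` from the registry, so `needs: [container-image-build]` only helps if the build job actually pushes the image on release.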
@@ -0,0 +1,37 @@ | ||
name: Python Workflow | ||
|
||
on: | ||
push: | ||
branches: | ||
# Run on our main branch | ||
- main | ||
paths: | ||
- example-python/** | ||
pull_request: | ||
# Run for any pull requests | ||
paths: | ||
- example-python/** | ||
release: | ||
types: [created] | ||
|
||
jobs: | ||
python-linting: | ||
uses: ./.github/workflows/component-python-lint.yml | ||
with: | ||
context: example-python | ||
python-security: | ||
uses: ./.github/workflows/component-python-security.yml | ||
with: | ||
context: example-python | ||
container-image-build: | ||
needs: [python-linting, python-security] | ||
uses: ./.github/workflows/component-container-image.yml | ||
with: | ||
context: example-python | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/python/app | ||
container-image-security: | ||
needs: [container-image-build] | ||
uses: ./.github/workflows/component-container-image-security.yml | ||
with: | ||
context: example-python | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/python/app |
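Review bot: the `push`/`pull_request` triggers here use the same `example-python/**` path filter that the Python security component still carries after this changeset, so every push and PR touching that directory runs the Grype, pip-audit and Bandit jobs twice: once via this caller with `context: example-python` and once directly with an empty `context`. Remove the standalone triggers from the component so this workflow is the single entry point. The same `permissions:` concern as in the Java workflow applies: the called security components need `security-events: write`, which this caller must grant explicitly if the repository's default token is read-only.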
@@ -0,0 +1,41 @@ | ||
name: TypeScript Workflow | ||
|
||
on: | ||
push: | ||
branches: | ||
# Run on our main branch | ||
- main | ||
paths: | ||
- typescript-demo/** | ||
pull_request: | ||
# Run for any pull requests | ||
paths: | ||
- typescript-demo/** | ||
release: | ||
types: [created] | ||
|
||
jobs: | ||
ts-linting: | ||
uses: ./.github/workflows/component-ts-lint.yml | ||
with: | ||
context: typescript-demo | ||
ts-test: | ||
uses: ./.github/workflows/component-ts-test.yml | ||
with: | ||
context: typescript-demo | ||
ts-security: | ||
uses: ./.github/workflows/component-ts-security.yml | ||
with: | ||
context: typescript-demo | ||
container-image-build: | ||
needs: [ts-linting, ts-test, ts-security] | ||
uses: ./.github/workflows/component-container-image.yml | ||
with: | ||
context: typescript-demo | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/typescript/app | ||
container-image-security: | ||
needs: [container-image-build] | ||
uses: ./.github/workflows/component-container-image-security.yml | ||
with: | ||
context: typescript-demo | ||
image-path: ghcr.io/british-oceanographic-data-centre/amrit-repos/typescript/app |
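Review bot: `component-ts-test.yml` and `component-ts-security.yml` are referenced by the `ts-test` and `ts-security` jobs, but only the TypeScript lint component appears among the files added in this changeset; confirm both exist on this branch (and are not among the six deleted files), otherwise the run fails immediately with a workflow-file error before any job starts. The `needs: [ts-linting, ts-test, ts-security]` gate ahead of the image build is the right shape; as with the Java and Python callers, add a top-level `permissions:` block so the called security component's `security-events: write` (and the image build's registry push) are actually granted.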