Skip to content
This repository has been archived by the owner on Sep 30, 2024. It is now read-only.

Bump aquasecurity/trivy-action from 0.18.0 to 0.23.0 #640

Bump aquasecurity/trivy-action from 0.18.0 to 0.23.0

Bump aquasecurity/trivy-action from 0.18.0 to 0.23.0 #640

Workflow file for this run

name: "Application Container Builds"
on:
push:
tags:
- "[0-9]+.[0-9]+.[0-9]+"
- "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+"
branches: [main]
# Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore
paths:
- "src/**/*.py"
- "src/**/*.html"
- "tests/**/*"
- ".github/workflows/**"
- ".github/scripts/**"
- "pyproject.toml"
- "poetry.lock"
- "docker/app/**"
- "docker/diag-etl/**"
pull_request:
paths:
- "src/**/*.py"
- "src/**/*.html"
- "tests/**/*"
- ".github/workflows/**"
- ".github/scripts/**"
- "pyproject.toml"
- "poetry.lock"
- "docker/app/**"
- "docker/diag-etl/**"
workflow_dispatch: # Manually
env:
REGISTRY: ghcr.io/noaa-gsl/unified-graphics
jobs:
lint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install dependencies
run: |
poetry env use 3.10
poetry install
- name: Lint with Black
run: poetry run black --check .
- name: Lint with Flake8
run: poetry run flake8 --count --show-source --statistics .
- name: Lint with isort
run: poetry run isort --check .
type-check:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install dependencies
run: |
poetry env use 3.10
poetry install
- name: Check Types with mypy
run: poetry run mypy src/
test:
runs-on: ubuntu-latest
permissions:
pull-requests: write
services:
postgres:
image: "postgres:15.2"
env:
POSTGRES_PASSWORD: postgres
options: >-
--health-cmd pg_isready
--health-interval 10s
--health-timeout 5s
--health-retries 5
ports:
- "5432:5432"
steps:
- uses: actions/checkout@v4
- name: Install poetry
run: pipx install poetry
- uses: actions/setup-python@v5
with:
python-version: "3.10"
- name: Install dependencies
run: |
poetry env use 3.10
poetry install
- name: Test
run: |
poetry run coverage run -m pytest tests/
poetry run coverage report
poetry run coverage xml
- name: Code Coverage Report
uses: irongut/[email protected]
with:
header: API Coverage
filename: coverage.xml
badge: true
fail_below_min: true
format: markdown
hide_branch_rate: false
hide_complexity: true
indicators: true
output: both
thresholds: "60 80"
- name: Add Coverage PR Comment
uses: marocchino/sticky-pull-request-comment@v2
if: github.event_name == 'pull_request'
with:
recreate: true
path: code-coverage-results.md
build_app:
runs-on: ubuntu-latest
needs: [lint, type-check, test]
permissions:
packages: write
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Build & tag image
run: |
docker build -t ${{ env.REGISTRY }}/api:${{ env.BRANCH }} -f docker/app/Dockerfile .
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker push ${{ env.REGISTRY }}/api:${{ env.BRANCH }}
build_diag_etl:
runs-on: ubuntu-latest
needs: [lint, type-check, test]
permissions:
packages: write
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Build & tag image
run: |
docker build -t ${{ env.REGISTRY }}/data:${{ env.BRANCH }} -f docker/diag-etl/Dockerfile .
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Push image
run: |
docker push ${{ env.REGISTRY }}/data:${{ env.BRANCH }}
scan_app:
runs-on: ubuntu-latest
needs: build_app
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Scan image with Trivy
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY }}/api:${{ env.BRANCH }}"
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
limit-severities-for-sarif: true
exit-code: "1"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
scan_diag_etl:
runs-on: ubuntu-latest
needs: build_diag_etl
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Scan image with Trivy
uses: aquasecurity/[email protected]
with:
image-ref: "${{ env.REGISTRY }}/data:${{ env.BRANCH }}"
format: "sarif"
output: "trivy-results.sarif"
ignore-unfixed: true
severity: "CRITICAL,HIGH"
limit-severities-for-sarif: true
exit-code: "1"
env:
TRIVY_USERNAME: ${{ github.actor }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
- name: Upload Trivy scan results to GitHub Security tab
if: always()
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: "trivy-results.sarif"
deploy:
if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes
runs-on: ubuntu-latest
environment: vlab
concurrency: vlab
needs: [scan_app, scan_diag_etl]
steps:
- uses: actions/checkout@v4
- name: Extract branch/tag name
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH
- name: Login to GHCR
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Configure AWS credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: us-east-1
- name: Login to ECR
uses: aws-actions/amazon-ecr-login@v2
- name: retag image and push
run: |
docker pull ${{ env.REGISTRY }}/api:${{ env.BRANCH }}
docker tag ${{ env.REGISTRY }}/api:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/api:${{ env.BRANCH }}
docker push ${{ secrets.AWS_REGISTRY }}/api:${{ env.BRANCH }}
docker pull ${{ env.REGISTRY }}/data:${{ env.BRANCH }}
docker tag ${{ env.REGISTRY }}/data:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/data:${{ env.BRANCH }}
docker push ${{ secrets.AWS_REGISTRY }}/data:${{ env.BRANCH }}