
Cleanup ci and add trivy #1887



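# CI workflow: signed-commit check, vulnerability scanning (govulncheck + Trivy),
# then build/test and a docker-compose smoke test, both gated on the scan job.
name: CI

# NOTE(review): `pull_request` and `pull_request_target` both fire for every PR,
# so the jobs below run twice per PR. `pull_request_target` runs in the base
# repository's context (repository secrets and the default GITHUB_TOKEN are
# available). That is only safe here because every actions/checkout step below
# omits `ref:` and therefore checks out the base branch, never the PR head.
# Do not add a head-ref checkout (e.g. the PR head SHA) to this workflow.
on:
  pull_request:
  pull_request_target:
  workflow_call:
  workflow_dispatch:

# Least privilege for the default GITHUB_TOKEN across all jobs; a job that needs
# more (the signed-commit check) declares it explicitly.
permissions:
  contents: read

# NOTE(review): third-party actions are pinned to mutable tags (@v1, @v4).
# Pinning to a full commit SHA prevents a tag move from changing what runs.
jobs:
  check-signed-commits:
    name: Check signed commits in PR
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # presumably needed so the action can report on the PR — confirm against
      # the action's documentation before narrowing.
      pull-requests: write
    steps:
      - name: Check signed commits in PR
        uses: 1Password/check-signed-commits-action@v1

  security_scan:
    name: Security Scan
    runs-on: ubuntu-22.04
    timeout-minutes: 45
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          # Full history and tags: govulncheck/Trivy only need the tree, but
          # downstream steps in this file rely on the same checkout shape.
          fetch-tags: true
          fetch-depth: 0
      - name: Run govulncheck
        uses: golang/govulncheck-action@v1
      - name: Run Trivy vulnerability scanner in repo mode
        # The version ref was not legible in the source page; pin to a release
        # tag or, preferably, a full commit SHA.
        uses: aquasecurity/trivy-action@<PINNED-VERSION>
        with:
          scan-type: 'fs'
          # Only report findings that have a fix available.
          ignore-unfixed: true
          format: 'table'
          # output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif
          # Only CRITICAL findings gate the pipeline; HIGH is not enforced.
          # Widen deliberately (e.g. 'CRITICAL,HIGH') if policy requires it.
          severity: 'CRITICAL'
          # Non-zero exit fails this job, and therefore every job that `needs` it.
          exit-code: '1'
      # TODO(ale8k): Setup GH security
      # - name: Upload Trivy scan results to GitHub Security tab
      #   uses: github/codeql-action/upload-sarif@v2
      #   with:
      #     sarif_file: 'trivy-results.sarif'

  build_test:
    name: Build and Test
    runs-on: ubuntu-22.04
    timeout-minutes: 45
    needs: [security_scan]
    steps:
      - name: Checkout
        uses: actions/checkout@v4
        with:
          fetch-tags: true
          fetch-depth: 0
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version-file: 'go.mod'
      - name: Install dependencies
        run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential
      - name: Install juju-db
        run: sudo snap install juju-db --channel 4.4/stable
      - name: Add volume files
        # Empty placeholder files so the compose volume mounts resolve; the
        # test environment does not read real Vault credentials from them.
        run: |
          touch ./local/vault/approle.json
          touch ./local/vault/roleid.txt
          touch ./local/vault/vault.env
      - name: Create test certs
        run: make certs
      - name: Start test environment
        run: docker compose up -d --wait
      - name: Build and Test
        run: go test -mod readonly ./... -timeout 1h -cover
        env:
          # Credentials below are for the throwaway compose Postgres only.
          JIMM_DSN: postgresql://jimm:jimm@localhost:5432/jimm
          JIMM_TEST_PGXDSN: postgresql://jimm:jimm@localhost:5432/jimm
          PGHOST: localhost
          PGPASSWORD: jimm
          PGSSLMODE: disable
          PGUSER: jimm
          PGPORT: 5432

  smoke_test:
    name: Smoke Test
    runs-on: ubuntu-22.04
    # Bound runner time like the sibling jobs instead of the 6 h default.
    timeout-minutes: 45
    needs: [security_scan]
    # The docker compose has a healthcheck on the JIMM container.
    # So if the compose returns with exit code 0 then the JIMM server successfully started.
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Setup Go
        uses: actions/setup-go@v4
        with:
          go-version-file: 'go.mod'
      - name: Add volume files
        run: |
          touch ./local/vault/approle.json
          touch ./local/vault/roleid.txt
          touch ./local/vault/vault.env
      - name: Run Smoke Test
        run: docker compose --profile dev up -d --wait --timestamps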