Cleanup ci and add trivy (#1239)

* .

.github/workflows/assert-signed-commits.yaml → .github/workflows/check-signed-commits.yaml

@@ -1,7 +1,5 @@
-name: Check signed commits in PR 
-on: 
-    pull_request_target:
-    pull_request:
+name: Check signed commits
+on: pull_request_target
 
 jobs:
   check-signed-commits:
@@ -12,4 +10,4 @@ jobs:
       pull-requests: write
     steps:
       - name: Check signed commits in PR
-        uses: 1Password/check-signed-commits-action@v1
+        uses: 1Password/check-signed-commits-action@v1

.github/workflows/ci.yaml

@@ -4,48 +4,73 @@ on:
   workflow_call:
   workflow_dispatch:
 
-
 jobs:
-  # lint:
-  #   runs-on: ubuntu-20.04
-  #   continue-on-error: true
-  #   steps:
-  #     - uses: actions/checkout@v3
-  #     - uses: actions/setup-go@v4
-  #       with:
-  #         go-version-file: 'go.mod'
-  #     - name: golangci-lint
-  #       uses: golangci/golangci-lint-action@v3
-  #       with:
-  #         # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version
-  #         version: latest
-  #         skip-pkg-cache: true
-  #         skip-build-cache: true
+  security_scan:
+    name: Security Scan
+    runs-on: ubuntu-22.04
+    timeout-minutes: 45
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-tags: true
+          fetch-depth: 0
+
+      # TODO(ale8k): Currently hanging forever, not sure why?
+      # - name: Run govulncheck
+      #   uses: golang/govulncheck-action@v1
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/[email protected]
+        with:
+          scan-type: 'fs'
+          ignore-unfixed: true
+          format: 'table' 
+          # output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif
+          severity: 'CRITICAL'
+          exit-code: '1'
+
+      # TODO(ale8k): Setup GH security
+      # - name: Upload Trivy scan results to GitHub Security tab
+      #   uses: github/codeql-action/upload-sarif@v2
+      #   with:
+      #     sarif_file: 'trivy-results.sarif'
 
   build_test:
     name: Build and Test
     runs-on: ubuntu-22.04
     timeout-minutes: 45
+    needs: [security_scan]
     steps:
-      - uses: actions/checkout@v4
+      - name: Checkout
+        uses: actions/checkout@v4
         with:
           fetch-tags: true
           fetch-depth: 0
-      - uses: actions/setup-go@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
+
       - name: Install dependencies
         run: sudo apt-get update -y && sudo apt-get install -y gcc git-core gnupg build-essential
-      - run: sudo snap install juju-db --channel 4.4/stable
+
+      - name: Install juju-db
+        run: sudo snap install juju-db --channel 4.4/stable
+
       - name: Add volume files
         run: |
           touch ./local/vault/approle.json
           touch ./local/vault/roleid.txt
           touch ./local/vault/vault.env
+
       - name: Create test certs
         run: make certs
+
       - name: Start test environment
         run: docker compose up -d --wait
+
       - name: Build and Test
         run: go test -mod readonly ./... -timeout 1h -cover
         env:
@@ -60,18 +85,23 @@ jobs:
   smoke_test:
     name: Smoke Test
     runs-on: ubuntu-22.04
+    needs: [security_scan]
     # The docker compose has a healthcheck on the JIMM container.
     # So if the compose returns with exit code 0 then the JIMM server successfully started.
     steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-go@v4
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Setup Go
+        uses: actions/setup-go@v4
         with:
           go-version-file: 'go.mod'
+
       - name: Add volume files
         run: |
           touch ./local/vault/approle.json
           touch ./local/vault/roleid.txt
           touch ./local/vault/vault.env
-      - run: go version
-      - run: go mod vendor
-      - run: docker compose --profile dev up -d --wait --timestamps
+
+      - name: Run Smoke Test
+        run: docker compose --profile dev up -d --wait --timestamps

.github/workflows/server-oci-release.yaml → .github/workflows/release-server-rock.yaml

@@ -1,5 +1,4 @@
-# Publish the OCI image to ghcr
-name: Publish server image
+name: Release Server ROCK
 
 on:
   # Note that when running via workflow_dispatch, the github.ref_name

.github/workflows/release-snaps.yaml

@@ -0,0 +1,31 @@
+name: Release Snaps
+
+on:
+  workflow_dispatch:
+  push:
+    tags:
+      - 'v3*'
+
+jobs:
+  build-and-release-jimmctl:
+    uses: ./.github/workflows/snap-release.yaml
+    with:
+      folder: jimmctl
+      release-channel: 3/edge
+    secrets: inherit
+
+  build-and-release-jaas-plugin:
+    uses: ./.github/workflows/snap-release.yaml
+    with:
+      folder: jaas
+      release-channel: 3/edge
+    secrets: inherit
+
+  build-and-release-jimm-server:
+    uses: ./.github/workflows/snap-release.yaml
+    with:
+      jobs: build # Only build, this snap isn't released to snapcraft
+      folder: jimm
+      release-channel: 3/edge # Not used for this snap
+    secrets: inherit
+

.github/workflows/snap-release.yaml

@@ -1,4 +1,6 @@
-name: Release snap
+# Release Snap is a composite workflow used within other workflows
+# to reuse the logic of building and publishing a snap in one.
+name: Release Snap
 
 on:
   workflow_call: