Cleanup ci and add trivy #1239
Changes from 11 commits
c1e5121
b64de20
25143c4
0a49ab4
e394c50
b5d8d4b
31e64dd
1bab6b4
90c98d9
94253ac
377d44c
47ce85d
bb325cf
0daaa04
0852928
This file was deleted.
@@ -1,31 +1,55 @@ | ||
name: CI | ||
on: | ||
pull_request: | ||
pull_request_target: | ||
workflow_call: | ||
workflow_dispatch: | ||
|
||
|
||
jobs: | ||
# lint: | ||
# runs-on: ubuntu-20.04 | ||
# continue-on-error: true | ||
# steps: | ||
# - uses: actions/checkout@v3 | ||
# - uses: actions/setup-go@v4 | ||
# with: | ||
# go-version-file: 'go.mod' | ||
# - name: golangci-lint | ||
# uses: golangci/golangci-lint-action@v3 | ||
# with: | ||
# # Optional: version of golangci-lint to use in form of v1.2 or v1.2.3 or `latest` to use the latest version | ||
# version: latest | ||
# skip-pkg-cache: true | ||
# skip-build-cache: true | ||
check-signed-commits: | ||
name: Check signed commits in PR | ||
runs-on: ubuntu-latest | ||
permissions: | ||
contents: read | ||
pull-requests: write | ||
steps: | ||
- name: Check signed commits in PR | ||
uses: 1Password/check-signed-commits-action@v1 | ||
|
||
security_scan: | ||
name: Security Scan | ||
runs-on: ubuntu-22.04 | ||
timeout-minutes: 45 | ||
steps: | ||
- uses: actions/checkout@v4 | ||
Reviewer (inline): This one is missing a name
Author: LOL
||
with: | ||
fetch-tags: true | ||
fetch-depth: 0 | ||
|
||
- name: Run govulncheck | ||
uses: golang/govulncheck-action@v1 | ||
|
||
- name: Run Trivy vulnerability scanner in repo mode | ||
uses: aquasecurity/[email protected] | ||
with: | ||
scan-type: 'fs' | ||
ignore-unfixed: true | ||
format: 'table' | ||
# output: 'trivy-results.sarif' # TODO(ale8k) Turn on when uploading to gh and change above line to sarif | ||
severity: 'CRITICAL' | ||
exit-code: '1' | ||
|
||
# TODO(ale8k): Setup GH security | ||
# - name: Upload Trivy scan results to GitHub Security tab | ||
# uses: github/codeql-action/upload-sarif@v2 | ||
# with: | ||
# sarif_file: 'trivy-results.sarif' | ||
|
||
build_test: | ||
name: Build and Test | ||
runs-on: ubuntu-22.04 | ||
timeout-minutes: 45 | ||
needs: [security_scan] | ||
steps: | ||
- uses: actions/checkout@v4 | ||
with: | ||
|
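Review bot: The `pull_request_target` trigger kept at the top of this hunk, together with the bare `actions/checkout@v4` in `security_scan` (no `ref:`), means that for a fork PR the govulncheck and Trivy steps scan the base branch rather than the contributed code, while the run still has repository secrets available; `pull_request` already fires for the same PRs, so each fork PR produces a second run that does scan the merge commit. Drop `pull_request_target` from this workflow unless a job genuinely needs a write token on fork PRs, and if one does, keep that job free of any checkout of the PR head: adding `ref: ${{ github.event.pull_request.head.sha }}` to this checkout under `pull_request_target` would execute fork-controlled build tooling with secrets in the environment. Two smaller points: `security_scan` and `build_test` have no `permissions:` block (set `contents: read` as `check-signed-commits` does), and `golang/govulncheck-action@v1` and the Trivy action are pinned by tag rather than commit SHA. With `severity: 'CRITICAL'` plus `ignore-unfixed: true` the gate also lets HIGH findings and unfixed criticals through; that is a reasonable starting policy, but state it in the comment next to the TODO so nobody assumes the scan is stricter than it is.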
@@ -60,6 +84,7 @@ jobs: | |
smoke_test: | ||
name: Smoke Test | ||
runs-on: ubuntu-22.04 | ||
needs: [security_scan] | ||
# The docker compose has a healthcheck on the JIMM container. | ||
# So if the compose returns with exit code 0 then the JIMM server successfully started. | ||
steps: | ||
|
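Review bot: `needs: [security_scan]` here (and on `build_test` in the previous hunk) means a single fixable CRITICAL in a dependency blocks the smoke test and unit tests entirely, so a contributor whose PR is unrelated to the vulnerable dependency gets no test signal until someone bumps it. If the intent is only a policy gate, let `build_test` and `smoke_test` run in parallel with `security_scan` and rely on branch protection requiring all three checks; if the intent is to avoid spending runner time on known-vulnerable code, keep the dependency but say so in the comment above `steps:` so the serialization is not mistaken for an accident.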
This file was deleted.
This file was deleted.
@@ -0,0 +1,31 @@ | ||
name: Release Snaps | ||
|
||
on: | ||
workflow_dispatch: | ||
push: | ||
tags: | ||
- 'v3*' | ||
|
||
jobs: | ||
build-and-release-jimmctl: | ||
uses: ./.github/workflows/snap-release.yaml | ||
|
||
with: | ||
folder: jimmctl | ||
release-channel: 3/edge | ||
secrets: inherit | ||
|
||
build-and-release-jaas-plugin: | ||
uses: ./.github/workflows/snap-release.yaml | ||
|
||
with: | ||
folder: jaas | ||
release-channel: 3/edge | ||
secrets: inherit | ||
|
||
build-and-release-jimm-server: | ||
uses: ./.github/workflows/snap-release.yaml | ||
Reviewer (inline): missing name
Author: It's a composite workflow, cannot be named
||
with: | ||
jobs: build # Only build, this snap isn't released to snapcraft | ||
folder: jimm | ||
release-channel: 3/edge # Not used for this snap | ||
secrets: inherit | ||
|
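Review bot: All three caller jobs use `secrets: inherit`, which hands every repository and organization secret to `snap-release.yaml`, including for `build-and-release-jimm-server`, which only runs `jobs: build` and never publishes. Pass the store credential explicitly via a `secrets:` mapping for whatever secret `snap-release.yaml` declares under `on.workflow_call.secrets` (not visible in this diff), and omit `secrets:` entirely for the build-only job, so a compromised build step in the reusable workflow cannot read unrelated secrets. The `push: tags: - 'v3*'` trigger releases to `3/edge` on any tag matching the glob pushed by anyone with write access; since the CI workflow checks for signed commits, consider verifying the tag signature in `snap-release.yaml` before publishing. Incidentally, jobs that call a reusable workflow do accept a `name:` key, so the inline "missing name" comment can be addressed without restructuring.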
Reviewer (inline): Shouldn't this be moved to the actions folder like you suggested?
Author: No no, I was gonna break it into one action, but not really any point after looking at them; I think a composite workflow is fine. If we break it into one action we can't use the "jobs" param to run up to a point, as you know; it's just a single action...
This file was deleted.
Reviewer: Why have we removed this?
Author: I haven't, I just moved it into CI.
Reviewer: Ah, it's in the CI job. I think that's a bad idea because of the pull_request_target keyword.
Author: Why do you think it's a bad idea?
Reviewer: Check out this SO post: https://stackoverflow.com/questions/74957218/what-is-the-difference-between-pull-request-and-pull-request-target-event-in-git
Author: How would moving it back protect us?
Reviewer: actions/labeler#121 (comment) ?
Author: Idk if I'm understanding correctly, but if they made a PR regardless and it wanted to get secrets, it doesn't seem to matter where the job is; it's just the fact you're using that trigger? So our solution is to remove the use of it?
Reviewer: From the SO post, I believe this means that the CI job will not check the code from your fork, so the test will pass not because your code is necessarily correct but because the test will check out code from e.g. v3 JIMM.
Author: Not really sure what you mean? Let's move this to MM.
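To make the trigger question in the thread above concrete, here is an added illustration that is not part of this PR or of the JIMM repository. It contrasts the configuration the PR ships with the dangerous variant and the safe split; the job names, the `make lint` step and the assumption that the signed-commit check is what needs a write token on fork PRs are placeholders of mine, not facts from the page.

```yaml
# Added illustration, not code from this PR. Three variants of the same scan job,
# separated as YAML documents.

# Variant 1: what the PR does. Both triggers, checkout with no ref.
# On pull_request_target the runner checks out github.ref, i.e. the BASE branch,
# so govulncheck/Trivy inspect code that is already on the base branch and never
# see the fork's changes, while repository secrets are available to the run.
# pull_request fires as well, so every fork PR produces two runs of this workflow.
name: CI
on:
  pull_request:
  pull_request_target:
jobs:
  security_scan:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4        # no ref: base branch under pull_request_target
      - uses: golang/govulncheck-action@v1
---
# Variant 2: the tempting "fix" that turns the weakness into an exploit path.
# Checking out the PR head under pull_request_target means whatever build tooling
# the fork controls (Makefile targets, test scripts) runs with repository secrets
# in the environment and a GITHUB_TOKEN carrying any write scope the job requests.
name: CI
on:
  pull_request_target:
jobs:
  security_scan:
    runs-on: ubuntu-22.04
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # never do this under pull_request_target
      - run: make lint                                     # placeholder step: executes the fork's code
---
# Variant 3: the safe split. Scanning and testing run under pull_request, which
# checks out the PR merge commit and, for fork PRs, gets a read-only GITHUB_TOKEN
# and no repository secrets. A job that genuinely needs a write token on fork PRs
# (assumption: the signed-commit check wants to post a comment) keeps
# pull_request_target in a separate workflow and never checks out or runs the
# fork's code.
name: CI
on:
  pull_request:
jobs:
  security_scan:
    runs-on: ubuntu-22.04
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@v4        # PR merge commit: the contributed code is scanned
      - uses: golang/govulncheck-action@v1
---
name: PR checks needing a write token
on:
  pull_request_target:
jobs:
  check-signed-commits:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
    steps:
      - uses: 1Password/check-signed-commits-action@v1   # no checkout of the PR head
```

The rule of thumb the split encodes: a workflow either has access to secrets and a write token, or it checks out and executes untrusted PR code, never both in the same job.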