Bump aquasecurity/trivy-action from d9cd5b1c23aaf8cb31bb09141028215828364bbb to 97646fedde05bcd0961217c60b50e23f721e7ec7 #4075
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: CI | |
| on: | |
| push: | |
| branches: | |
| - master | |
| - release-* | |
| pull_request: {} | |
| workflow_dispatch: {} | |
| # Declare default permissions as read only. | |
| permissions: read-all | |
| env: | |
| # Common versions | |
| GO_VERSION: '1.20' | |
| GOLANGCI_VERSION: 'v1.55.2' | |
| DOCKER_BUILDX_VERSION: 'v0.4.2' | |
| # Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run | |
| # a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether | |
| # credentials have been provided before trying to run steps that need them. | |
| DOCKER_USR: ${{ secrets.DOCKER_USR }} | |
| AWS_USR: ${{ secrets.AWS_USR }} | |
| jobs: | |
| typos-check: | |
| name: Spell Check with Typos | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - name: Checkout Actions Repository | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| - name: Check spelling with custom config file | |
| uses: crate-ci/typos@b86466d268920e98b8f1acc7fbb6f08ec871d136 # v1.24.1 | |
| with: | |
| config: ./typos.toml | |
| golangci-lint: | |
| runs-on: ubuntu-20.04 | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| submodules: true | |
| - name: Setup Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go Dependencies | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: ${{ runner.os }}-go- | |
| - name: Code generate | |
| run: | | |
| make generate | |
| - name: Lint golang code | |
| uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0 | |
| with: | |
| version: ${{ env.GOLANGCI_VERSION }} | |
| args: --verbose | |
| skip-pkg-cache: true | |
| mod: readonly | |
| - name: Run Trivy vulnerability scanner in repo mode | |
| uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 # master | |
| with: | |
| scan-type: 'fs' | |
| ignore-unfixed: true | |
| format: 'sarif' | |
| output: 'trivy-results.sarif' | |
| severity: 'CRITICAL' | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5 | |
| with: | |
| sarif_file: 'trivy-results.sarif' | |
| # markdownlint-misspell-shellcheck: | |
| # runs-on: ubuntu-20.04 | |
| # # this image is build from Dockerfile | |
| # # https://github.com/pouchcontainer/pouchlinter/blob/master/Dockerfile | |
| # container: pouchcontainer/pouchlinter:v0.1.2 | |
| # steps: | |
| # - name: Checkout | |
| # uses: actions/checkout@v3 | |
| # - name: Run misspell | |
| # run: find ./* -name "*" | grep -v vendor | xargs misspell -error | |
| # - name: Run shellcheck | |
| # run: find ./ -name "*.sh" | grep -v vendor | xargs shellcheck | |
| # - name: Lint markdown files | |
| # run: find ./ -name "*.md" | grep -v vendor | grep -v commandline | grep -v .github | grep -v swagger | grep -v api | xargs mdl -r ~MD010,~MD013,~MD014,~MD022,~MD024,~MD029,~MD031,~MD032,~MD033,~MD036 | |
| # - name: Check markdown links | |
| # run: | | |
| # set +e | |
| # for name in $(find . -name \*.md | grep -v vendor | grep -v CHANGELOG); do | |
| # if [ -f $name ]; then | |
| # markdown-link-check -q $name -c .github/workflows/markdown-link-check.config.json; | |
| # if [ $? -ne 0 ]; then | |
| # code=1 | |
| # fi | |
| # fi | |
| # done | |
| # bash -c "exit $code"; | |
| unit-tests: | |
| runs-on: ubuntu-20.04 | |
| steps: | |
| - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 | |
| with: | |
| submodules: true | |
| - name: Fetch History | |
| run: git fetch --prune --unshallow | |
| - name: Setup Go | |
| uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 | |
| with: | |
| go-version: ${{ env.GO_VERSION }} | |
| - name: Cache Go Dependencies | |
| uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2 | |
| with: | |
| path: ~/go/pkg/mod | |
| key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: ${{ runner.os }}-go- | |
| - name: Run Unit Tests | |
| run: | | |
| make test | |
| git status | |
| - name: Publish Unit Test Coverage | |
| uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0 | |
| with: | |
| flags: unittests | |
| file: cover.out | |
| - name: Check diff | |
| run: '[[ -z $(git status -s) ]] || (printf "Existing modified/untracked files.\nPlease run \"make generate manifests\" and push again.\n"; exit 1)' |