chore: update repository templates to ory/meta@000f213

ory · Dec 27, 2024 · d10f9bc · d10f9bc
1 parent c50326f
commit d10f9bc
Show file tree

Hide file tree

Showing 2 changed files with 69 additions and 24 deletions.
diff --git a/.github/workflows/conventional_commits.yml b/.github/workflows/conventional_commits.yml
@@ -18,11 +18,9 @@ on:
       - ready_for_review
       - reopened
   # pull_request: # for debugging, uses config in local branch but supports only Pull Requests from this repo
-  merge_group:
 
 jobs:
   main:
-    if: github.event_name != 'merge_group'
     name: Validate PR title
     runs-on: ubuntu-latest
     steps:

diff --git a/.github/workflows/cve-scan.yaml b/.github/workflows/cve-scan.yaml
@@ -1,5 +1,9 @@
+# AUTO-GENERATED, DO NOT EDIT!
+# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/server/.github/workflows/cve-scan.yaml
+
 name: Docker Image Scanners
 on:
+  workflow_dispatch:
   push:
     branches:
       - "master"
@@ -8,32 +12,70 @@ on:
   pull_request:
     branches:
       - "master"
-  merge_group:
+
+permissions:
+  contents: read
+  security-events: write
 
 jobs:
   scanners:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
       - name: Setup Env
         id: vars
         shell: bash
         run: |
-          echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
+          # Store values in local variables
+          SHA_SHORT=$(git rev-parse --short HEAD)
+          REPO_NAME=${{ github.event.repository.name }}
+
+          # Append -sqlite to SHA_SHORT if repo is hydra
+          if [ "${REPO_NAME}" = "hydra" ]; then
+            echo "Repo is hydra, appending -sqlite to SHA_SHORT"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}-sqlite"
+          else
+            echo "Repo is not hydra, using default IMAGE_NAME"
+            IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
+          fi
+
+          # Output values for debugging
+          echo "Values to be set:"
+          echo "SHA_SHORT:  ${SHA_SHORT}"
+          echo "REPO_NAME:  ${REPO_NAME}"
+          echo "IMAGE_NAME: ${IMAGE_NAME}"
+
+          # Set GitHub Environment variables
+          echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
+          echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build images
         shell: bash
         run: |
           IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Configure Trivy
+        run: |
+          mkdir -p $HOME/.cache/trivy
+          echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
+          echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
+
       - name: Anchore Scanner
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v5
         id: grype-scan
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           fail-build: true
           severity-cutoff: high
           add-cpes-if-none: true
@@ -46,34 +88,39 @@ jobs:
           echo "::endgroup::"
       - name: Anchore upload scan SARIF report
         if: always()
-        uses: github/codeql-action/upload-sarif@v2
+        uses: github/codeql-action/upload-sarif@v3
         with:
           sarif_file: ${{ steps.grype-scan.outputs.sarif }}
-      #      - name: Kubescape scanner
-      #        uses: kubescape/github-action@main
-      #        id: kubescape
-      #        with:
-      #          image: oryd/keto:${{ env.SHA_SHORT }}
-      #          verbose: true
-      #          format: pretty-printer
-      #          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
-      #          severityThreshold: critical
+      - name: Kubescape scanner
+        uses: kubescape/github-action@main
+        id: kubescape
+        with:
+          image: ${{ env.IMAGE_NAME }}
+          verbose: true
+          format: pretty-printer
+          # can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
+          severityThreshold: critical
       - name: Trivy Scanner
         uses: aquasecurity/trivy-action@master
         if: ${{ always() }}
         with:
-          image-ref: oryd/keto:${{ env.SHA_SHORT }}
+          image-ref: ${{ env.IMAGE_NAME }}
           format: "table"
           exit-code: "42"
           ignore-unfixed: true
           vuln-type: "os,library"
           severity: "CRITICAL,HIGH"
-          scanners: "vuln,secret,config"
+          scanners: "vuln,secret,misconfig"
+        env:
+          TRIVY_SKIP_JAVA_DB_UPDATE: "true"
+          TRIVY_DISABLE_VEX_NOTICE: "true"
+          TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db
+
       - name: Dockle Linter
-        uses: erzz/dockle-action@v1.3.2
+        uses: erzz/dockle-action@v1
         if: ${{ always() }}
         with:
-          image: oryd/keto:${{ env.SHA_SHORT }}
+          image: ${{ env.IMAGE_NAME }}
           exit-code: 42
           failure-threshold: high
       - name: Hadolint
@@ -90,5 +137,5 @@ jobs:
         shell: bash
         run: |
           echo "::group::Hadolint Scan Details"
-          echo "${HADOLINT_RESULTS}" | jq '.' 
+          echo "${HADOLINT_RESULTS}" | jq '.'
           echo "::endgroup::"