github actions and sbom update #191
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "1. Create app" | |
| on: | |
| push: | |
| branches: [dev,feature/*] | |
| tags: | |
| - '**' | |
| paths: | |
| - "go/src/app/**.go" | |
| - Dockerfile | |
| - ".github/workflows/*" | |
| # Avoid duplicate running | |
| # pull_request: | |
| # branches: [main] | |
| workflow_dispatch: | |
| env: | |
| GO_VERSION: 1.22.5 | |
| REGISTRY: ghcr.io | |
| IMAGE_NAME: ${{ github.repository }} | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GITHUB_SHA: ${{ github.sha }} | |
| jobs: | |
| build-app: | |
| runs-on: ubuntu-latest | |
| permissions: | |
| contents: read | |
| packages: write | |
| steps: | |
| - name: Log in to the Container registry | |
| uses: docker/[email protected] | |
| with: | |
| registry: ${{ env.REGISTRY }} | |
| username: ${{ github.actor }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| # Will create and boot a builder that can be used in the build-push action. | |
| - name: Set up QEMU | |
| uses: docker/[email protected] | |
| - name: Set up Docker Buildx | |
| uses: docker/[email protected] | |
| - name: Extract metadata (tags, labels) for Docker | |
| id: meta | |
| uses: docker/[email protected] | |
| with: | |
| images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} | |
| tags: | | |
| type=ref,event=branch | |
| type=ref,event=pr | |
| type=ref,event=tag | |
| type=sha,format=long | |
| # Run the build and outputs a test coverage file | |
| - name: Build and push Docker image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile | |
| push: false | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| target: test-coverage | |
| outputs: | | |
| type=local,dest=. | |
| - uses: codecov/codecov-action@v4 | |
| with: | |
| token: ${{ secrets.CODECOV_TOKEN }} | |
| files: ./coverage.out | |
| fail_ci_if_error: true # optional (default = false) | |
| verbose: true # optional (default = false) | |
| # Any file mutation in the steps that precede the build step will be ignored, | |
| # since the context is based on the Git reference. Use the Path context to remove this restriction. | |
| # https://github.com/marketplace/actions/build-and-push-docker-images#git-context | |
| - name: Build and push Docker image | |
| uses: docker/[email protected] | |
| with: | |
| file: Dockerfile | |
| push: true | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| image-scan: | |
| runs-on: ubuntu-latest | |
| needs: ['build-app'] | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/[email protected] | |
| # Security scanner | |
| # https://github.com/aquasecurity/trivy-action | |
| - name: Run container image vulnerability scanner | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| # image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} | |
| image-ref: '${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:sha-${{ github.sha }}' | |
| format: 'table' | |
| ignore-unfixed: true | |
| vuln-type: 'os' | |
| severity: 'CRITICAL,HIGH' | |
| timeout: 5m | |
| output: 'trivy-results.sarif' | |
| # Pages https://github.com/tuxerrante/kapparmor/settings/pages | |
| # https://helm.sh/docs/topics/chart_repository/#github-pages-example | |
| # https://helm.sh/docs/howto/chart_releaser_action/ | |
| release-chart: | |
| needs: ['build-app'] | |
| if: github.event_name == 'pull_request' || startsWith(github.event.ref, 'refs/tags/v') | |
| permissions: | |
| contents: write | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout | |
| uses: actions/[email protected] | |
| with: | |
| fetch-depth: 0 | |
| - name: Configure Git | |
| run: | | |
| git config user.name "$GITHUB_ACTOR" | |
| git config user.email "[email protected]" | |
| - name: Install Helm | |
| uses: azure/[email protected] | |
| - uses: actions/[email protected] | |
| with: | |
| python-version: '3.9' | |
| check-latest: true | |
| - name: Set up chart-testing | |
| uses: helm/[email protected] | |
| - name: Run chart-testing (list-changed) | |
| id: list-changed | |
| run: | | |
| changed=$(ct list-changed --config ct.yaml --target-branch ${{ github.event.repository.default_branch }}) | |
| if [[ -n "$changed" ]]; then | |
| echo "::set-output name=changed::true" | |
| fi | |
| - name: Run chart-testing (lint) | |
| run: ct lint --config ct.yaml --target-branch ${{ github.event.repository.default_branch }} | |
| - name: Create kind cluster | |
| uses: helm/[email protected] | |
| if: steps.list-changed.outputs.changed == 'true' | |
| - name: Run chart-testing (install) | |
| run: ct install --config ct.yaml --print-config --target-branch ${{ github.event.repository.default_branch }} --debug | |
| - name: Replace GITHUB_SHA in values.yaml file | |
| run: | | |
| sed -i "s/GITHUB_SHA/$GITHUB_SHA/" charts/kapparmor/values.yaml | |
| cat charts/kapparmor/values.yaml | |
| - name: Run chart-releaser | |
| uses: helm/[email protected] | |
| env: | |
| CR_TOKEN: "${{ env.GITHUB_TOKEN }}" | |
| with: | |
| config: cr.yaml |