Test running actions on AKS/GKE

3lvia · May 10, 2024 · da4cf83 · da4cf83
1 parent 6b668cf
commit da4cf83
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 65 deletions.
diff --git a/.github/gh-actions-docs/hie.yaml b/.github/gh-actions-docs/hie.yaml
@@ -1,4 +1,4 @@
 cradle:
   cabal:
-    - path: "app/Main.hs"
-      component: "gh-actions-docs:exe:gh-actions-docs"
+    - path: 'app/Main.hs'
+      component: 'gh-actions-docs:exe:gh-actions-docs'
diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
@@ -10,6 +10,7 @@ jobs:
   prettier_check:
     name: 'Prettier check'
     runs-on: ubuntu-latest
+    if: false
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
@@ -9,7 +9,8 @@ on:
 jobs:
   set-env:
     name: Set environment variables
-    runs-on: ubuntu-latest
+    runs-on: 3lvia-runner-aks-dev
+    if: false
     outputs:
       image_name: ${{ steps.set-output.outputs.image_name }}
       image_tag: ${{ steps.set-output.outputs.image_tag }}
@@ -26,7 +27,8 @@ jobs:
 
   build-docs-image:
     name: Build image for gh-actions-docs
-    runs-on: ubuntu-latest
+    runs-on: 3lvia-runner-aks-dev
+    if: false
     permissions:
       contents: read
       packages: write
@@ -56,7 +58,8 @@ jobs:
 
   generate-docs:
     name: Generate action documentation
-    runs-on: ubuntu-latest
+    runs-on: 3lvia-runner-aks-dev
+    if: false
     needs: [build-docs-image, set-env]
     outputs:
       readme: ${{ steps.set-output.outputs.readme }}
@@ -90,11 +93,12 @@ jobs:
 
   commit-docs:
     name: Commit action documentation on push
-    runs-on: ubuntu-latest
+    runs-on: 3lvia-runner-aks-dev
     needs: [generate-docs]
     permissions:
       contents: write
-    if: github.event_name == 'push'
+  # if: github.event_name == 'push'
+    if: false
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
@@ -13,7 +13,10 @@ env:
 jobs:
   unittests:
     name: Run unit tests
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     permissions:
       contents: read
       checks: write
@@ -29,7 +32,11 @@ jobs:
 
   analyze:
     name: Run CodeQL analysis
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
+    if: false # TODO: fix, runs out of space
     permissions:
       actions: read
       contents: read
@@ -44,7 +51,10 @@ jobs:
 
   build:
     name: Build
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     permissions:
       contents: read
       id-token: write
@@ -65,7 +75,10 @@ jobs:
   deploy_aks_dev:
     name: Deploy to dev on AKS
     needs: [build]
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     permissions:
       contents: read
       id-token: write
@@ -86,7 +99,10 @@ jobs:
   deploy_gke_dev:
     name: Deploy to dev on GKE
     needs: [build]
-    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     permissions:
       contents: read
       id-token: write
@@ -107,8 +123,11 @@ jobs:
           GC_WORKLOAD_IDENTITY_PROVIDER: ${{ vars.GC_WORKLOAD_IDENTITY_PROVIDER }}
 
   trivy_iac_scan:
-    runs-on: ubuntu-latest
     name: Scan IaC with Trivy
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     permissions:
       actions: read
       contents: read
@@ -122,8 +141,11 @@ jobs:
           checkout: 'false'
 
   terraform_format_check:
-    runs-on: ubuntu-latest
     name: Check Terraform code formatting
+    strategy:
+      matrix:
+        runner-provider: [gke]
+    runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
     steps:
       - name: Checkout repository
         uses: actions/checkout@v4

diff --git a/build/action.yml b/build/action.yml
@@ -54,9 +54,6 @@ runs:
       if: ${{ inputs.checkout == 'true' }}
       uses: actions/checkout@v4
 
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@v3
-
     - name: Parse input and set environment variables
       shell: bash
       run: |
@@ -65,6 +62,9 @@ runs:
         echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_ENV"
         echo "IMAGE_LONG_NAME=$IMAGE_NAME:${{ github.sha }}-${{ github.run_number }}" >> "$GITHUB_ENV"
 
+        echo "TRIVY_SARIF=trivy.sarif" >> "$GITHUB_ENV"
+        echo "TRIVY_IGNORE=.trivyignore" >> "$GITHUB_ENV"
+
         if [[ -z "${{ inputs.docker-build-context }}" ]]; then
             export DOCKER_DIR=`dirname ${{ inputs.dockerfile }}` # default to the directory of the Dockerfile
         else
@@ -86,24 +86,24 @@ runs:
 
     - name: Login to ACR
       shell: bash
-      run: az acr login --name '${{ inputs.ACR_NAME }}'
+      run: az acr login --name '${{ inputs.ACR_NAME }}' --expose-token
 
-    - name: Build image
-      uses: docker/build-push-action@v5
-      with:
-        context: ${{ env.DOCKER_DIR }}
-        file: ${{ inputs.dockerfile }}
-        push: 'false'
-        load: 'true'
-        tags: '${{ env.IMAGE_LONG_NAME }},${{ env.IMAGE_NAME }}:latest-cache'
-        cache-from: 'type=registry,ref=${{ env.IMAGE_NAME }}:latest-cache'
-        cache-to: 'type=inline'
+    - name: Build image with podman
+      shell: bash
+      run: |
+        # Build image with podman
+        podman pull '${{ env.IMAGE_NAME }}:latest-cache' || true
+
+        podman build '${{ env.DOCKER_DIR }}' \
+          -f '${{ inputs.dockerfile }}' \
+          -t '${{ env.IMAGE_LONG_NAME }}' \
+          -t '${{ env.IMAGE_NAME }}:latest-cache'
 
     - name: Setup Trivy ignore file
       shell: bash
       run: |
         # Setup Trivy ignore file
-        touch .trivyignore
+        touch '${{ env.TRIVY_IGNORE }}'
 
         if [ -z "${{ inputs.trivy-cve-ignores }}" ]; then
           echo "No CVEs to ignore"
@@ -112,42 +112,39 @@ runs:
 
         echo "Ignoring CVEs: ${{ inputs.trivy-cve-ignores }}"
         for TRIVY_CVE in "$(echo ${{ inputs.trivy-cve-ignores }} | sed 's/,/ /g')"; do
-          echo "$TRIVY_CVE" >> .trivyignore
+          echo "$TRIVY_CVE" >> '${{ env.TRIVY_IGNORE }}'
         done
 
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/[email protected]
-      with:
-        image-ref: ${{ env.IMAGE_LONG_NAME }}
-        exit-code: '1'
-        format: 'table'
-        severity: ${{ inputs.severity }}
-        trivyignores: '.trivyignore'
-        ignore-unfixed: true
-        scanners: ${{ inputs.trivy-enable-secret-scanner == 'true' && 'vuln,misconfig,secret' || 'vuln,misconfig' }}
-        skip-dirs: ${{ inputs.trivy-skip-dirs }}
+    - name: Run Trivy vulnerability scanner (PR)
+      shell: bash
       if: github.event_name == 'pull_request'
+      run: |
+        trivy image '${{ env.IMAGE_LONG_NAME }}' \
+          --format 'table' \
+          --exit-code '1' \
+          --severity '${{ inputs.severity }}' \
+          --ignorefile '${{ env.TRIVY_IGNORE }}' \
+          ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
 
-    - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/[email protected]
-      with:
-        image-ref: ${{ env.IMAGE_LONG_NAME }}
-        format: 'sarif'
-        output: 'trivy.sarif'
-        severity: ${{ inputs.severity }}
-        trivyignores: '.trivyignore'
-        ignore-unfixed: true
-        scanners: ${{ inputs.trivy-enable-secret-scanner == 'true' && 'vuln,misconfig,secret' || 'vuln,misconfig' }}
-        skip-dirs: ${{ inputs.trivy-skip-dirs }}
+    - name: Run Trivy vulnerability scanner (push)
+      shell: bash
       if: github.event_name == 'push'
+      run: |
+        trivy image '${{ env.IMAGE_LONG_NAME }}' \
+          --format 'sarif' \
+          --output '${{ env.TRIVY_SARIF }}' \
+          --exit-code '1' \
+          --severity '${{ inputs.severity }}' \
+          --ignorefile '${{ env.TRIVY_IGNORE }}' \
+          ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
 
     - name: Upload Trivy scan results to GitHub Security tab
       uses: github/codeql-action/upload-sarif@v3
+      if: github.event_name == 'push' && failure()
       with:
-        sarif_file: trivy.sarif
+        sarif_file: ${{ env.TRIVY_SARIF }}
         category: 'Trivy'
-      if: github.event_name == 'push' && failure()
 
     - name: Push image
       shell: bash
-      run: docker push '${{ env.IMAGE_NAME }}' --all-tags
+      run: podman push '${{ env.IMAGE_NAME }}' --all-tags
diff --git a/trivy-iac-scan/action.yml b/trivy-iac-scan/action.yml
@@ -46,16 +46,16 @@ runs:
         echo "AVD-DS-0026" >> '${{ inputs.trivyignore }}'
 
     - name: Run Trivy vulnerability scanner in IaC mode
-      uses: aquasecurity/[email protected]
-      with:
-        scan-type: 'config'
-        format: 'sarif'
-        exit-code: '0'
-        output: ${{ env.TRIVY_SARIF }}
-        severity: ${{ inputs.severity }}
-        trivyignores: ${{ inputs.trivyignore }}
-        ignore-unfixed: 'true'
-        skip-dirs: ${{ inputs.skip-dirs }}
+      shell: bash
+      run: |
+        # Run Trivy
+        trivy config '${{ inputs.path }}' \
+          --format 'sarif' \
+          --output '${{ env.TRIVY_SARIF }}' \
+          --exit-code '0' \
+          --severity '${{ inputs.severity }}' \
+          --ignorefile '${{ inputs.trivyignore }}' \
+          ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
 
     - name: Upload Trivy report to GitHub Security tab
       if: ${{ inputs.upload-report == 'true' }}