diff --git a/.github/gh-actions-docs/hie.yaml b/.github/gh-actions-docs/hie.yaml
index 324872a..3661323 100644
--- a/.github/gh-actions-docs/hie.yaml
+++ b/.github/gh-actions-docs/hie.yaml
@@ -1,4 +1,4 @@
 cradle:
 cabal:
- - path: "app/Main.hs"
- component: "gh-actions-docs:exe:gh-actions-docs"
+ - path: 'app/Main.hs'
+ component: 'gh-actions-docs:exe:gh-actions-docs'
diff --git a/.github/workflows/check-format.yml b/.github/workflows/check-format.yml
index b94b322..2135711 100644
--- a/.github/workflows/check-format.yml
+++ b/.github/workflows/check-format.yml
@@ -10,6 +10,7 @@ jobs:
 prettier_check:
 name: 'Prettier check'
 runs-on: ubuntu-latest
+ if: false
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/.github/workflows/generate-docs.yml b/.github/workflows/generate-docs.yml
index c72a9bf..ea0ba75 100644
--- a/.github/workflows/generate-docs.yml
+++ b/.github/workflows/generate-docs.yml
@@ -9,7 +9,8 @@ on:
 jobs:
 set-env:
 name: Set environment variables
- runs-on: ubuntu-latest
+ runs-on: 3lvia-runner-aks-dev
+ if: false
 outputs:
 image_name: ${{ steps.set-output.outputs.image_name }}
 image_tag: ${{ steps.set-output.outputs.image_tag }}
@@ -26,7 +27,8 @@ jobs:
 build-docs-image:
 name: Build image for gh-actions-docs
- runs-on: ubuntu-latest
+ runs-on: 3lvia-runner-aks-dev
+ if: false
 permissions:
 contents: read
 packages: write
@@ -56,7 +58,8 @@ jobs:
 generate-docs:
 name: Generate action documentation
- runs-on: ubuntu-latest
+ runs-on: 3lvia-runner-aks-dev
+ if: false
 needs: [build-docs-image, set-env]
 outputs:
 readme: ${{ steps.set-output.outputs.readme }}
@@ -90,11 +93,12 @@ jobs:
 commit-docs:
 name: Commit action documentation on push
- runs-on: ubuntu-latest
+ runs-on: 3lvia-runner-aks-dev
 needs: [generate-docs]
 permissions:
 contents: write
- if: github.event_name == 'push'
+ # if: github.event_name == 'push'
+ if: false
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
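Review bot: The `if: false` added to `prettier_check` switches the formatting gate off permanently with no reason recorded, and unlike the `analyze` job in test-actions.yml it carries no TODO, so nothing will prompt anyone to remove it. If this is a stop-gap while runners are being swapped, say so on the line, e.g. `if: false # TODO(<issue>): re-enable once the self-hosted runners are in place`, or simply keep the job on `ubuntu-latest` — it needs nothing from a self-hosted runner. The `prettier_check` job's steps continue past the hunk.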
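Review bot: Every job in generate-docs.yml is now `if: false`, so the workflow keeps triggering but is dead, and only `commit-docs` preserves its original condition as a comment — the reason for switching the workflow off is not recorded anywhere in the file. Record it once, e.g. `if: false # TODO(<issue>): re-enable once 3lvia-runner-aks-dev is ready`, and keep the previous `if:` of the other jobs alongside so they can be restored without archaeology. If the intent is to park the whole workflow, disabling it from the Actions UI or moving it out of `.github/workflows` is less error-prone than four per-job guards that must all be reverted together. The `commit-docs` job's steps continue past the hunk.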
diff --git a/.github/workflows/test-actions.yml b/.github/workflows/test-actions.yml
index 6aad81c..5f49d13 100644
--- a/.github/workflows/test-actions.yml
+++ b/.github/workflows/test-actions.yml
@@ -13,7 +13,10 @@ env:
 jobs:
 unittests:
 name: Run unit tests
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 permissions:
 contents: read
 checks: write
@@ -29,7 +32,11 @@ jobs:
 analyze:
 name: Run CodeQL analysis
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
+ if: false # TODO: fix, runs out of space
 permissions:
 actions: read
 contents: read
@@ -44,7 +51,10 @@ jobs:
 build:
 name: Build
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 permissions:
 contents: read
 id-token: write
@@ -65,7 +75,10 @@ jobs:
 deploy_aks_dev:
 name: Deploy to dev on AKS
 needs: [build]
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 permissions:
 contents: read
 id-token: write
@@ -86,7 +99,10 @@ jobs:
 deploy_gke_dev:
 name: Deploy to dev on GKE
 needs: [build]
- runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 permissions:
 contents: read
 id-token: write
@@ -107,8 +123,11 @@ jobs:
 GC_WORKLOAD_IDENTITY_PROVIDER: ${{ vars.GC_WORKLOAD_IDENTITY_PROVIDER }}
 trivy_iac_scan:
- runs-on: ubuntu-latest
 name: Scan IaC with Trivy
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 permissions:
 actions: read
 contents: read
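Review bot: Every job in test-actions.yml now runs on the self-hosted `3lvia-runner-gke-dev` pool, and `build` and both deploy jobs keep `id-token: write`, so whatever code those jobs execute can mint OIDC tokens for the cloud identities behind them. The `on:` block is outside the hunk, but build/action.yml branches on `github.event_name == 'pull_request'`, so if this workflow accepts pull requests from forks, untrusted code would run on an internal runner with cloud federation — self-hosted runners are only safe behind trusted triggers. Confirm that fork PRs cannot reach these jobs (same-repository `pull_request` only, or a `if: github.event.pull_request.head.repo.full_name == github.repository` guard on the jobs) before this lands. The single-entry `runner-provider: [gke]` matrix also means `deploy_aks_dev` now deploys to AKS from a GKE runner; if `aks` is meant to join the matrix later, a comment saying so would save the next reader a question.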
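Review bot: `if: false # TODO: fix, runs out of space` on `analyze` removes the only CodeQL gate in this workflow, and since the stated reason is runner disk rather than the job itself, the job does not need to be disabled: keep this one job on a GitHub-hosted runner, i.e. `runs-on: ubuntu-latest` in place of the `strategy`/`matrix`/`runs-on`/`if` lines, until the self-hosted image has the space. If it must stay off, link the tracking issue in the TODO so the SAST gap is visible to whoever reviews the security tab. The `analyze` job's steps continue past the hunk.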
@@ -122,8 +141,11 @@ jobs:
 checkout: 'false'
 terraform_format_check:
- runs-on: ubuntu-latest
 name: Check Terraform code formatting
+ strategy:
+ matrix:
+ runner-provider: [gke]
+ runs-on: '3lvia-runner-${{ matrix.runner-provider }}-dev'
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
diff --git a/build/action.yml b/build/action.yml
index 6381ba0..a3989b2 100644
--- a/build/action.yml
+++ b/build/action.yml
@@ -54,9 +54,6 @@ runs:
 if: ${{ inputs.checkout == 'true' }}
 uses: actions/checkout@v4
- - name: Set up Docker Buildx
- uses: docker/setup-buildx-action@v3
-
 - name: Parse input and set environment variables
 shell: bash
 run: |
@@ -65,6 +62,9 @@ runs:
 echo "IMAGE_NAME=$IMAGE_NAME" >> "$GITHUB_ENV"
 echo "IMAGE_LONG_NAME=$IMAGE_NAME:${{ github.sha }}-${{ github.run_number }}" >> "$GITHUB_ENV"
+ echo "TRIVY_SARIF=trivy.sarif" >> "$GITHUB_ENV"
+ echo "TRIVY_IGNORE=.trivyignore" >> "$GITHUB_ENV"
+
 if [[ -z "${{ inputs.docker-build-context }}" ]]; then
 export DOCKER_DIR=`dirname ${{ inputs.dockerfile }}` # default to the directory of the Dockerfile
 else
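Review bot: `TRIVY_IGNORE=.trivyignore` is a path relative to the workspace, so when the action's checkout step has run, a `.trivyignore` committed in the scanned repository is silently appended to by the later `Setup Trivy ignore file` step and honoured by the scan via `--ignorefile` — possibly intended, but it should be stated in the action's documentation. If the ignore list is meant to come only from the `trivy-cve-ignores` input, point the variable at a scratch file instead, `echo "TRIVY_IGNORE=$(mktemp)" >> "$GITHUB_ENV"`. Both variables go through `$GITHUB_ENV`, so they persist into every later step of the calling job; that is harmless as long as no other action in the same job expects a different `TRIVY_SARIF`. The `run:` script continues outside the hunk.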
@@ -86,24 +86,24 @@ runs:
 - name: Login to ACR
 shell: bash
- run: az acr login --name '${{ inputs.ACR_NAME }}'
+ run: az acr login --name '${{ inputs.ACR_NAME }}' --expose-token
- - name: Build image
- uses: docker/build-push-action@v5
- with:
- context: ${{ env.DOCKER_DIR }}
- file: ${{ inputs.dockerfile }}
- push: 'false'
- load: 'true'
- tags: '${{ env.IMAGE_LONG_NAME }},${{ env.IMAGE_NAME }}:latest-cache'
- cache-from: 'type=registry,ref=${{ env.IMAGE_NAME }}:latest-cache'
- cache-to: 'type=inline'
+ - name: Build image with podman
+ shell: bash
+ run: |
+ # Build image with podman
+ podman pull '${{ env.IMAGE_NAME }}:latest-cache' || true
+
+ podman build '${{ env.DOCKER_DIR }}' \
+ -f '${{ inputs.dockerfile }}' \
+ -t '${{ env.IMAGE_LONG_NAME }}' \
+ -t '${{ env.IMAGE_NAME }}:latest-cache'
 - name: Setup Trivy ignore file
 shell: bash
 run: |
 # Setup Trivy ignore file
- touch .trivyignore
+ touch '${{ env.TRIVY_IGNORE }}'
 if [ -z "${{ inputs.trivy-cve-ignores }}" ]; then
 echo "No CVEs to ignore"
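Review bot: `az acr login --expose-token` does not log the container engine in — it prints an access token to stdout instead — so the `Login to ACR` step now writes a registry credential into the job log and leaves podman unauthenticated for the `podman pull` below and the `podman push` later in the file (unless the runner carries registry credentials from somewhere else). Capture the token, mask it, and hand it to `podman login` with ACR's token username, as below. Separately, `podman pull … || true` only warms the local store; the build has no `--cache-from`, so whether the pulled `:latest-cache` layers are actually reused depends on the podman version on the runner and is worth verifying. The `Setup Trivy ignore file` script continues past the hunk.
```yaml
- name: Login to ACR
  shell: bash
  run: |
    # --expose-token prints a token instead of logging in: capture it, mask it, feed it to podman
    ACR_TOKEN="$(az acr login --name '${{ inputs.ACR_NAME }}' --expose-token --query accessToken --output tsv)"
    ACR_SERVER="$(az acr show --name '${{ inputs.ACR_NAME }}' --query loginServer --output tsv)"
    echo "::add-mask::$ACR_TOKEN"
    echo "$ACR_TOKEN" | podman login "$ACR_SERVER" \
      --username 00000000-0000-0000-0000-000000000000 --password-stdin
# … unchanged: Build image with podman, Setup Trivy ignore file …
```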
@@ -112,42 +112,39 @@ runs:
 echo "Ignoring CVEs: ${{ inputs.trivy-cve-ignores }}"
 for TRIVY_CVE in "$(echo ${{ inputs.trivy-cve-ignores }} | sed 's/,/ /g')"; do
- echo "$TRIVY_CVE" >> .trivyignore
+ echo "$TRIVY_CVE" >> '${{ env.TRIVY_IGNORE }}'
 done
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.20.0
- with:
- image-ref: ${{ env.IMAGE_LONG_NAME }}
- exit-code: '1'
- format: 'table'
- severity: ${{ inputs.severity }}
- trivyignores: '.trivyignore'
- ignore-unfixed: true
- scanners: ${{ inputs.trivy-enable-secret-scanner == 'true' && 'vuln,misconfig,secret' || 'vuln,misconfig' }}
- skip-dirs: ${{ inputs.trivy-skip-dirs }}
+ - name: Run Trivy vulnerability scanner (PR)
+ shell: bash
 if: github.event_name == 'pull_request'
+ run: |
+ trivy image '${{ env.IMAGE_LONG_NAME }}' \
+ --format 'table' \
+ --exit-code '1' \
+ --severity '${{ inputs.severity }}' \
+ --ignorefile '${{ env.TRIVY_IGNORE }}' \
+ ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
- - name: Run Trivy vulnerability scanner
- uses: aquasecurity/trivy-action@0.20.0
- with:
- image-ref: ${{ env.IMAGE_LONG_NAME }}
- format: 'sarif'
- output: 'trivy.sarif'
- severity: ${{ inputs.severity }}
- trivyignores: '.trivyignore'
- ignore-unfixed: true
- scanners: ${{ inputs.trivy-enable-secret-scanner == 'true' && 'vuln,misconfig,secret' || 'vuln,misconfig' }}
- skip-dirs: ${{ inputs.trivy-skip-dirs }}
+ - name: Run Trivy vulnerability scanner (push)
+ shell: bash
 if: github.event_name == 'push'
+ run: |
+ trivy image '${{ env.IMAGE_LONG_NAME }}' \
+ --format 'sarif' \
+ --output '${{ env.TRIVY_SARIF }}' \
+ --exit-code '1' \
+ --severity '${{ inputs.severity }}' \
+ --ignorefile '${{ env.TRIVY_IGNORE }}' \
+ ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
 - name: Upload Trivy scan results to GitHub Security tab
 uses: github/codeql-action/upload-sarif@v3
+ if: github.event_name == 'push' && failure()
 with:
- sarif_file: trivy.sarif
+ sarif_file: ${{ env.TRIVY_SARIF }}
 category: 'Trivy'
- if: github.event_name == 'push' && failure()
 - name: Push image
 shell: bash
- run: docker push '${{ env.IMAGE_NAME }}' --all-tags
+ run: podman push '${{ env.IMAGE_NAME }}' --all-tags
diff --git a/trivy-iac-scan/action.yml b/trivy-iac-scan/action.yml
index 483527c..552a4df 100644
--- a/trivy-iac-scan/action.yml
+++ b/trivy-iac-scan/action.yml
@@ -46,16 +46,16 @@ runs:
 echo "AVD-DS-0026" >> '${{ inputs.trivyignore }}'
 - name: Run Trivy vulnerability scanner in IaC mode
- uses: aquasecurity/trivy-action@0.20.0
- with:
- scan-type: 'config'
- format: 'sarif'
- exit-code: '0'
- output: ${{ env.TRIVY_SARIF }}
- severity: ${{ inputs.severity }}
- trivyignores: ${{ inputs.trivyignore }}
- ignore-unfixed: 'true'
- skip-dirs: ${{ inputs.skip-dirs }}
+ shell: bash
+ run: |
+ # Run Trivy
+ trivy config '${{ inputs.path }}' \
+ --format 'sarif' \
+ --output '${{ env.TRIVY_SARIF }}' \
+ --exit-code '0' \
+ --severity '${{ inputs.severity }}' \
+ --ignorefile '${{ inputs.trivyignore }}' \
+ ${{ inputs.skip-dirs != '' && format('--skip-dirs {0}', inputs.skip-dirs) || '' }}
 - name: Upload Trivy report to GitHub Security tab
 if: ${{ inputs.upload-report == 'true' }}
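Review bot: The new `trivy image` steps read `inputs.skip-dirs`, but the lines they replace read `inputs.trivy-skip-dirs` (the IaC action's input name appears to have been copied over), so unless the input was renamed in a part of the file not shown, the skip list is now silently empty; they also drop `--ignore-unfixed` and the `--scanners` selection, which makes the `trivy-enable-secret-scanner` input a no-op and turns unfixed CVEs into PR failures under `--exit-code 1`. The scanner is also no longer pinned — it is whatever `trivy` is on the runner's PATH rather than `trivy-action@0.20.0`. Inputs are interpolated straight into the shell, so a value containing quotes or spaces breaks the command; passing them through `env:` and quoting them avoids that, as sketched below for the PR step (the push step takes the same flags with `--format sarif --output "$TRIVY_SARIF"`). Separately, the context line `for TRIVY_CVE in "$(… | sed 's/,/ /g')"` iterates exactly once because of the outer quotes, so several ignored CVEs land on one line of the ignore file; `echo "${{ inputs.trivy-cve-ignores }}" | tr ',' '\n' >> "$TRIVY_IGNORE"` replaces the loop.
```yaml
- name: Run Trivy vulnerability scanner (PR)
  shell: bash
  if: github.event_name == 'pull_request'
  env:
    SEVERITY: ${{ inputs.severity }}
    SKIP_DIRS: ${{ inputs.trivy-skip-dirs }}
    SCANNERS: ${{ inputs.trivy-enable-secret-scanner == 'true' && 'vuln,misconfig,secret' || 'vuln,misconfig' }}
  run: |
    trivy --version
    trivy image "$IMAGE_LONG_NAME" \
      --format table \
      --exit-code 1 \
      --severity "$SEVERITY" \
      --scanners "$SCANNERS" \
      --ignore-unfixed \
      --ignorefile "$TRIVY_IGNORE" \
      ${SKIP_DIRS:+--skip-dirs "$SKIP_DIRS"}
# … unchanged: (push) step, SARIF upload, Push image …
```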
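Review bot: Replacing the pinned `aquasecurity/trivy-action@0.20.0` with a bare `trivy config` call moves the scanner version and its policy bundle to whatever the self-hosted runner image ships, so results will drift with the runner rather than with this repository; pin the trivy version in the runner image and print it in the step with `trivy --version` so a SARIF report can be tied to the scanner that produced it. `--exit-code '0'` is carried over, so misconfigurations never fail the job and only surface through the upload step — acceptable if that is the intended contract, but it should be stated in the action's documentation. `'${{ inputs.path }}'` and the other inputs are interpolated into the shell; passing them via `env:` and quoting, e.g. `trivy config "$SCAN_PATH" \`, is the safer pattern for an action that other workflows feed.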