Fix preflight checks #1045
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Workflow | |
| on: | |
| push: | |
| branches: [ main ] | |
| pull_request: | |
| branches: [ main ] | |
| jobs: | |
| code-check: | |
| name: Check Go formatting, linting, vetting | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run the formatter, linter, and vetter | |
| uses: dell/common-github-actions/go-code-formatter-linter-vetter@main | |
| with: | |
| directories: ./... | |
| sanitize: | |
| name: Check for forbidden words | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run the forbidden words scan | |
| uses: dell/common-github-actions/code-sanitizer@main | |
| with: | |
| args: /github/workspace | |
| test: | |
| name: Run Go unit tests and check package coverage | |
| runs-on: ubuntu-latest | |
| container: node:20 | |
| services: | |
| # Label used to access the service container | |
| redis: | |
| # Docker Hub image | |
| image: redis | |
| # Set health checks to wait until redis has started | |
| options: >- | |
| --health-cmd "redis-cli ping" | |
| --health-interval 10s | |
| --health-timeout 5s | |
| --health-retries 5 | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run unit tests and check package coverage | |
| uses: dell/common-github-actions/go-code-tester@main | |
| with: | |
| threshold: 90 | |
| skip-list: "karavi-authorization/deploy,karavi-authorization/internal/web,karavi-authorization/internal/tenantsvc,karavi-authorization/cmd/karavictl/cmd,karavi-authorization/cmd/proxy-server,karavi-authorization/cmd/tenant-service,karavi-authorization/internal/proxy,karavi-authorization/internal/tenantsvc,karavi-authorization/internal/token/jwx,karavi-authorization/internal/k8s,karavi-authorization/internal/role-service,karavi-authorization/internal/role-service/validate" | |
| env: | |
| # The hostname used to communicate with the Redis service container | |
| REDIS_HOST: redis | |
| # The default Redis port | |
| REDIS_PORT: 6379 | |
| go_security_scan: | |
| name: Go security | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run Go Security | |
| uses: securego/gosec@master | |
| with: | |
| args: -exclude=G108,G402,G307 ./... | |
| malware_security_scan: | |
| name: Malware Scanner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Run malware scan | |
| uses: dell/common-github-actions/malware-scanner@main | |
| with: | |
| directories: . | |
| options: -ri | |
| image_security_scan: | |
| name: Image Scanner | |
| runs-on: ubuntu-latest | |
| steps: | |
| - name: Set up Go 1.22+ | |
| uses: actions/setup-go@v5 | |
| with: | |
| go-version: ^1.22 | |
| id: go | |
| - name: Checkout the code | |
| uses: actions/checkout@v4 | |
| - name: Install Mockgen | |
| run: go get github.com/golang/mock/[email protected] | |
| - name: Get dependencies | |
| run: go mod download | |
| - name: Build karavi-authorization Docker Images | |
| run: make builder | |
| - name: Get podman image tags for image scans | |
| run: | | |
| BUILDER_TAG=$(cat ${{ github.workspace }}/Makefile | grep 'export BUILDER_TAG ?=' | awk '{print $NF}') | |
| SIDECAR_TAG=$(cat ${{ github.workspace }}/Makefile | grep 'export SIDECAR_TAG ?=' | awk '{print $NF}') | |
| echo "podman_tag=$BUILDER_TAG" >> $GITHUB_ENV | |
| echo "sidecar_tag=$SIDECAR_TAG" >> $GITHUB_ENV | |
| - name: Re-tag podman images and push to Docker | |
| run: | | |
| podman tag localhost/proxy-server:${{ env.podman_tag }} docker.io/library/proxy-server:${{ env.podman_tag }} | |
| podman tag localhost/tenant-service:${{ env.podman_tag }} docker.io/library/tenant-service:${{ env.podman_tag }} | |
| podman tag localhost/storage-service:${{ env.podman_tag }} docker.io/library/storage-service:${{ env.podman_tag }} | |
| podman tag localhost/role-service:${{ env.podman_tag }} docker.io/library/role-service:${{ env.podman_tag }} | |
| podman tag localhost/sidecar-proxy:${{ env.podman_tag }} docker.io/library/sidecar-proxy:${{ env.podman_tag }} | |
| podman save -m -o /tmp/images.tar \ | |
| docker.io/library/proxy-server:${{ env.podman_tag }} \ | |
| docker.io/library/tenant-service:${{ env.podman_tag }} \ | |
| docker.io/library/storage-service:${{ env.podman_tag }} \ | |
| docker.io/library/role-service:${{ env.podman_tag }} \ | |
| docker.io/library/sidecar-proxy:${{ env.podman_tag }} | |
| docker load -i /tmp/images.tar | |
| - name: Scan Proxy Server | |
| uses: Azure/container-scan@v0 | |
| with: | |
| image-name: proxy-server:${{ env.podman_tag }} | |
| severity-threshold: HIGH | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| - name: Scan Role Service | |
| uses: Azure/container-scan@v0 | |
| with: | |
| image-name: role-service:${{ env.podman_tag }} | |
| severity-threshold: HIGH | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| - name: Scan Tenant Service | |
| uses: Azure/container-scan@v0 | |
| with: | |
| image-name: tenant-service:${{ env.podman_tag }} | |
| severity-threshold: HIGH | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| - name: Scan SideCar Proxy | |
| uses: Azure/container-scan@v0 | |
| with: | |
| image-name: sidecar-proxy:${{ env.sidecar_tag }} | |
| severity-threshold: HIGH | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" | |
| - name: Scan Storage Service | |
| uses: Azure/container-scan@v0 | |
| with: | |
| image-name: storage-service:${{ env.podman_tag }} | |
| severity-threshold: HIGH | |
| env: | |
| DOCKLE_HOST: "unix:///var/run/docker.sock" |