chore|fix(remoting): Enhance the manual build trigger and fix Docker glitches caused by migrating from Maven to GitHub Actions
@@ -1,3 +1,4 @@ | ||
--- | ||
# | ||
# Copyright (c) 2022, 2023 Contributors to the Eclipse Foundation | ||
# | ||
|
@@ -1,3 +1,4 @@ | ||
--- | ||
# | ||
# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation | ||
# | ||
|
@@ -17,16 +18,15 @@ | |
# SPDX-License-Identifier: Apache-2.0 | ||
# | ||
|
||
--- | ||
name: "KICS" | ||
|
||
on: | ||
push: | ||
branches: | ||
- main | ||
- 'release/*' | ||
branches: | ||
- main | ||
- 'release/*' | ||
pull_request: | ||
branches: | ||
branches: | ||
- main | ||
- 'release/*' | ||
|
||
|
@@ -48,22 +48,22 @@ jobs: | |
steps: | ||
- uses: actions/[email protected] | ||
|
||
# | ||
# Take out | ||
# - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable. | ||
# - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart. | ||
# - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart. | ||
# - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline | ||
# - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality | ||
# - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible | ||
# | ||
# | ||
# Take out | ||
# - the "Always" Image Pull Policy Rule (caa3479d-885d-4882-9aac-95e5e78ef5c2) because depending on the deployment/rollout scenarios, other policies are more reasonable. | ||
# - the "LimitRange" Namespace Rule (4a20ebac-1060-4c81-95d1-1f7f620e983b) because the target namespace may define that external to the Chart. | ||
# - the "ResourceQuota" Namespace Rule (48a5beba-e4c0-4584-a2aa-e6894e4cf424) because the target namespace may define that external to the Chart. | ||
# - the "Digest" Image Requirement (7c81d34c-8e5a-402b-9798-9f442630e678) can be realised for releases, but not the mainline | ||
# - the "AppArmorProfile" Requirement (8b36775e-183d-4d46-b0f7-96a6f34a723f) is still a beta functionality | ||
# - the "Administrative Boundaries" Info (e84eaf4d-2f45-47b2-abe8-e581b06deb66) would not be visible | ||
# | ||
- name: KICS scan | ||
uses: checkmarx/[email protected] | ||
Check warning on line 61 in .github/workflows/kics.yml GitHub Actions / Analyze[MEDIUM] Unpinned Actions Full Length Commit SHA
|
||
with: | ||
path: "." | ||
fail_on: high | ||
disable_secrets: true | ||
output_path: kicsResults/ | ||
output_path: kicsResults/ | ||
exclude_queries: caa3479d-885d-4882-9aac-95e5e78ef5c2,4a20ebac-1060-4c81-95d1-1f7f620e983b,48a5beba-e4c0-4584-a2aa-e6894e4cf424,7c81d34c-8e5a-402b-9798-9f442630e678,8b36775e-183d-4d46-b0f7-96a6f34a723f,e84eaf4d-2f45-47b2-abe8-e581b06deb66 | ||
output_formats: "json,sarif" | ||
|
||
|
@@ -1,3 +1,4 @@ | ||
--- | ||
# | ||
# Copyright (c) 2021, 2023 Contributors to the Eclipse Foundation | ||
# | ||
|
@@ -17,15 +18,14 @@ | |
# SPDX-License-Identifier: Apache-2.0 | ||
# | ||
|
||
--- | ||
name: "Trivy" | ||
|
||
on: | ||
schedule: | ||
- cron: "0 0 * * *" | ||
workflow_dispatch: | ||
workflow_run: | ||
workflows: [ "Build" ] | ||
workflows: ["Build"] | ||
branches: | ||
- main | ||
tags: | ||
|
@@ -71,43 +71,60 @@ jobs: | |
sarif_file: "trivy-results-config.sarif" | ||
|
||
trivy: | ||
needs: [ git-sha7 ] | ||
needs: [git-sha7] | ||
permissions: | ||
actions: read | ||
contents: read | ||
security-events: write | ||
runs-on: ubuntu-latest | ||
strategy: | ||
fail-fast: false # continue scanning other images although if the other has been vulnerable | ||
# continue scanning other images although if the other has been vulnerable | ||
fail-fast: false | ||
matrix: | ||
image: | ||
- provisioning-agent | ||
- remoting-agent | ||
- conforming-agent | ||
steps: | ||
|
||
# Determine the right target docker repo | ||
- name: Check github repository and set docker repo | ||
id: set-docker-repo | ||
run: | | ||
echo "REGISTRY=docker.io" >> $GITHUB_OUTPUT; | ||
echo "REPO=tractusx" >> $GITHUB_OUTPUT; | ||
if [ "${{ github.repository }}" != "eclipse-tractusx/knowledge-agents-edc" ]; | ||
then | ||
echo "REGISTRY=ghcr.io" >> $GITHUB_OUTPUT | ||
echo "REPO=ghcr.io/${{ github.repository }}" >> $GITHUB_OUTPUT | ||
fi | ||
exit 0 | ||
- uses: actions/[email protected] | ||
|
||
# We need to login | ||
# Enable repository access (on main branch and version tags only) | ||
- name: Login to GitHub Container Registry | ||
if: ${{ ( github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v') ) }} | ||
uses: docker/login-action@v2 | ||
Check warning on line 108 in .github/workflows/trivy.yml GitHub Actions / Analyze[MEDIUM] Unpinned Actions Full Length Commit SHA
|
||
with: | ||
registry: ${{ steps.set-docker-repo.outputs.REGISTRY }} | ||
# Use existing DockerHub credentials present as secrets | ||
username: ${{ secrets.DOCKER_HUB_USER }} | ||
password: ${{ secrets.DOCKER_HUB_TOKEN }} | ||
username: ${{ secrets.DOCKER_HUB_USER || github.actor }} | ||
password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }} | ||
|
||
## This step will fail if the docker images is not found | ||
# This step will fail if the docker images is not found | ||
- name: "Check if image exists" | ||
id: imageCheck | ||
run: | | ||
docker manifest inspect tractusx/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }} | ||
docker manifest inspect ${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }} | ||
continue-on-error: true | ||
|
||
## the next two steps will only execute if the image exists check was successful | ||
- name: Run Trivy vulnerability scanner | ||
if: success() && steps.imageCheck.outcome != 'failure' | ||
uses: aquasecurity/trivy-action@master | ||
Check warning on line 125 in .github/workflows/trivy.yml GitHub Actions / Analyze[MEDIUM] Unpinned Actions Full Length Commit SHA
|
||
with: | ||
image-ref: "tractusx/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}" | ||
image-ref: "${{ steps.set-docker-repo.outputs.REPO }}/${{ matrix.image }}:${{ needs.git-sha7.outputs.value }}" | ||
format: "sarif" | ||
output: "trivy-results-${{ matrix.image }}.sarif" | ||
exit-code: "1" | ||
|
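Review bot: The new credential fallback `username: ${{ secrets.DOCKER_HUB_USER || github.actor }}` / `password: ${{ secrets.DOCKER_HUB_TOKEN || secrets.GITHUB_TOKEN }}` is keyed on whether the secrets exist, while the registry it logs into is keyed on `github.repository` in the set-docker-repo step, so the two can disagree: a fork that has copied the Docker Hub secrets would send that token to ghcr.io, and the upstream repository with the secrets unset would send `GITHUB_TOKEN` to docker.io. Keying both on the registry output keeps each credential with the registry it belongs to, e.g. `username: ${{ steps.set-docker-repo.outputs.REGISTRY == 'ghcr.io' && github.actor || secrets.DOCKER_HUB_USER }}` and `password: ${{ steps.set-docker-repo.outputs.REGISTRY == 'ghcr.io' && secrets.GITHUB_TOKEN || secrets.DOCKER_HUB_TOKEN }}`. The job's `permissions:` block lists only actions/contents/security-events and no `packages: read`, so on the ghcr.io path `GITHUB_TOKEN` presumably only reaches public packages; add that scope if fork images are private. Separately, `docker/login-action@v2` and `aquasecurity/trivy-action@master` run with the registry credentials and `security-events: write` from a mutable ref — pinning them to a full-length commit SHA, as the inline code-scanning warnings already ask, closes that supply-chain gap.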