Skip to content

Bump aquasecurity/trivy-action from d9cd5b1c23aaf8cb31bb09141028215828364bbb to 97646fedde05bcd0961217c60b50e23f721e7ec7 #4075

Bump aquasecurity/trivy-action from d9cd5b1c23aaf8cb31bb09141028215828364bbb to 97646fedde05bcd0961217c60b50e23f721e7ec7

Bump aquasecurity/trivy-action from d9cd5b1c23aaf8cb31bb09141028215828364bbb to 97646fedde05bcd0961217c60b50e23f721e7ec7 #4075

Workflow file for this run

name: CI
on:
push:
branches:
- master
- release-*
pull_request: {}
workflow_dispatch: {}
# Declare default permissions as read only.
permissions: read-all
env:
# Common versions
GO_VERSION: '1.20'
GOLANGCI_VERSION: 'v1.55.2'
DOCKER_BUILDX_VERSION: 'v0.4.2'
# Common users. We can't run a step 'if secrets.AWS_USR != ""' but we can run
# a step 'if env.AWS_USR' != ""', so we copy these to succinctly test whether
# credentials have been provided before trying to run steps that need them.
DOCKER_USR: ${{ secrets.DOCKER_USR }}
AWS_USR: ${{ secrets.AWS_USR }}
jobs:
typos-check:
name: Spell Check with Typos
runs-on: ubuntu-20.04
steps:
- name: Checkout Actions Repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
- name: Check spelling with custom config file
uses: crate-ci/typos@b86466d268920e98b8f1acc7fbb6f08ec871d136 # v1.24.1
with:
config: ./typos.toml
golangci-lint:
runs-on: ubuntu-20.04
permissions:
security-events: write
steps:
- name: Checkout Code
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: true
- name: Setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go Dependencies
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-go-
- name: Code generate
run: |
make generate
- name: Lint golang code
uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86 # v6.1.0
with:
version: ${{ env.GOLANGCI_VERSION }}
args: --verbose
skip-pkg-cache: true
mod: readonly
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@97646fedde05bcd0961217c60b50e23f721e7ec7 # master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@2c779ab0d087cd7fe7b826087247c2c81f27bfa6 # v3.26.5
with:
sarif_file: 'trivy-results.sarif'
# markdownlint-misspell-shellcheck:
# runs-on: ubuntu-20.04
# # this image is build from Dockerfile
# # https://github.com/pouchcontainer/pouchlinter/blob/master/Dockerfile
# container: pouchcontainer/pouchlinter:v0.1.2
# steps:
# - name: Checkout
# uses: actions/checkout@v3
# - name: Run misspell
# run: find ./* -name "*" | grep -v vendor | xargs misspell -error
# - name: Run shellcheck
# run: find ./ -name "*.sh" | grep -v vendor | xargs shellcheck
# - name: Lint markdown files
# run: find ./ -name "*.md" | grep -v vendor | grep -v commandline | grep -v .github | grep -v swagger | grep -v api | xargs mdl -r ~MD010,~MD013,~MD014,~MD022,~MD024,~MD029,~MD031,~MD032,~MD033,~MD036
# - name: Check markdown links
# run: |
# set +e
# for name in $(find . -name \*.md | grep -v vendor | grep -v CHANGELOG); do
# if [ -f $name ]; then
# markdown-link-check -q $name -c .github/workflows/markdown-link-check.config.json;
# if [ $? -ne 0 ]; then
# code=1
# fi
# fi
# done
# bash -c "exit $code";
unit-tests:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
with:
submodules: true
- name: Fetch History
run: git fetch --prune --unshallow
- name: Setup Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2
with:
go-version: ${{ env.GO_VERSION }}
- name: Cache Go Dependencies
uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: ${{ runner.os }}-go-
- name: Run Unit Tests
run: |
make test
git status
- name: Publish Unit Test Coverage
uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
with:
flags: unittests
file: cover.out
- name: Check diff
run: '[[ -z $(git status -s) ]] || (printf "Existing modified/untracked files.\nPlease run \"make generate manifests\" and push again.\n"; exit 1)'