Build golang-terratest #134
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: golang-terratest | |
| run-name: Build golang-terratest | |
| on: | |
| pull_request: | |
| paths: | |
| - 'pipelines/dockerfiles/golang-terratest/**' | |
| - .github/workflows/golang-terratest.yml | |
| branches: [ master ] | |
| push: | |
| paths: | |
| - 'pipelines/dockerfiles/golang-terratest/**' | |
| - .github/workflows/golang-terratest.yml | |
| workflow_dispatch: | |
| defaults: | |
| run: | |
| shell: bash | |
| working-directory: pipelines/dockerfiles/golang-terratest | |
| jobs: | |
| get-version: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| contents: read | |
| outputs: | |
| version: ${{ steps.get-version.outputs.version }} | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Get version | |
| id: get-version | |
| run: | | |
| version="$(cat Makefile | grep TAG | head -n 1 | awk '{print $3}')" | |
| echo "version=${version}" >> "$GITHUB_OUTPUT" | |
| echo "::notice::Tag version: $version" | |
| checkov: | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Run Checkov action | |
| uses: bridgecrewio/checkov-action@master | |
| with: | |
| directory: pipelines/dockerfiles/golang-terratest | |
| framework: dockerfile | |
| skip_check: CKV_DOCKER_2 | |
| output_format: sarif | |
| output_file_path: checkov-results.sarif | |
| soft_fail: true | |
| - name: Upload Checkov results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| with: | |
| sarif_file: checkov-results.sarif | |
| build: | |
| needs: [ get-version ] | |
| runs-on: ubuntu-22.04 | |
| permissions: | |
| security-events: write | |
| steps: | |
| - name: Checkout source code | |
| uses: actions/checkout@v4 | |
| - name: Docker login | |
| env: | |
| DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} | |
| DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} | |
| run: make login | |
| - name: Docker build | |
| run: make build | |
| - name: Run trivy scan (console output) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: constantin07/golang-terratest:${{ needs.get-version.outputs.version }} | |
| ignore-unfixed: true | |
| severity: 'LOW,MEDIUM,HIGH,CRITICAL' | |
| format: table | |
| - name: Run trivy scan (report upload) | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: constantin07/golang-terratest:${{ needs.get-version.outputs.version }} | |
| ignore-unfixed: true | |
| severity: 'LOW,MEDIUM,HIGH,CRITICAL' | |
| format: sarif | |
| output: trivy-results.sarif | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@v3 | |
| if: always() | |
| with: | |
| sarif_file: trivy-results.sarif | |
| - name: Docker publish | |
| run: make publish |