89 upgrade GitHub actions workflow (IntelLabs#99)

* replace gasp runners becasue unstable; add noproxy to python snyk
cwlacewe · Mar 27, 2023 · 5cb0431 · 5cb0431
1 parent c005611
commit 5cb0431
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 12 deletions.
diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml
@@ -56,8 +56,10 @@ jobs:
 
     # Steps represent a sequence of tasks that will be executed as part of the job
     steps:
-      - name: Clean workspace if git module is found
-        run: rm -rf ${GITHUB_WORKSPACE}/*
+      # - name: Clean workspace if git module is found
+      #   run: |
+      #     sudo chown -R $USER:$USER $GITHUB_WORKSPACE
+      #     rm -rf ${GITHUB_WORKSPACE}/*
 
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - name: Checkout ${{ matrix.coverage_type }} Branch
@@ -118,7 +120,7 @@ jobs:
         if: always()
         run: |
           rm /tmp/tmp-* || true
-          rm -rf ${{ env.ARTIFACT_DIR }}|| true
+          rm -rf /tmp/tmp-* ${{ env.ARTIFACT_DIR }} ${GITHUB_WORKSPACE}/* || true
           docker ps -aqf "name=${{ matrix.container_name }}" | xargs docker stop
           docker rmi $(docker images | grep '<none>' | awk '{print $3}') || true
 

diff --git a/.github/workflows/sdl_req.yml b/.github/workflows/sdl_req.yml
@@ -75,9 +75,12 @@ jobs:
 
   Bandit:
     name: Run Bandit
-    runs-on: gasp
+    runs-on:
+      group: intellabs-generic-runners
+      labels: vdms-check-in
+    # runs-on: gasp (unstable)
     container:
-      image: cache-registry.caas.intel.com/cache/library/python:3.8-slim
+      image: python:3.8-slim
     steps:
       - name: Checkout Branch
         uses: actions/checkout@v3
@@ -131,11 +134,14 @@ jobs:
           docker rmi $(docker images | grep '<none>' | awk '{print $3}') || true
 
   BDBA:
-    runs-on: gasp
+    runs-on:
+      group: intellabs-generic-runners
+      labels: vdms-check-in
+    # runs-on: gasp (unstable)
     name: BDBA
     needs: BuildLatest
     container:
-      image: cache-registry.caas.intel.com/cache/library/python:3.8-slim
+      image: python:3.8-slim
     steps:
       - name: Download Docker Image
         uses: actions/download-artifact@v3
@@ -202,6 +208,8 @@ jobs:
           docker run --rm -i --env SNYK_TOKEN=${{ env.SNYK_TOKEN}} \
             --env SNYK_API=${{ env.SNYK_API}} --env SNYK_DISABLE_ANALYTICS=1 \
             --env COMMAND="pip install -r /app/requirements.txt --proxy $HTTP_PROXY" \
+            --env NO_PROXY=${{ secrets.NO_PROXY }} --env HTTP_PROXY="" --env HTTPS_PROXY="" \
+            --env no_proxy=${{ secrets.NO_PROXY }} --env http_proxy="" --env https_proxy="" \
             -v /var/run/docker.sock:/var/run/docker.sock \
             -v ${PWD}:/app/ \
             snyk/snyk:python-3.8 snyk test -d --file=/app/requirements.txt --package-manager=pip --exclude-base-image-vulns \
@@ -237,10 +245,10 @@ jobs:
       group: intellabs-generic-runners
       labels: vdms-check-in
     steps:
-      - name: Checkout Branch
-        uses: actions/checkout@v3
-        with:
-          submodules: true
+      # - name: Checkout Branch
+      #   uses: actions/checkout@v3
+      #   with:
+      #     submodules: true
           # ref: ${{ env.CHECKOUT_REF }}
       - name: Download Docker Image
         uses: actions/download-artifact@v3
@@ -293,7 +301,7 @@ jobs:
         # cf. https://github.com/actions/upload-artifact/issues/256
         if: always()
         run: |
-          rm /tmp/tmp-* ${{ env.DOCKER_ARTIFACT_DIR }} ${{ env.ARTIFACT_DIR }} ${GITHUB_WORKSPACE}/* || true
+          rm /tmp/tmp-* ${{ env.DOCKER_ARTIFACT_DIR }} ${{ env.ARTIFACT_DIR }} ${GITHUB_WORKSPACE}/docker-bench-security || true
           docker stop vdms_test-CIS && docker rm vdms_test-CIS
           docker rmi $(docker images | grep '<none>' | awk '{print $3}') || true