-
Notifications
You must be signed in to change notification settings - Fork 4
155 lines (153 loc) · 6.06 KB
/
actions.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
name: Workflow
on:
push:
branches: [ main ]
pull_request:
branches: [ main ]
jobs:
code-check:
name: Check Go formatting and vetting
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Run the formatter and vetter
uses: dell/common-github-actions/go-code-formatter-vetter@main
with:
directories: ./...
sanitize:
name: Check for forbidden words
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Run the forbidden words scan
uses: dell/common-github-actions/code-sanitizer@main
with:
args: /github/workspace
test:
name: Run Go unit tests and check package coverage
runs-on: ubuntu-latest
container: node:20
services:
# Label used to access the service container
redis:
# Docker Hub image
image: redis
# Set health checks to wait until redis has started
options: >-
--health-cmd "redis-cli ping"
--health-interval 10s
--health-timeout 5s
--health-retries 5
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Run unit tests and check package coverage
uses: dell/common-github-actions/go-code-tester@main
with:
threshold: 90
skip-list: "karavi-authorization/deploy,karavi-authorization/internal/web,karavi-authorization/internal/tenantsvc,karavi-authorization/cmd/karavictl/cmd,karavi-authorization/cmd/proxy-server,karavi-authorization/cmd/tenant-service,karavi-authorization/internal/proxy,karavi-authorization/internal/tenantsvc,karavi-authorization/internal/token/jwx,karavi-authorization/internal/k8s,karavi-authorization/internal/role-service,karavi-authorization/internal/role-service/validate,karavi-authorization/cmd/sidecar-proxy"
env:
# The hostname used to communicate with the Redis service container
REDIS_HOST: redis
# The default Redis port
REDIS_PORT: 6379
go_security_scan:
name: Go security
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Run Go Security
uses: securego/gosec@master
with:
args: -exclude=G108,G402,G307 ./...
malware_security_scan:
name: Malware Scanner
runs-on: ubuntu-latest
steps:
- name: Checkout the code
uses: actions/checkout@v4
- name: Run malware scan
uses: dell/common-github-actions/malware-scanner@main
with:
directories: .
options: -ri
image_security_scan:
name: Image Scanner
runs-on: ubuntu-latest
steps:
- name: Set up Go 1.22+
uses: actions/setup-go@v5
with:
go-version: "1.23"
id: go
- name: Checkout the code
uses: actions/checkout@v4
- name: Install Mockgen
run: go get github.com/golang/mock/[email protected]
- name: Get dependencies
run: go mod download
- name: Build karavi-authorization Docker Images
run: make builder
- name: Get podman image tags for image scans
run: |
BUILDER_TAG=$(cat ${{ github.workspace }}/Makefile | grep 'export BUILDER_TAG ?=' | awk '{print $NF}')
SIDECAR_TAG=$(cat ${{ github.workspace }}/Makefile | grep 'export SIDECAR_TAG ?=' | awk '{print $NF}')
echo "podman_tag=$BUILDER_TAG" >> $GITHUB_ENV
echo "sidecar_tag=$SIDECAR_TAG" >> $GITHUB_ENV
- name: Re-tag podman images and push to Docker
run: |
podman tag localhost/proxy-server:${{ env.podman_tag }} docker.io/library/proxy-server:${{ env.podman_tag }}
podman tag localhost/tenant-service:${{ env.podman_tag }} docker.io/library/tenant-service:${{ env.podman_tag }}
podman tag localhost/storage-service:${{ env.podman_tag }} docker.io/library/storage-service:${{ env.podman_tag }}
podman tag localhost/role-service:${{ env.podman_tag }} docker.io/library/role-service:${{ env.podman_tag }}
podman tag localhost/sidecar-proxy:${{ env.podman_tag }} docker.io/library/sidecar-proxy:${{ env.podman_tag }}
podman save -m -o /tmp/images.tar \
docker.io/library/proxy-server:${{ env.podman_tag }} \
docker.io/library/tenant-service:${{ env.podman_tag }} \
docker.io/library/storage-service:${{ env.podman_tag }} \
docker.io/library/role-service:${{ env.podman_tag }} \
docker.io/library/sidecar-proxy:${{ env.podman_tag }}
docker load -i /tmp/images.tar
- name: Scan Proxy Server
uses: aquasecurity/trivy-action@master
with:
image-ref: proxy-server:${{ env.podman_tag }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
exit-code: '1'
trivyignores: '.github/workflows/.trivyignore'
- name: Scan Role Service
uses: aquasecurity/trivy-action@master
with:
image-ref: role-service:${{ env.podman_tag }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
exit-code: '1'
trivyignores: '.github/workflows/.trivyignore'
- name: Scan Tenant Service
uses: aquasecurity/trivy-action@master
with:
image-ref: tenant-service:${{ env.podman_tag }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
exit-code: '1'
trivyignores: '.github/workflows/.trivyignore'
- name: Scan SideCar Proxy
uses: aquasecurity/trivy-action@master
with:
image-ref: sidecar-proxy:${{ env.sidecar_tag }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
exit-code: '1'
trivyignores: '.github/workflows/.trivyignore'
- name: Scan Storage Service
uses: aquasecurity/trivy-action@master
with:
image-ref: storage-service:${{ env.podman_tag }}
severity: 'HIGH,CRITICAL'
ignore-unfixed: true
exit-code: '1'
trivyignores: '.github/workflows/.trivyignore'