Merge pull request #11 from garethahealy/renovate/aquasecurity-trivy-… #39
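name: "Build, Analyze and Test"
on: [push, pull_request]
# Declare default permissions as read only.
permissions: read-all
jobs:
  # Builds the JVM and native artifacts, publishes them as workflow artifacts,
  # builds the OCI image and (on tag refs only) pushes it to ghcr.io.
  build:
    runs-on: ubuntu-latest
    permissions:
      # Job-level permissions replace the workflow default rather than extend it,
      # so the scopes this job relies on are listed explicitly.
      contents: read
      packages: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
        with:
          distribution: "temurin"
          java-version: 21
      - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
        with:
          path: ~/.m2/repository
          key: ${{ runner.os }}-maven
          restore-keys: |
            ${{ runner.os }}-maven
      - name: Build
        run: ./mvnw clean install --batch-mode
      - name: Build native
        run: ./mvnw clean install -Pnative --batch-mode
      - name: Run help
        run: target/github-stats-*-runner help
      - name: Upload target
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
        with:
          name: target
          path: target/
          if-no-files-found: error
      - name: Upload runner binary
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
        with:
          name: runner
          path: target/github-stats-*-runner
          if-no-files-found: error
      # The base64-encoded sha256sum output is the subject list consumed by the
      # SLSA generic generator in the provenance_binary job.
      - name: Generate hashes
        shell: bash
        id: hash
        run: |
          echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
      - name: Get image tags
        id: image_tags
        # NOTE(review): every other action here is pinned to a commit SHA; this one
        # follows a mutable branch ref, so its code can change underneath the
        # workflow. Pin it to a commit SHA (not visible from this file) and let
        # Renovate track the version comment.
        uses: redhat-cop/github-actions/get-image-version@main
        with:
          IMAGE_CONTEXT_DIR: src/main/docker
      - name: Build image
        id: build_image
        uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2
        with:
          dockerfiles: src/main/docker/Dockerfile.native-micro
          image: github-stats
          oci: true
          tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
      - name: Push to ghcr.io
        if: startsWith(github.ref, 'refs/tags/')
        uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2
        id: push_image
        with:
          image: ${{ steps.build_image.outputs.image }}
          registry: ghcr.io/${{ github.repository }}
          username: ${{ github.repository_owner }}
          password: ${{ secrets.GITHUB_TOKEN }}
          tags: ${{ steps.build_image.outputs.tags }}
    outputs:
      hashes: ${{ steps.hash.outputs.hashes }}
      image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
      # image_digest and image_uri are only populated on tag refs, because the
      # push step that produces the digest is skipped otherwise. Every consumer
      # below is gated on the same tag condition.
      image_digest: "${{ steps.push_image.outputs.digest }}"
      image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"

  # Static analysis with CodeQL; results are uploaded to code scanning.
  analyze:
    needs: [build]
    runs-on: ubuntu-latest
    permissions:
      # Job-level permissions replace the workflow default; checkout and the
      # CodeQL actions need repository read access alongside the upload scope.
      contents: read
      security-events: write
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
        with:
          distribution: "temurin"
          java-version: 21
      - name: Initialize CodeQL
        uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
        with:
          languages: java
      - name: Autobuild
        uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
      - name: Perform CodeQL Analysis
        uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
        with:
          category: "/language:java"

  # Smoke-tests the native runner against a real organization using a
  # read-only PAT supplied as a repository secret.
  test:
    needs: [build]
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
      - name: Download target
        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
        with:
          name: target
      - name: Make github-stats-*-runner executable
        run: chmod +x github-stats-*-runner
      - name: Run collect-stats for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: ./github-stats-*-runner collect-stats --organization=RedHat-Consulting-UK --validate-org-config=false
      - name: Upload github-output.csv
        uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
        with:
          name: github-output.csv
          path: github-output.csv
          if-no-files-found: error
      - name: Run create-who-are-you-issues for UKI
        env:
          GITHUB_LOGIN: ${{ github.repository_owner }}
          GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
        run: ./github-stats-*-runner create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --members-csv=tests/members.csv --supplementary-csv=tests/supplementary.csv --permission=write --fail-if-no-vpn=false

  # Keyless signing of the pushed image plus vulnerability and SBOM attestations.
  sign-image:
    needs: [build]
    permissions:
      id-token: write
      packages: write
    if: startsWith(github.ref, 'refs/tags/')
    env:
      # Digest-qualified reference produced by the build job's push step; this
      # job is gated on tag refs, which is the only case where it is set.
      image_uri: ${{ needs.build.outputs.image_uri }}
    runs-on: ubuntu-latest
    steps:
      - name: Setup cosign
        uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
      - name: Cosign login
        # Credentials are passed through env rather than interpolated into the
        # script so the token never appears in shell source and no expression
        # value is expanded by the shell.
        env:
          REGISTRY_USERNAME: ${{ github.repository_owner }}
          REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        run: |
          echo "$REGISTRY_PASSWORD" | cosign login --username "$REGISTRY_USERNAME" --password-stdin ghcr.io
      - name: Sign Image
        run: |
          cosign sign --yes "${image_uri}"
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: image
          image-ref: ${{ env.image_uri }}
          format: "cosign-vuln"
          output: "cosign-vuln.json"
      - name: Run Trivy SBOM generator
        uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
        env:
          TRIVY_USERNAME: ${{ github.repository_owner }}
          TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
        with:
          scan-type: image
          image-ref: ${{ env.image_uri }}
          format: "spdx-json"
          output: "spdx-json.json"
      - name: Attach attestations
        # The SBOM predicate is SPDX JSON (see the Trivy format above), so it is
        # attested with the matching spdxjson predicate type rather than cyclonedx.
        run: |
          cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}"
          cosign attest --yes --type spdxjson --predicate spdx-json.json "${image_uri}"

  # SLSA provenance for the runner binary, attached to the GitHub release.
  provenance_binary:
    needs: [build]
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      actions: read
      id-token: write
      contents: write
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      base64-subjects: "${{ needs.build.outputs.hashes }}"
      upload-assets: true

  # SLSA provenance for the container image, pushed next to the image.
  provenance_image:
    needs: [build]
    permissions:
      actions: read # for detecting the Github Actions environment.
      id-token: write # for creating OIDC tokens for signing.
      packages: write # for uploading attestations.
    if: startsWith(github.ref, 'refs/tags/')
    uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
    with:
      image: ${{ needs.build.outputs.image_repo }}
      digest: ${{ needs.build.outputs.image_digest }}
      registry-username: ${{ github.repository_owner }}
    secrets:
      registry-password: ${{ secrets.GITHUB_TOKEN }}

  # Publishes the runner binary as a release asset for the tag.
  release:
    needs: [build]
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/')
    permissions:
      contents: write
    steps:
      - name: Download runner
        uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
        with:
          name: runner
      - name: Upload assets to release
        uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
        with:
          files: |
            github-stats-*-runner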