
name: "Build, Analyze and Test"

on:
  push:
  pull_request:

# Workflow-wide default: every GITHUB_TOKEN scope is read-only. A job that
# declares its own `permissions:` block replaces this default entirely, so
# such jobs have to list every scope they rely on, read scopes included.
permissions: read-all

jobs:
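build:
  runs-on: ubuntu-latest
  # A job-level permissions block replaces the workflow default (read-all),
  # so any scope not listed here is "none": contents:read is what checkout
  # uses, packages:write is for the ghcr.io push on tag builds.
  permissions:
    contents: read
    packages: write
  steps:
    - name: Checkout
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
    - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
      with:
        distribution: "temurin"
        java-version: "21"
    - uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3
      with:
        path: ~/.m2/repository
        # Cache entries are immutable per key: a constant key is written on
        # the first run and never refreshed, so new dependencies are never
        # cached. The pom hash makes the key change with the dependency set
        # and the restore-keys prefix still gives a warm start after a change.
        key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
        restore-keys: |
          ${{ runner.os }}-maven-
    - name: Build
      run: ./mvnw clean install --batch-mode
    # `clean` wipes target/ first, so this is a full second build with the
    # native profile on top of the JVM build above.
    - name: Build native
      run: ./mvnw clean install -Pnative --batch-mode
    # Smoke test: the freshly built native runner must at least start.
    - name: Run help
      run: target/github-stats-*-runner help
    - name: Upload target
      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
      with:
        name: target
        path: target/
        if-no-files-found: error
    - name: Upload runner binary
      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
      with:
        name: runner
        path: target/github-stats-*-runner
        if-no-files-found: error
    # SLSA subject list consumed by provenance_binary: "<sha256>  <name>"
    # lines, base64 on a single line. Hashed from inside target/ so the
    # subject name is the bare file name, the same name the release job
    # attaches to the GitHub release.
    - name: Generate hashes
      id: hash
      shell: bash
      run: |
        echo "hashes=$(cd target && sha256sum github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
    - name: Get image tags
      id: image_tags
      # TODO(review): pin this to a commit SHA like every other action in the
      # file. "@main" is a mutable ref, and this job holds packages:write.
      uses: redhat-cop/github-actions/get-image-version@main
      with:
        IMAGE_CONTEXT_DIR: src/main/docker
    - name: Build image
      id: build_image
      uses: redhat-actions/buildah-build@b4dc19b4ba891854660ab1f88a097d45aa158f76 # v2
      with:
        dockerfiles: src/main/docker/Dockerfile.native-micro
        image: github-stats
        oci: true
        tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
    # Only tag builds publish; GITHUB_TOKEN is scoped to this repository's
    # packages by the permissions block above.
    - name: Push to ghcr.io
      if: startsWith(github.ref, 'refs/tags/')
      uses: redhat-actions/push-to-registry@9986a6552bc4571882a4a67e016b17361412b4df # v2
      id: push_image
      with:
        image: ${{ steps.build_image.outputs.image }}
        registry: ghcr.io/${{ github.repository }}
        username: ${{ github.repository_owner }}
        password: ${{ secrets.GITHUB_TOKEN }}
        tags: ${{ steps.build_image.outputs.tags }}
  outputs:
    hashes: ${{ steps.hash.outputs.hashes }}
    image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
    # image_digest and image_uri are only populated on tag builds, where the
    # push step ran; every consumer job gates on the same tag condition.
    image_digest: "${{ steps.push_image.outputs.digest }}"
    image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"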
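analyze:
  needs: [ build ]
  runs-on: ubuntu-latest
  # Job-level permissions replace the workflow default, so the read scopes
  # are spelled out: security-events:write uploads the SARIF results,
  # contents:read covers checkout. NOTE(review): actions:read is the extra
  # scope CodeQL's docs list for private repositories; it is harmless here.
  permissions:
    actions: read
    contents: read
    security-events: write
  steps:
    - name: Checkout
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
    - uses: actions/setup-java@387ac29b308b003ca37ba93a6cab5eb57c8f5f93 # v4
      with:
        distribution: "temurin"
        java-version: "21"
    - name: Initialize CodeQL
      uses: github/codeql-action/init@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
      with:
        languages: java
    # CodeQL needs to observe a compilation for Java; autobuild rebuilds the
    # project independently of the build job's artifacts.
    - name: Autobuild
      uses: github/codeql-action/autobuild@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
    - name: Perform CodeQL Analysis
      uses: github/codeql-action/analyze@012739e5082ff0c22ca6d6ab32e07c36df03c4a4 # v3
      with:
        category: "/language:java"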
test:
  needs:
    - build
  runs-on: ubuntu-latest
  # No job-level permissions block, so this job keeps the workflow default
  # (read-all GITHUB_TOKEN). The binary's GitHub API access comes from the
  # RHUKI_READ_PAT secret, exposed only to the two steps that run it.
  # NOTE(review): on pull_request runs from forks that secret is not
  # available, so those steps would run with an empty GITHUB_OAUTH.
  steps:
    - name: Checkout
      uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
    # Pull the whole target/ tree built by the build job into the working
    # directory. The artifact does not keep the executable bit, hence chmod.
    - name: Download target
      uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
      with:
        name: target
    - name: Make github-stats-*-runner executable
      run: chmod +x github-stats-*-runner
    - name: Run collect-stats for UKI
      env:
        GITHUB_LOGIN: ${{ github.repository_owner }}
        GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
      run: >-
        ./github-stats-*-runner collect-stats
        --organization=RedHat-Consulting-UK
        --validate-org-config=false
    - name: Upload github-output.csv
      uses: actions/upload-artifact@c7d193f32edcb7bfad88892161225aeda64e9392 # v4
      with:
        name: github-output.csv
        path: github-output.csv
        if-no-files-found: error
    # Dry run only: exercises the issue-creation path without writing to
    # the target repository.
    - name: Run create-who-are-you-issues for UKI
      env:
        GITHUB_LOGIN: ${{ github.repository_owner }}
        GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
      run: >-
        ./github-stats-*-runner create-who-are-you-issues
        --dry-run=true
        --organization=RedHat-Consulting-UK
        --issue-repo=helm3
        --members-csv=tests/members.csv
        --supplementary-csv=tests/supplementary.csv
        --permission=write
        --fail-if-no-vpn=false
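sign-image:
  needs: [ build ]
  if: startsWith(github.ref, 'refs/tags/')
  runs-on: ubuntu-latest
  permissions:
    id-token: write # keyless signing: OIDC token exchanged for a signing cert
    packages: write # push the .sig / .att artifacts to ghcr.io
  env:
    # Digest-pinned reference from the build job; every cosign and trivy
    # call below operates on this exact image, never on a mutable tag.
    image_uri: ${{ needs.build.outputs.image_uri }}
  steps:
    - name: Setup cosign
      uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3
    # Credentials are passed through env rather than ${{ }} interpolation
    # into the script body, so the token is never part of the shell source.
    - name: Cosign login
      env:
        REGISTRY_USERNAME: ${{ github.repository_owner }}
        REGISTRY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      run: |
        echo "${REGISTRY_PASSWORD}" | cosign login --username "${REGISTRY_USERNAME}" --password-stdin ghcr.io
    - name: Sign Image
      run: |
        cosign sign --yes "${image_uri}"
    - name: Run Trivy vulnerability scanner
      uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
      env:
        TRIVY_USERNAME: ${{ github.repository_owner }}
        TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      with:
        scan-type: image
        image-ref: ${{ env.image_uri }}
        format: "cosign-vuln"
        output: "cosign-vuln.json"
    - name: Run Trivy SBOM generator
      uses: aquasecurity/trivy-action@d43c1f16c00cfd3978dde6c07f4bbcf9eb6993ca # 0.16.1
      env:
        TRIVY_USERNAME: ${{ github.repository_owner }}
        TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
      with:
        scan-type: image
        image-ref: ${{ env.image_uri }}
        format: "spdx-json"
        output: "spdx-json.json"
    # The predicate type must describe the payload, otherwise verifiers
    # asking for one type get a document in another format: trivy's
    # cosign-vuln output is the `vuln` type and spdx-json is SPDX JSON, so
    # the SBOM is attested as `spdxjson`, not `cyclonedx`.
    - name: Attach attestations
      run: |
        cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}"
        cosign attest --yes --type spdxjson --predicate spdx-json.json "${image_uri}"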
provenance_binary:
  needs:
    - build
  if: startsWith(github.ref, 'refs/tags/')
  permissions:
    actions: read   # the generator inspects the Actions environment
    id-token: write # OIDC token for keyless signing of the provenance
    contents: write # upload-assets attaches the provenance to the release
  # Reusable SLSA generator, referenced by tag: the generator's own
  # verification expects a tag reference, so this is intentionally not a
  # commit SHA like the other actions in this file.
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
  with:
    # base64 "<sha256>  <name>" lines produced by the build job's hash step.
    base64-subjects: "${{ needs.build.outputs.hashes }}"
    upload-assets: true
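provenance_image:
  # NOTE(review): serialised after sign-image so the provenance attestation
  # and the vuln/SBOM attestations are not appended to the image's .att tag
  # concurrently; cosign appends by fetch-modify-push, so parallel writers
  # can overwrite each other.
  needs: [ build, sign-image ]
  permissions:
    actions: read # for detecting the Github Actions environment.
    id-token: write # for creating OIDC tokens for signing.
    packages: write # for uploading attestations.
  if: startsWith(github.ref, 'refs/tags/')
  # Referenced by tag on purpose: the SLSA generator expects a tag ref.
  uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected]
  with:
    # Repository plus digest, both from the build job, so provenance is
    # bound to the exact image that was pushed.
    image: ${{ needs.build.outputs.image_repo }}
    digest: ${{ needs.build.outputs.image_digest }}
    registry-username: ${{ github.repository_owner }}
  secrets:
    registry-password: ${{ secrets.GITHUB_TOKEN }}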
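release:
  needs: [ build ]
  runs-on: ubuntu-latest
  if: startsWith(github.ref, 'refs/tags/')
  # Replaces the workflow default; contents:write is the only scope needed
  # to attach assets to the release for this tag.
  permissions:
    contents: write
  steps:
    # Only the native runner artifact, not the whole target/ tree.
    - name: Download runner
      uses: actions/download-artifact@f44cd7b40bfd40b6aa1cc1b9b5b7bf03d3c67110 # v4
      with:
        name: runner
    - name: Upload assets to release
      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # v0.1.15
      with:
        # Fail instead of silently publishing a release with no binary when
        # the glob matches nothing (e.g. an artifact layout change).
        fail_on_unmatched_files: true
        files: |
          github-stats-*-runner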