Update actions #1129

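---
# CI workflow: a forbidden-words scan of the checkout and a Trivy scan of the
# locally built karavi-authorization container images. Both jobs only read
# the repository; nothing is pushed, uploaded or commented on.
name: Workflow

# Least privilege for the default GITHUB_TOKEN: the jobs below only need to
# check out the code. Without this the token may carry the repository's
# default (possibly write) scopes into every third-party action step.
permissions:
  contents: read

on: # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

jobs:
  sanitize:
    name: Check for forbidden words
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v4
      # NOTE(review): "@main" is a mutable branch ref, so whatever is pushed
      # upstream runs here with this job's token and workspace. Pin the
      # third-party action to a release tag or full commit SHA
      # (e.g. "@<commit-sha>") and let Dependabot bump it.
      - name: Run the forbidden words scan
        uses: dell/common-github-actions/code-sanitizer@main
        with:
          args: /github/workspace

  image_security_scan:
    name: Image Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go 1.22+
        uses: actions/setup-go@v5
        with:
          go-version: "1.23"
        id: go
      - name: Checkout the code
        uses: actions/checkout@v4
      # "go install pkg@version" builds the tool into GOPATH/bin (on PATH via
      # setup-go) without touching go.mod; since Go 1.17 "go get" no longer
      # installs binaries and would instead edit the module graph in CI.
      # NOTE(review): the module path/version below looks garbled in the
      # rendered page ("[email protected]"); confirm it against the repository.
      - name: Install Mockgen
        run: go install github.com/golang/mock/[email protected]
      - name: Get dependencies
        run: go mod download
      - name: Build karavi-authorization Docker Images
        run: make builder
      # An explicit bash shell turns on "pipefail", so a grep that finds no
      # match fails the step instead of silently exporting an empty tag that
      # every later podman/trivy step would then trip over.
      - name: Get podman image tags for image scans
        shell: bash
        run: |
          BUILDER_TAG=$(grep 'export BUILDER_TAG ?=' "${{ github.workspace }}/Makefile" | awk '{print $NF}')
          SIDECAR_TAG=$(grep 'export SIDECAR_TAG ?=' "${{ github.workspace }}/Makefile" | awk '{print $NF}')
          if [ -z "$BUILDER_TAG" ] || [ -z "$SIDECAR_TAG" ]; then
            echo "::error::BUILDER_TAG or SIDECAR_TAG not found in Makefile" >&2
            exit 1
          fi
          echo "podman_tag=$BUILDER_TAG" >> "$GITHUB_ENV"
          echo "sidecar_tag=$SIDECAR_TAG" >> "$GITHUB_ENV"
      # The sidecar image is carried under env.sidecar_tag end to end so the
      # "Scan SideCar Proxy" step below scans a ref that was actually loaded;
      # previously it was re-tagged with podman_tag but scanned with
      # sidecar_tag, which only works while the two Makefile tags coincide.
      # NOTE(review): assumes the Makefile builds the sidecar as
      # localhost/sidecar-proxy:$SIDECAR_TAG — confirm against "make builder".
      - name: Re-tag podman images and push to Docker
        run: |
          podman tag localhost/proxy-server:${{ env.podman_tag }} docker.io/library/proxy-server:${{ env.podman_tag }}
          podman tag localhost/tenant-service:${{ env.podman_tag }} docker.io/library/tenant-service:${{ env.podman_tag }}
          podman tag localhost/storage-service:${{ env.podman_tag }} docker.io/library/storage-service:${{ env.podman_tag }}
          podman tag localhost/role-service:${{ env.podman_tag }} docker.io/library/role-service:${{ env.podman_tag }}
          podman tag localhost/sidecar-proxy:${{ env.sidecar_tag }} docker.io/library/sidecar-proxy:${{ env.sidecar_tag }}
          podman save -m -o /tmp/images.tar \
            docker.io/library/proxy-server:${{ env.podman_tag }} \
            docker.io/library/tenant-service:${{ env.podman_tag }} \
            docker.io/library/storage-service:${{ env.podman_tag }} \
            docker.io/library/role-service:${{ env.podman_tag }} \
            docker.io/library/sidecar-proxy:${{ env.sidecar_tag }}
          docker load -i /tmp/images.tar
      # NOTE(review): the five scan steps below all use "@master", a mutable
      # ref of a third-party action that receives the loaded images and the
      # job token. Pin to a release tag or full commit SHA ("@<commit-sha>").
      # With exit-code '1' the job fails on any unfixed-free HIGH/CRITICAL
      # finding not listed in .github/workflows/.trivyignore.
      - name: Scan Proxy Server
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: proxy-server:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Role Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: role-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Tenant Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: tenant-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan SideCar Proxy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: sidecar-proxy:${{ env.sidecar_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Storage Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: storage-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'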