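---
name: Workflow

on: # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

# Least privilege for GITHUB_TOKEN: both jobs only read the repository
# (checkout) and run scanners; nothing here writes to the repo, packages
# or security events, so the default (possibly write) grant is not needed.
permissions:
  contents: read

# Supply-chain note for every `uses:` below: `@main` and `@master` are
# mutable branch refs and `@v4`/`@v5` are mutable tags, so the code that
# runs is whatever the upstream ref points at on the day of the run.
# Pin each action to a full commit SHA (`owner/repo@<commit-sha> # vX.Y`)
# and let Dependabot move the pin; the branch refs on the sanitizer and
# trivy-action steps are the ones most worth pinning first.
jobs:
  sanitize:
    name: Check for forbidden words
    runs-on: ubuntu-latest
    steps:
      - name: Checkout the code
        uses: actions/checkout@v4
      - name: Run the forbidden words scan
        # TODO(security): mutable branch ref, see the note above `jobs:`.
        uses: dell/common-github-actions/code-sanitizer@main
        with:
          args: /github/workspace

  image_security_scan:
    name: Image Scanner
    runs-on: ubuntu-latest
    steps:
      - name: Set up Go 1.22+
        id: go
        uses: actions/setup-go@v5
        with:
          # Quoted so YAML does not read 1.23 as the float 1.23 / 1.2x.
          go-version: "1.23"
      - name: Checkout the code
        uses: actions/checkout@v4
      - name: Install Mockgen
        # NOTE(review): the version suffix reads "[email protected]" on the
        # rendered page (masked as an e-mail address), so the real pinned
        # version could not be recovered here; restore it from the repository.
        # Since Go 1.18 `go get` only edits go.mod/go.sum and does not build
        # the binary, so if mockgen must be on PATH this step should become
        # `go install github.com/golang/mock/mockgen@<pinned-version>`.
        run: go get github.com/golang/mock/[email protected]
      - name: Get dependencies
        run: go mod download
      - name: Build karavi-authorization Docker Images
        run: make builder
      - name: Get podman image tags for image scans
        # Tags are read from the Makefile so the scan steps target exactly
        # the images `make builder` just produced.
        run: |
          BUILDER_TAG=$(grep 'export BUILDER_TAG ?=' "${{ github.workspace }}/Makefile" | awk '{print $NF}')
          SIDECAR_TAG=$(grep 'export SIDECAR_TAG ?=' "${{ github.workspace }}/Makefile" | awk '{print $NF}')
          echo "podman_tag=$BUILDER_TAG" >> "$GITHUB_ENV"
          echo "sidecar_tag=$SIDECAR_TAG" >> "$GITHUB_ENV"
      - name: Re-tag podman images and push to Docker
        # trivy-action scans through the docker daemon, so the podman-built
        # images are exported to a tarball and loaded into docker.
        # NOTE(review): sidecar-proxy is tagged with podman_tag here, but the
        # "Scan SideCar Proxy" step looks for sidecar-proxy with sidecar_tag;
        # unless BUILDER_TAG and SIDECAR_TAG are identical in the Makefile,
        # that scan targets an image that was never loaded. Confirm which tag
        # `make builder` gives the sidecar image and use it on both sides.
        run: |
          podman tag localhost/proxy-server:${{ env.podman_tag }} docker.io/library/proxy-server:${{ env.podman_tag }}
          podman tag localhost/tenant-service:${{ env.podman_tag }} docker.io/library/tenant-service:${{ env.podman_tag }}
          podman tag localhost/storage-service:${{ env.podman_tag }} docker.io/library/storage-service:${{ env.podman_tag }}
          podman tag localhost/role-service:${{ env.podman_tag }} docker.io/library/role-service:${{ env.podman_tag }}
          podman tag localhost/sidecar-proxy:${{ env.podman_tag }} docker.io/library/sidecar-proxy:${{ env.podman_tag }}
          podman save -m -o /tmp/images.tar \
            docker.io/library/proxy-server:${{ env.podman_tag }} \
            docker.io/library/tenant-service:${{ env.podman_tag }} \
            docker.io/library/storage-service:${{ env.podman_tag }} \
            docker.io/library/role-service:${{ env.podman_tag }} \
            docker.io/library/sidecar-proxy:${{ env.podman_tag }}
          docker load -i /tmp/images.tar
      # Each scan fails the job (exit-code '1') on any HIGH/CRITICAL finding
      # that has a fix available; unfixed findings are ignored, and
      # accepted exceptions live in .github/workflows/.trivyignore.
      - name: Scan Proxy Server
        # TODO(security): mutable branch ref, see the note above `jobs:`.
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: proxy-server:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Role Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: role-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Tenant Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: tenant-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan SideCar Proxy
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: sidecar-proxy:${{ env.sidecar_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'
      - name: Scan Storage Service
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: storage-service:${{ env.podman_tag }}
          severity: 'HIGH,CRITICAL'
          ignore-unfixed: true
          exit-code: '1'
          trivyignores: '.github/workflows/.trivyignore'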