feat: config migration and graph repo client (#1889) #813
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: "Vulnerability scan" | |
| on: | |
| push: | |
| branches: [ "main" ] | |
| pull_request: | |
| branches: [ "main" ] | |
| paths: | |
| - pom.xml | |
| - '**/pom.xml' | |
| - Dockerfile | |
| schedule: | |
| - cron: '0 0 * * MON' | |
| permissions: | |
| contents: read | |
| env: | |
| TEST_IMAGE_NAME: 'local/openrouteservice:test' | |
| jobs: | |
| prepare_environment: | |
| name: Prepare the environment variables | |
| runs-on: ubuntu-latest | |
| outputs: | |
| test_image_name: ${{ env.TEST_IMAGE_NAME }} | |
| steps: | |
| - run: | | |
| echo "Publish environment variables" | |
| Anchore-Jar-War-Build-Scan: | |
| name: Grype scan jar and war file | |
| runs-on: ubuntu-latest | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Cache Maven packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Download maven dependencies | |
| run: mvn package -Dmaven.test.skip=true -B dependency:go-offline dependency:resolve-plugins dependency:resolve -q | |
| - name: Build jar and war file | |
| run: | | |
| mvn -B package -DskipTests -DCI=true | |
| # Copy the .jar file to a custom location where grype can find it | |
| mkdir -p ors-api/target/grype | |
| cp ors-api/target/ors.jar ors-api/target/grype/ors.jar | |
| mvn -B package -DskipTests -PbuildWar -DCI=true | |
| cp ors-api/target/ors.war ors-api/target/grype/ors.war | |
| - name: Run the Anchore Grype scan action to console | |
| uses: anchore/scan-action@v3 | |
| with: | |
| path: "ors-api/target/grype/" | |
| fail-build: false | |
| output-format: table | |
| - name: Run the Anchore Grype scan action to SARIF | |
| uses: anchore/scan-action@v3 | |
| id: scan | |
| with: | |
| path: "ors-api/target/grype/" | |
| fail-build: false | |
| output-format: sarif | |
| - name: Upload vulnerability report | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| category: Grype-War-Scan | |
| Anchore-Docker-Image-Scan: | |
| name: Grype scan ${{ matrix.platform }} image | |
| runs-on: ${{ matrix.image }} | |
| needs: | |
| - prepare_environment | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| strategy: | |
| matrix: | |
| platform: [ linux/amd64,linux/arm64/v8 ] | |
| image: [ ubuntu-latest ] | |
| # linux/arm64/v8 is emulated with qemu and takes ages to build the graph. | |
| # Only run linux/arm64/v8 tests on ready PR and main. | |
| isDraftPR: | |
| - ${{ github.event_name == 'pull_request' && github.event.pull_request.draft == true }} | |
| exclude: | |
| - isDraftPR: true | |
| platform: linux/arm64/v8 | |
| steps: | |
| - name: Checkout repository | |
| uses: actions/checkout@v4 | |
| - name: Set up QEMU for ${{ matrix.platform }} | |
| uses: docker/setup-qemu-action@v3 | |
| with: | |
| platforms: ${{ matrix.platform }} | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| id: buildx | |
| with: | |
| install: true | |
| - name: Set up JDK 17 | |
| uses: actions/setup-java@v4 | |
| with: | |
| distribution: 'temurin' | |
| java-version: '17' | |
| - name: Cache Maven packages | |
| uses: actions/cache@v4 | |
| with: | |
| path: ~/.m2 | |
| key: ${{ runner.os }}-m2-${{ hashFiles('**/pom.xml') }} | |
| restore-keys: ${{ runner.os }}-m2 | |
| - name: Prepare the maven cache dependencies | |
| run: | | |
| echo "Sync the maven dependencies" | |
| mvn package -Dmaven.test.skip=true -B dependency:go-offline dependency:resolve-plugins dependency:resolve -q | |
| # Replace all RUN mvn with RUN --mount=type=cache,target=/root/.m2 mvn | |
| sed -i 's/RUN mvn /RUN --mount=type=cache,target=\/root\/.m2 mvn /g' Dockerfile | |
| - name: inject maven-build-cache into docker | |
| uses: reproducible-containers/[email protected] | |
| with: | |
| cache-map: | | |
| { | |
| "/home/runner/.m2": "/root/.m2" | |
| } | |
| - name: Build image for ${{ matrix.platform }} | |
| uses: docker/build-push-action@v4 | |
| with: | |
| context: . | |
| push: false | |
| load: true | |
| tags: ${{ needs.prepare_environment.outputs.test_image_name }} | |
| platforms: ${{ matrix.platform }} | |
| cache-from: type=gha | |
| - name: Run the Anchore Grype scan action to console | |
| uses: anchore/scan-action@v3 | |
| with: | |
| image: ${{ needs.prepare_environment.outputs.test_image_name }} | |
| fail-build: false | |
| output-format: table | |
| - name: Run the Anchore Grype scan action to SARIF | |
| uses: anchore/scan-action@v3 | |
| id: scan | |
| with: | |
| image: ${{ needs.prepare_environment.outputs.test_image_name }} | |
| fail-build: false | |
| output-format: sarif | |
| - name: Upload vulnerability report | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: ${{ steps.scan.outputs.sarif }} | |
| category: Grype-Docker-Image-${{ matrix.platform }} |