This repository has been archived by the owner on Sep 30, 2024. It is now read-only.
Bump aquasecurity/trivy-action from 0.16.1 to 0.17.0 #612
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Application Container Builds" | |
on: | |
push: | |
tags: | |
- "[0-9]+.[0-9]+.[0-9]+" | |
- "[0-9]+.[0-9]+.[0-9]+-rc[0-9]+" | |
branches: [main] | |
# Path filters aren't evaluated for tags - https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#onpushpull_requestpull_request_targetpathspaths-ignore | |
paths: | |
- "src/**/*.py" | |
- "src/**/*.html" | |
- "tests/**/*" | |
- ".github/workflows/**" | |
- ".github/scripts/**" | |
- "pyproject.toml" | |
- "poetry.lock" | |
- "docker/app/**" | |
- "docker/diag-etl/**" | |
pull_request: | |
paths: | |
- "src/**/*.py" | |
- "src/**/*.html" | |
- "tests/**/*" | |
- ".github/workflows/**" | |
- ".github/scripts/**" | |
- "pyproject.toml" | |
- "poetry.lock" | |
- "docker/app/**" | |
- "docker/diag-etl/**" | |
workflow_dispatch: # Manually | |
env: | |
REGISTRY: ghcr.io/noaa-gsl/unified-graphics | |
jobs: | |
lint: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install poetry | |
run: pipx install poetry | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install dependencies | |
run: | | |
poetry env use 3.10 | |
poetry install | |
- name: Lint with Black | |
run: poetry run black --check . | |
- name: Lint with Flake8 | |
run: poetry run flake8 --count --show-source --statistics . | |
- name: Lint with isort | |
run: poetry run isort --check . | |
type-check: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install poetry | |
run: pipx install poetry | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install dependencies | |
run: | | |
poetry env use 3.10 | |
poetry install | |
- name: Check Types with mypy | |
run: poetry run mypy src/ | |
test: | |
runs-on: ubuntu-latest | |
permissions: | |
pull-requests: write | |
services: | |
postgres: | |
image: "postgres:15.2" | |
env: | |
POSTGRES_PASSWORD: postgres | |
options: >- | |
--health-cmd pg_isready | |
--health-interval 10s | |
--health-timeout 5s | |
--health-retries 5 | |
ports: | |
- "5432:5432" | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Install poetry | |
run: pipx install poetry | |
- uses: actions/setup-python@v5 | |
with: | |
python-version: "3.10" | |
- name: Install dependencies | |
run: | | |
poetry env use 3.10 | |
poetry install | |
- name: Test | |
run: | | |
poetry run coverage run -m pytest tests/ | |
poetry run coverage report | |
poetry run coverage xml | |
- name: Code Coverage Report | |
uses: irongut/[email protected] | |
with: | |
header: API Coverage | |
filename: coverage.xml | |
badge: true | |
fail_below_min: true | |
format: markdown | |
hide_branch_rate: false | |
hide_complexity: true | |
indicators: true | |
output: both | |
thresholds: "60 80" | |
- name: Add Coverage PR Comment | |
uses: marocchino/sticky-pull-request-comment@v2 | |
if: github.event_name == 'pull_request' | |
with: | |
recreate: true | |
path: code-coverage-results.md | |
build_app: | |
runs-on: ubuntu-latest | |
needs: [lint, type-check, test] | |
permissions: | |
packages: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Build & tag image | |
run: | | |
docker build -t ${{ env.REGISTRY }}/api:${{ env.BRANCH }} -f docker/app/Dockerfile . | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
docker push ${{ env.REGISTRY }}/api:${{ env.BRANCH }} | |
build_diag_etl: | |
runs-on: ubuntu-latest | |
needs: [lint, type-check, test] | |
permissions: | |
packages: write | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Build & tag image | |
run: | | |
docker build -t ${{ env.REGISTRY }}/data:${{ env.BRANCH }} -f docker/diag-etl/Dockerfile . | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Push image | |
run: | | |
docker push ${{ env.REGISTRY }}/data:${{ env.BRANCH }} | |
scan_app: | |
runs-on: ubuntu-latest | |
needs: build_app | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Scan image with Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "${{ env.REGISTRY }}/api:${{ env.BRANCH }}" | |
format: "sarif" | |
output: "trivy-results.sarif" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
limit-severities-for-sarif: true | |
exit-code: "1" | |
env: | |
TRIVY_USERNAME: ${{ github.actor }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: always() | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" | |
scan_diag_etl: | |
runs-on: ubuntu-latest | |
needs: build_diag_etl | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Scan image with Trivy | |
uses: aquasecurity/[email protected] | |
with: | |
image-ref: "${{ env.REGISTRY }}/data:${{ env.BRANCH }}" | |
format: "sarif" | |
output: "trivy-results.sarif" | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
limit-severities-for-sarif: true | |
exit-code: "1" | |
env: | |
TRIVY_USERNAME: ${{ github.actor }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
- name: Upload Trivy scan results to GitHub Security tab | |
if: always() | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: "trivy-results.sarif" | |
deploy: | |
if: ${{ github.actor != 'dependabot[bot]' }} # Don't deploy Dependabot changes | |
runs-on: ubuntu-latest | |
environment: vlab | |
concurrency: vlab | |
needs: [scan_app, scan_diag_etl] | |
steps: | |
- uses: actions/checkout@v4 | |
- name: Extract branch/tag name | |
run: python3 ./.github/scripts/extract_git_ref.py # Provides env.BRANCH | |
- name: Login to GHCR | |
uses: docker/login-action@v3 | |
with: | |
registry: ghcr.io | |
username: ${{ github.actor }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
- name: Configure AWS credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: us-east-1 | |
- name: Login to ECR | |
uses: aws-actions/amazon-ecr-login@v2 | |
- name: retag image and push | |
run: | | |
docker pull ${{ env.REGISTRY }}/api:${{ env.BRANCH }} | |
docker tag ${{ env.REGISTRY }}/api:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/api:${{ env.BRANCH }} | |
docker push ${{ secrets.AWS_REGISTRY }}/api:${{ env.BRANCH }} | |
docker pull ${{ env.REGISTRY }}/data:${{ env.BRANCH }} | |
docker tag ${{ env.REGISTRY }}/data:${{ env.BRANCH }} ${{ secrets.AWS_REGISTRY }}/data:${{ env.BRANCH }} | |
docker push ${{ secrets.AWS_REGISTRY }}/data:${{ env.BRANCH }} |