
Update github/codeql-action digest to b6a472f #10275




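---
# CI for the GitOps repo: lint YAML and Kubernetes manifests under apps/,
# block committed Secret manifests, run Trivy in IaC mode and upload the
# SARIF to the Security tab, refresh the tooling version table, and notify.
name: main

on:  # yamllint disable-line rule:truthy
  push:
    branches: [main]
  pull_request:
    branches: [main]

env:
  # Only the (currently disabled) datree-check job reads this; a workflow-level
  # env exposes the secret to every step of every job, so move it to the job's
  # own env block when datree-check is re-enabled.
  DATREE_TOKEN: ${{ secrets.DATREE_TOKEN }}

jobs:
  env:
    uses: devxp-tech/.github/.github/workflows/env.yaml@main

  yaml-linter:
    name: Yaml Linter 🧹
    runs-on: ubuntu-latest
    # Linting only reads the checkout; keep the token read-only.
    permissions:
      contents: read
    needs:
      - env
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Yaml Lint
        uses: ibiqlik/action-yamllint@2576378a8e339169678f9939646ee3ee325e845c # v3
        with:
          no_warnings: true

  kube-linter:
    name: Kube Linter 🧹
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs:
      - env
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Scan repo
        id: kube-lint-repo
        uses: stackrox/kube-linter-action@5792edc6a03735d592b13c08201711327a935735 # v1.0.5
        with:
          directory: apps
          format: sarif
          output-file: kube-linter.sarif
        # Findings are written to kube-linter.sarif but never fail the job;
        # nothing in this workflow uploads that file.
        continue-on-error: true

  secret-find:
    name: Secrets Find 🔍
    runs-on: ubuntu-latest
    permissions:
      contents: read
    needs:
      - env
    steps:
      - name: Checkout 🛎️
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Find Secrets 🔍
        shell: bash
        # Fail the run when any manifest under apps/ declares `kind: Secret`.
        # The pattern is anchored to the whole line so kinds such as
        # SecretProviderClass do not trigger false positives, and .yml files
        # are covered alongside .yaml. A missing apps/ directory is an error
        # rather than a silent pass.
        run: |
          set -euo pipefail
          if [[ ! -d apps/ ]]; then
            echo "apps/ directory not found; nothing to scan"
            exit 1
          fi
          if grep -rlE --include='*.yaml' --include='*.yml' \
               '^[[:space:]]*kind:[[:space:]]*Secret[[:space:]]*(#.*)?$' apps/ \
             | grep -q .; then
            echo "Fail, secret found! :("
            exit 1
          else
            echo "Success, secret not found! :)"
            exit 0
          fi

  # datree-check:
  #   name: Datree Check 🔒
  #   runs-on: ubuntu-latest
  #   needs:
  #     - env
  #   steps:
  #     - name: Checkout 🛎️
  #       uses: actions/checkout@v3
  #     - name: Run Datree Policy Check
  #       uses: datreeio/action-datree@main
  #       with:
  #         path: 'apps/*/base/*.yaml'
  #         cliArguments: '--only-k8s-files --ignore-missing-schemas'

  trivy-scan:
    name: Trivy Vulnerability Scanner 🔒
    needs:
      - env
    runs-on: ubuntu-22.04
    # upload-sarif needs security-events: write; actions: read is required
    # for private repositories.
    permissions:
      contents: read
      security-events: write
      actions: read
    steps:
      - name: Checkout code 🛎️
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Run Trivy vulnerability scanner in IaC mode 🔎
        # TODO(review): pin to a commit SHA like the other actions in this
        # file; @master is a mutable ref that can change under us.
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'config'
          hide-progress: false
          format: 'sarif'
          output: 'trivy-results.sarif'
          # Findings never fail the job; they surface in the Security tab only.
          exit-code: '0'
          ignore-unfixed: true
          severity: 'CRITICAL,HIGH'
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@aa578102511db1f4524ed59b8cc2bae4f6e88195 # v3
        if: always()
        with:
          sarif_file: 'trivy-results.sarif'

  # quality-gate:
  #   uses: devxp-tech/.github/.github/workflows/sonarqube.yaml@main
  #   secrets: inherit
  #   needs:
  #     - env
  #     - yaml-linter
  #     - kube-linter
  #     - secret-find
  #     # - datree-check
  #     - trivy-scan

  tools-version:
    name: Update TOOLING.md 🔒
    runs-on: ubuntu-latest
    # This job pushes a commit, so it needs contents: write.
    # NOTE(review): on pull_request runs the checkout is a detached merge ref
    # and the token may be read-only, so `git push` is unlikely to succeed
    # there; consider gating the push step on github.event_name == 'push'.
    permissions:
      contents: write
    needs:
      - env
    steps:
      - name: Checkout Repository
        # Pinned to the same SHA as the other checkout steps instead of the
        # mutable v4 tag.
        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4
      - name: Install yq
        run: |
          sudo add-apt-repository -y ppa:rmescandon/yq
          sudo apt-get update
          sudo apt-get install -y yq
      - name: Find and Process kustomization.yaml Files
        run: bash .github/version.sh
      - name: Commit and Push Changes 📝
        # Commit only when the file we stage actually changed. `git status
        # --porcelain` on that path also catches a newly created (untracked)
        # file, which a bare `git diff` would miss, and avoids a failing
        # `git commit` when unrelated files changed but versions.md did not.
        run: |
          set -euo pipefail
          if [[ -n "$(git status --porcelain -- docs/tooling/versions.md)" ]]; then
            git config --global user.name 'github-actions[bot]'
            git config --global user.email 'github-actions[bot]@users.noreply.github.com'
            git add docs/tooling/versions.md
            git commit -m "[ci skip] :robot: [github actions actor] - update versions.md"
            git push
          else
            echo "nothing to do!!!"
          fi

  notify:
    uses: devxp-tech/.github/.github/workflows/notify.yaml@main
    if: always()
    secrets: inherit
    needs:
      - env
      - yaml-linter
      - kube-linter
      - secret-find
      # - datree-check
      # - quality-gate
      - tools-version
      - trivy-scan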