Skip to content

Merge pull request #228 from garethahealy/renovate/registry.access.re… #887

Merge pull request #228 from garethahealy/renovate/registry.access.re…

Merge pull request #228 from garethahealy/renovate/registry.access.re… #887

Workflow file for this run

name: "Build, Analyze and Test"
on: [ push, pull_request ]
# Declare default permissions as read only.
permissions: read-all
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
jobs:
build:
runs-on: ubuntu-latest
permissions:
packages: write
steps:
- name: Harden Runner
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2
with:
egress-policy: audit
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
with:
distribution: "temurin"
java-version: 21
cache: "maven"
- name: Dependency Review
if: github.event_name == 'pull_request'
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4
- name: Collect dependencies
run: |
./mvnw dependency:go-offline --batch-mode
./mvnw verify --fail-never --batch-mode
./mvnw dependency:resolve-sources dependency:resolve -Dclassifier=javadoc --batch-mode
- name: Build
run: ./mvnw clean install --batch-mode
- name: Build native
run: ./mvnw clean install -Pnative --batch-mode
- name: Run help
id: runner
run: |
runners=(target/github-stats-*-runner)
echo "cmd=$(basename ${runners[0]})" >> "$GITHUB_OUTPUT"
"${runners[0]}" help
- name: Upload target
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: target
path: target/
if-no-files-found: error
- name: Upload runner binary
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: runner
path: target/github-stats-*-runner
if-no-files-found: error
- name: Generate hashes
shell: bash
id: hash
run: |
echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT"
- name: Get image tags
id: image_tags
uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4
with:
IMAGE_CONTEXT_DIR: src/main/docker
- name: Build image
id: build_image
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2
with:
dockerfiles: src/main/docker/Dockerfile.native
image: github-stats
oci: true
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}"
- name: Push to ghcr.io
if: startsWith(github.ref, 'refs/tags/')
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2
id: push_image
with:
image: ${{ steps.build_image.outputs.image }}
registry: ghcr.io/${{ github.repository }}
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
tags: ${{ steps.build_image.outputs.tags }}
outputs:
hashes: ${{ steps.hash.outputs.hashes }}
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}"
image_digest: "${{ steps.push_image.outputs.digest }}"
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}"
runner: "${{ steps.runner.outputs.cmd }}"
analyze:
needs: [ build ]
runs-on: ubuntu-latest
permissions:
security-events: write
contents: write
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4
with:
distribution: "temurin"
java-version: 21
- name: Initialize CodeQL
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
languages: java
- name: Autobuild
uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5
with:
category: "/language:java"
- name: Submit Dependency Snapshot
uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4
test:
needs: [ build ]
runs-on: ubuntu-latest
env:
RUNNER: "${{ needs.build.outputs.runner }}"
steps:
- name: Checkout
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
- name: Download target
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: target
- name: Make github-stats-*-runner executable
run: chmod +x ${{ env.RUNNER }}
- name: Run 'collect-stats' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: |
touch /tmp/stats.csv
./${{ env.RUNNER }} stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400
- name: Run 'collect-members-from-ldap' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: |
touch /tmp/members.csv
./${{ env.RUNNER }} users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false
- name: Run 'create-who-are-you-issues' for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false
- name: Upload /tmp/*.csv
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4
with:
name: outputs.csv
path: /tmp/*.csv
if-no-files-found: error
- name: Run create-who-are-you-issues for UKI
env:
GITHUB_LOGIN: ${{ github.repository_owner }}
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }}
run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false
sign-image:
needs: [ build ]
permissions:
id-token: write
packages: write
if: startsWith(github.ref, 'refs/tags/')
env:
image_uri: ${{ needs.build.outputs.image_uri }}
runs-on: ubuntu-latest
steps:
- name: Setup cosign
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3
- name: Cosign login
run: |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io
- name: Sign Image
run: |
cosign sign --yes "${image_uri}"
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "cosign-vuln"
output: "cosign-vuln.json"
- name: Run Trivy SBOM generator
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0
env:
TRIVY_USERNAME: ${{ github.repository_owner }}
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }}
with:
scan-type: image
image-ref: ${{ env.image_uri }}
format: "spdx-json"
output: "spdx-json.json"
- name: Attach attestations
run: |
cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}"
cosign attest --yes --type cyclonedx --predicate spdx-json.json "${image_uri}"
provenance_binary:
needs: [ build ]
if: startsWith(github.ref, 'refs/tags/')
permissions:
actions: read
id-token: write
contents: write
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
base64-subjects: "${{ needs.build.outputs.hashes }}"
upload-assets: true
provenance_image:
needs: [ build ]
permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
if: startsWith(github.ref, 'refs/tags/')
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0
with:
image: ${{ needs.build.outputs.image_repo }}
digest: ${{ needs.build.outputs.image_digest }}
registry-username: ${{ github.repository_owner }}
secrets:
registry-password: ${{ secrets.GITHUB_TOKEN }}
release:
needs: [ build ]
runs-on: ubuntu-latest
if: startsWith(github.ref, 'refs/tags/')
permissions:
contents: write
steps:
- name: Download runner
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4
with:
name: runner
- name: Upload assets to release
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0
with:
files: |
github-stats-*-runner