Merge pull request #228 from garethahealy/renovate/registry.access.re… #887
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "Build, Analyze and Test" | |
on: [ push, pull_request ] | |
# Declare default permissions as read only. | |
permissions: read-all | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@0080882f6c36860b6ba35c610c98ce87d4e2f26f # v2.10.2 | |
with: | |
egress-policy: audit | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4 | |
with: | |
distribution: "temurin" | |
java-version: 21 | |
cache: "maven" | |
- name: Dependency Review | |
if: github.event_name == 'pull_request' | |
uses: actions/dependency-review-action@3b139cfc5fae8b618d3eae3675e383bb1769c019 # v4 | |
- name: Collect dependencies | |
run: | | |
./mvnw dependency:go-offline --batch-mode | |
./mvnw verify --fail-never --batch-mode | |
./mvnw dependency:resolve-sources dependency:resolve -Dclassifier=javadoc --batch-mode | |
- name: Build | |
run: ./mvnw clean install --batch-mode | |
- name: Build native | |
run: ./mvnw clean install -Pnative --batch-mode | |
- name: Run help | |
id: runner | |
run: | | |
runners=(target/github-stats-*-runner) | |
echo "cmd=$(basename ${runners[0]})" >> "$GITHUB_OUTPUT" | |
"${runners[0]}" help | |
- name: Upload target | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: target | |
path: target/ | |
if-no-files-found: error | |
- name: Upload runner binary | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: runner | |
path: target/github-stats-*-runner | |
if-no-files-found: error | |
- name: Generate hashes | |
shell: bash | |
id: hash | |
run: | | |
echo "hashes=$(sha256sum target/github-stats-*-runner | base64 -w0)" >> "$GITHUB_OUTPUT" | |
- name: Get image tags | |
id: image_tags | |
uses: redhat-cop/github-actions/get-image-version@e4729075dcd3f34946b80df6b1bfb952b9fee166 # v4 | |
with: | |
IMAGE_CONTEXT_DIR: src/main/docker | |
- name: Build image | |
id: build_image | |
uses: redhat-actions/buildah-build@7a95fa7ee0f02d552a32753e7414641a04307056 # v2 | |
with: | |
dockerfiles: src/main/docker/Dockerfile.native | |
image: github-stats | |
oci: true | |
tags: "${{ steps.image_tags.outputs.IMAGE_TAGS }}" | |
- name: Push to ghcr.io | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: redhat-actions/push-to-registry@5ed88d269cf581ea9ef6dd6806d01562096bee9c # v2 | |
id: push_image | |
with: | |
image: ${{ steps.build_image.outputs.image }} | |
registry: ghcr.io/${{ github.repository }} | |
username: ${{ github.repository_owner }} | |
password: ${{ secrets.GITHUB_TOKEN }} | |
tags: ${{ steps.build_image.outputs.tags }} | |
outputs: | |
hashes: ${{ steps.hash.outputs.hashes }} | |
image_repo: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}" | |
image_digest: "${{ steps.push_image.outputs.digest }}" | |
image_uri: "ghcr.io/${{ github.repository }}/${{ steps.build_image.outputs.image }}@${{ steps.push_image.outputs.digest }}" | |
runner: "${{ steps.runner.outputs.cmd }}" | |
analyze: | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
permissions: | |
security-events: write | |
contents: write | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- uses: actions/setup-java@8df1039502a15bceb9433410b1a100fbe190c53b # v4 | |
with: | |
distribution: "temurin" | |
java-version: 21 | |
- name: Initialize CodeQL | |
uses: github/codeql-action/init@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 | |
with: | |
languages: java | |
- name: Autobuild | |
uses: github/codeql-action/autobuild@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 | |
- name: Perform CodeQL Analysis | |
uses: github/codeql-action/analyze@f09c1c0a94de965c15400f5634aa42fac8fb8f88 # v3.27.5 | |
with: | |
category: "/language:java" | |
- name: Submit Dependency Snapshot | |
uses: advanced-security/maven-dependency-submission-action@4f64ddab9d742a4806eeb588d238e4c311a8397d # v4 | |
test: | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
env: | |
RUNNER: "${{ needs.build.outputs.runner }}" | |
steps: | |
- name: Checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4 | |
- name: Download target | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: target | |
- name: Make github-stats-*-runner executable | |
run: chmod +x ${{ env.RUNNER }} | |
- name: Run 'collect-stats' for UKI | |
env: | |
GITHUB_LOGIN: ${{ github.repository_owner }} | |
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
run: | | |
touch /tmp/stats.csv | |
./${{ env.RUNNER }} stats collect-stats --organization=RedHat-Consulting-UK --csv-output=/tmp/stats.csv --validate-org-config=false --required-limit=400 | |
- name: Run 'collect-members-from-ldap' for UKI | |
env: | |
GITHUB_LOGIN: ${{ github.repository_owner }} | |
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
run: | | |
touch /tmp/members.csv | |
./${{ env.RUNNER }} users collect-members-from-ldap --organization=RedHat-Consulting-UK --csv-output=/tmp/members.csv --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --fail-if-no-vpn=false --guess=false | |
- name: Run 'create-who-are-you-issues' for UKI | |
env: | |
GITHUB_LOGIN: ${{ github.repository_owner }} | |
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=admin --guess=false --fail-if-no-vpn=false | |
- name: Upload /tmp/*.csv | |
uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4 | |
with: | |
name: outputs.csv | |
path: /tmp/*.csv | |
if-no-files-found: error | |
- name: Run create-who-are-you-issues for UKI | |
env: | |
GITHUB_LOGIN: ${{ github.repository_owner }} | |
GITHUB_OAUTH: ${{ secrets.RHUKI_READ_PAT }} | |
run: ./${{ env.RUNNER }} users create-who-are-you-issues --dry-run=true --organization=RedHat-Consulting-UK --issue-repo=helm3 --ldap-members-csv=tests/ldap-members.csv --supplementary-csv=tests/supplementary.csv --permission=write --guess=false --fail-if-no-vpn=false | |
sign-image: | |
needs: [ build ] | |
permissions: | |
id-token: write | |
packages: write | |
if: startsWith(github.ref, 'refs/tags/') | |
env: | |
image_uri: ${{ needs.build.outputs.image_uri }} | |
runs-on: ubuntu-latest | |
steps: | |
- name: Setup cosign | |
uses: sigstore/cosign-installer@dc72c7d5c4d10cd6bcb8cf6e3fd625a9e5e537da # v3 | |
- name: Cosign login | |
run: | | |
echo "${{ secrets.GITHUB_TOKEN }}" | cosign login --username ${{ github.repository_owner }} --password-stdin ghcr.io | |
- name: Sign Image | |
run: | | |
cosign sign --yes "${image_uri}" | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
env: | |
TRIVY_USERNAME: ${{ github.repository_owner }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
scan-type: image | |
image-ref: ${{ env.image_uri }} | |
format: "cosign-vuln" | |
output: "cosign-vuln.json" | |
- name: Run Trivy SBOM generator | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 # 0.29.0 | |
env: | |
TRIVY_USERNAME: ${{ github.repository_owner }} | |
TRIVY_PASSWORD: ${{ secrets.GITHUB_TOKEN }} | |
with: | |
scan-type: image | |
image-ref: ${{ env.image_uri }} | |
format: "spdx-json" | |
output: "spdx-json.json" | |
- name: Attach attestations | |
run: | | |
cosign attest --yes --type vuln --predicate cosign-vuln.json "${image_uri}" | |
cosign attest --yes --type cyclonedx --predicate spdx-json.json "${image_uri}" | |
provenance_binary: | |
needs: [ build ] | |
if: startsWith(github.ref, 'refs/tags/') | |
permissions: | |
actions: read | |
id-token: write | |
contents: write | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
with: | |
base64-subjects: "${{ needs.build.outputs.hashes }}" | |
upload-assets: true | |
provenance_image: | |
needs: [ build ] | |
permissions: | |
actions: read # for detecting the Github Actions environment. | |
id-token: write # for creating OIDC tokens for signing. | |
packages: write # for uploading attestations. | |
if: startsWith(github.ref, 'refs/tags/') | |
uses: slsa-framework/slsa-github-generator/.github/workflows/[email protected] # v2.0.0 | |
with: | |
image: ${{ needs.build.outputs.image_repo }} | |
digest: ${{ needs.build.outputs.image_digest }} | |
registry-username: ${{ github.repository_owner }} | |
secrets: | |
registry-password: ${{ secrets.GITHUB_TOKEN }} | |
release: | |
needs: [ build ] | |
runs-on: ubuntu-latest | |
if: startsWith(github.ref, 'refs/tags/') | |
permissions: | |
contents: write | |
steps: | |
- name: Download runner | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4 | |
with: | |
name: runner | |
- name: Upload assets to release | |
uses: softprops/action-gh-release@01570a1f39cb168c169c802c3bceb9e93fb10974 # v2.1.0 | |
with: | |
files: | | |
github-stats-*-runner |