ci: use explicit relay version tag in Trivy Scan step #119
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: [ 'v8' ] | |
paths-ignore: | |
- '**.md' # Don't run CI on markdown changes. | |
pull_request: | |
branches: [ 'v8', 'feat/**' ] | |
paths-ignore: | |
- '**.md' | |
jobs: | |
go-versions: | |
uses: ./.github/workflows/go-versions.yml | |
# Runs the common tasks (unit tests, lint, benchmarks, installation test) | |
# against each Go version in the matrix. | |
go-matrix: | |
name: ${{ format('Go {0}', matrix.go-version) }} | |
needs: go-versions | |
strategy: | |
# Let jobs fail independently, in case it's a single version that's broken. | |
fail-fast: false | |
matrix: | |
go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }} | |
uses: ./.github/workflows/common_ci.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
# Integration tests run only on the latest Go version since they are more | |
# time intensive, and we'd likely be rate-limited by LaunchDarkly SaaS if we | |
# ran them in parallel for multiple Go versions. | |
integration-test: | |
needs: go-versions | |
uses: ./.github/workflows/integration-test.yml | |
with: | |
environment: 'staging' | |
go-version: ${{ needs.go-versions.outputs.latest }} | |
security-scan: | |
needs: go-versions | |
runs-on: ubuntu-latest | |
name: "Trivy Scan of Docker Image" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
fetch-tags: 'true' | |
- name: Setup Go ${{ inputs.go-version }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ needs.go-versions.outputs.latest }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386 | |
- name: Build Docker Images | |
run: make products-for-release | |
- name: Get current Relay version | |
id: image-tag | |
run: | |
echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT | |
- uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64 | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true |