DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

CI updates (#9440)

Browse source 
* add labels to dependabot prs

Signed-off-by: cpanato <ctadeu@gmail.com>

* sync hashes and versions dependabot can update the version comment now

Signed-off-by: cpanato <ctadeu@gmail.com>

Signed-off-by: cpanato <ctadeu@gmail.com>
This commit is contained in:
Carlos Tadeu Panato Junior 2022-12-22 16:37:26 +01:00 committed by GitHub
parent 21aa7f55a3
commit bb60e02e96
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 125 additions and 119 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
.github/dependabot.yml vendored
View file

@ -5,7 +5,15 @@ updates:
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"
- package-ecosystem: "github-actions" - package-ecosystem: "github-actions"
directory: "/" directory: "/"
schedule: schedule:
interval: "weekly" interval: "weekly"
labels:
- "area/dependency"
- "release-note-none"
- "ok-to-test"

71
.github/workflows/ci.yaml vendored
View file

@ -33,9 +33,9 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -59,10 +59,10 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Run Gosec Security Scanner - name: Run Gosec Security Scanner
uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # master uses: securego/gosec@1af1d5bb49259b62e45c505db397dd2ada5d74f8 # v2.14.0
with: with:
# G601 for zz_generated.deepcopy.go # G601 for zz_generated.deepcopy.go
# G306 TODO: Expect WriteFile permissions to be 0600 or less # G306 TODO: Expect WriteFile permissions to be 0600 or less
@ -76,24 +76,23 @@ jobs:
if: | if: |
(needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }} (needs.changes.outputs.go == 'true') || (needs.changes.outputs.charts == 'true') || ${{ inputs.run_e2e }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Set up Go 1.19.4 - name: Set up Go
id: go id: go
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with: with:
go-version: '1.19.4' go-version: '1.19'
check-latest: true
- name: Set up QEMU - name: Set up QEMU
uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 #v2.0.0 uses: docker/setup-qemu-action@e81a89b1732b9c48d79cd809d8d81d79c4647a18 # v2.1.0
- name: Set up Docker Buildx - name: Set up Docker Buildx
id: buildx id: buildx
uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.0.0 uses: docker/setup-buildx-action@8c0edbc76e98fa90f69d9a2c020dcb50019dc325 # v2.2.1
with: with:
version: latest version: latest
@ -104,7 +103,7 @@ jobs:
run: | run: |
sudo apt-get -qq update || true sudo apt-get -qq update || true
sudo apt-get install -y pigz sudo apt-get install -y pigz
curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.17.0/bin/linux/amd64/kubectl curl -LO https://storage.googleapis.com/kubernetes-release/release/v1.25.5/bin/linux/amd64/kubectl
chmod +x ./kubectl chmod +x ./kubectl
sudo mv ./kubectl /usr/local/bin/kubectl sudo mv ./kubectl /usr/local/bin/kubectl
@ -145,17 +144,17 @@ jobs:
k8s: [v1.23.13, v1.24.7, v1.25.3] k8s: [v1.23.13, v1.24.7, v1.25.3]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Setup Go - name: Setup Go
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with: with:
go-version: '1.19.4' go-version: '1.19'
check-latest: true
- name: cache - name: cache
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
with: with:
name: docker.tar.gz name: docker.tar.gz
@ -192,7 +191,7 @@ jobs:
run: | run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }} kind create cluster --image=kindest/node:${{ matrix.k8s }}
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with: with:
name: docker.tar.gz name: docker.tar.gz
failOnError: false failOnError: false
@ -211,7 +210,6 @@ jobs:
kind get kubeconfig > $HOME/.kube/kind-config-kind kind get kubeconfig > $HOME/.kube/kind-config-kind
make kind-e2e-chart-tests make kind-e2e-chart-tests
kubernetes: kubernetes:
name: Kubernetes name: Kubernetes
runs-on: ubuntu-latest runs-on: ubuntu-latest
@ -226,12 +224,11 @@ jobs:
k8s: [v1.23.13, v1.24.7, v1.25.3] k8s: [v1.23.13, v1.24.7, v1.25.3]
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: cache - name: cache
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v2 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
with: with:
name: docker.tar.gz name: docker.tar.gz
@ -240,7 +237,7 @@ jobs:
run: | run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v1 - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with: with:
name: docker.tar.gz name: docker.tar.gz
failOnError: false failOnError: false
@ -260,7 +257,7 @@ jobs:
make kind-e2e-test make kind-e2e-test
- name: Uplaod e2e junit-reports - name: Uplaod e2e junit-reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
if: success() || failure() if: success() || failure()
with: with:
name: e2e-test-reports-${{ matrix.k8s }} name: e2e-test-reports-${{ matrix.k8s }}
@ -282,10 +279,10 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: cache - name: cache
uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 uses: actions/download-artifact@9782bd6a9848b53b110e712e20e42d89988822b7 # v3.0.1
with: with:
name: docker.tar.gz name: docker.tar.gz
@ -294,7 +291,7 @@ jobs:
run: | run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml kind create cluster --image=kindest/node:${{ matrix.k8s }} --config test/e2e/kind.yaml
- uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af - uses: geekyeggo/delete-artifact@54ab544f12cdb7b71613a16a2b5a37a9ade990af # v2.0.0
with: with:
name: docker.tar.gz name: docker.tar.gz
failOnError: false failOnError: false
@ -315,7 +312,7 @@ jobs:
make kind-e2e-test make kind-e2e-test
- name: Uplaod e2e junit-reports - name: Uplaod e2e junit-reports
uses: actions/upload-artifact@v3 uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
if: success() || failure() if: success() || failure()
with: with:
name: e2e-test-reports-chroot-${{ matrix.k8s }} name: e2e-test-reports-chroot-${{ matrix.k8s }}
@ -331,9 +328,9 @@ jobs:
PLATFORMS: linux/amd64,linux/arm64 PLATFORMS: linux/amd64,linux/arm64
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images id: filter-images
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -388,7 +385,6 @@ jobs:
run: | run: |
cd images/ext-auth-example-authsvc && make build cd images/ext-auth-example-authsvc && make build
test-image: test-image:
permissions: permissions:
contents: read # for dorny/paths-filter to fetch a list of changed files contents: read # for dorny/paths-filter to fetch a list of changed files
@ -405,9 +401,9 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter-images id: filter-images
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -421,12 +417,13 @@ jobs:
run: | run: |
kind create cluster --image=kindest/node:${{ matrix.k8s }} kind create cluster --image=kindest/node:${{ matrix.k8s }}
- name: Set up Go 1.19.4 - name: Set up Go
id: go id: go
if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with: with:
go-version: '1.19.4' go-version: '1.19'
check-latest: true
- name: kube-webhook-certgen image build - name: kube-webhook-certgen image build
if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }} if: ${{ steps.filter-images.outputs.kube-webhook-certgen == 'true' }}

4
.github/workflows/depreview.yaml vendored
View file

@ -9,6 +9,6 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: 'Checkout Repository' - name: 'Checkout Repository'
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: 'Dependency Review' - name: 'Dependency Review'
uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 #v2.0.2 uses: actions/dependency-review-action@0ff3da6f81b812d4ec3cf37a04e2308c7a723730 # v3.0.2

8
.github/workflows/docs.yaml vendored
View file

@ -22,11 +22,10 @@ jobs:
charts: ${{ steps.filter.outputs.charts }} charts: ${{ steps.filter.outputs.charts }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -47,9 +46,8 @@ jobs:
contents: write # needed to write releases contents: write # needed to write releases
steps: steps:
- name: Checkout master - name: Checkout master
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b #v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Deploy - name: Deploy
uses: ./.github/actions/mkdocs uses: ./.github/actions/mkdocs

10
.github/workflows/helm.yaml vendored
View file

@ -22,11 +22,10 @@ jobs:
charts: ${{ steps.filter.outputs.charts }} charts: ${{ steps.filter.outputs.charts }}
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.10.2 - uses: dorny/paths-filter@4512585405083f25c027a35db413c2b3b9006d50 # v2.11.1
id: filter id: filter
with: with:
token: ${{ secrets.GITHUB_TOKEN }} token: ${{ secrets.GITHUB_TOKEN }}
@ -49,9 +48,8 @@ jobs:
(needs.changes.outputs.charts == 'true') (needs.changes.outputs.charts == 'true')
steps: steps:
- name: Checkout master - name: Checkout master
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with: with:
# Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896 # Fetch entire history. Required for chart-releaser; see https://github.com/helm/chart-releaser-action/issues/13#issuecomment-602063896
fetch-depth: 0 fetch-depth: 0
@ -63,7 +61,7 @@ jobs:
git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com" git config --global user.email "$GITHUB_ACTOR@users.noreply.github.com"
- name: Helm Chart Releaser - name: Helm Chart Releaser
uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f #v1.4.1 uses: helm/chart-releaser-action@98bccfd32b0f76149d188912ac8e45ddd3f8695f # v1.4.1
env: env:
CR_SKIP_EXISTING: "false" CR_SKIP_EXISTING: "false"
CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}" CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"

13
.github/workflows/junit-reports.yaml vendored
View file

@ -1,4 +1,5 @@
name: 'E2E Test Report' name: 'E2E Test Report'
on: on:
workflow_run: workflow_run:
workflows: ['CI'] # runs after CI workflow workflows: ['CI'] # runs after CI workflow
@ -8,9 +9,9 @@ jobs:
report: report:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- uses: dorny/test-reporter@v1 - uses: dorny/test-reporter@c9b3d0e2bd2a4e96aaf424dbaa31c46b42318226 # v1.6.0
with: with:
artifact: /e2e-test-reports-(.*)/ artifact: /e2e-test-reports-(.*)/
name: JEST Tests $1 # Name of the check run which will be created name: JEST Tests $1 # Name of the check run which will be created
path: 'report*.xml' # Path to test results (inside artifact .zip) path: 'report*.xml' # Path to test results (inside artifact .zip)
reporter: jest-junit # Format of test results reporter: jest-junit # Format of test results

3
.github/workflows/perftest.yaml vendored
View file

@ -1,4 +1,5 @@
name: Performance Test name: Performance Test
on: on:
workflow_dispatch: workflow_dispatch:
inputs: inputs:
@ -18,7 +19,7 @@ jobs:
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- name: Install K6 - name: Install K6
run: | run: |

9
.github/workflows/plugin.yaml vendored
View file

@ -17,17 +17,18 @@ jobs:
runs-on: ubuntu-latest runs-on: ubuntu-latest
steps: steps:
- name: Checkout - name: Checkout
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.2 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with: with:
fetch-depth: 0 fetch-depth: 0
- name: Set up Go - name: Set up Go
uses: actions/setup-go@d0a58c1c4d2b25278816e339b944508c875f3613 # v3.2.0 uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with: with:
go-version: 1.19.4 go-version: 1.19
check-latest: true
- name: Run GoReleaser - name: Run GoReleaser
uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v3.0.0 uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1 # v4.1.0
with: with:
version: latest version: latest
args: release --rm-dist args: release --rm-dist

2
.github/workflows/project.yml vendored
View file

@ -13,7 +13,7 @@ jobs:
repository-projects: write repository-projects: write
issues: write issues: write
steps: steps:
- uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 #v0.4.0 - uses: actions/add-to-project@960fbad431afda394cfcf8743445e741acd19e85 # v0.4.0
with: with:
project-url: https://github.com/orgs/kubernetes/projects/104 project-url: https://github.com/orgs/kubernetes/projects/104
github-token: ${{ secrets.PROJECT_WRITER }} github-token: ${{ secrets.PROJECT_WRITER }}

12
.github/workflows/scorecards.yml vendored
View file

@ -1,11 +1,13 @@
name: Scorecards supply-chain security name: Scorecards supply-chain security
on: on:
# Only the default branch is supported. # Only the default branch is supported.
branch_protection_rule: branch_protection_rule:
schedule: schedule:
- cron: '20 11 * * 5' - cron: '20 11 * * 5'
push: push:
branches: [ "main" ] branches:
- "main"
# Declare default permissions as read only. # Declare default permissions as read only.
permissions: read-all permissions: read-all
@ -25,12 +27,12 @@ jobs:
steps: steps:
- name: "Checkout code" - name: "Checkout code"
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.0.0 uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with: with:
persist-credentials: false persist-credentials: false
- name: "Run analysis" - name: "Run analysis"
uses: ossf/scorecard-action@937ffa90d79c7d720498178154ad4c7ba1e4ad8c # v1.1.1 uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86 # v2.1.2
with: with:
results_file: results.sarif results_file: results.sarif
results_format: sarif results_format: sarif
@ -49,7 +51,7 @@ jobs:
# Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF # Upload the results as artifacts (optional). Commenting out will disable uploads of run results in SARIF
# format to the repository Actions tab. # format to the repository Actions tab.
- name: "Upload artifact" - name: "Upload artifact"
uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.0.0 uses: actions/upload-artifact@83fd05a356d7e2593de66fc9913b3002723633cb # v3.1.1
with: with:
name: SARIF file name: SARIF file
path: results.sarif path: results.sarif
@ -57,6 +59,6 @@ jobs:
# Upload the results to GitHub's code scanning dashboard. # Upload the results to GitHub's code scanning dashboard.
- name: "Upload to code-scanning" - name: "Upload to code-scanning"
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 # v2.1.14 uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
with: with:
sarif_file: results.sarif sarif_file: results.sarif

72
.github/workflows/vulnerability-scans.yaml vendored
View file

@ -22,7 +22,7 @@ jobs:
versions: ${{ steps.version.outputs.TAGS }} versions: ${{ steps.version.outputs.TAGS }}
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
with: with:
fetch-depth: 0 fetch-depth: 0
@ -46,47 +46,47 @@ jobs:
scan: scan:
runs-on: ubuntu-latest runs-on: ubuntu-latest
needs: version needs: version
strategy: strategy:
matrix: matrix:
versions: ${{ fromJSON(needs.version.outputs.versions) }} versions: ${{ fromJSON(needs.version.outputs.versions) }}
steps: steps:
- name: Checkout code - name: Checkout code
uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b uses: actions/checkout@755da8c3cf115ac066823e79a1e1788f8940201b # v3.2.0
- shell: bash - shell: bash
id: test id: test
run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" run: echo "Scanning registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}"
- name: Scan image with AquaSec/Trivy - name: Scan image with AquaSec/Trivy
id: scan id: scan
uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 #v0.5.1 uses: aquasecurity/trivy-action@9ab158e8597f3b310480b9a69402b419bc03dbd5 # v0.8.0
with: with:
image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }} image-ref: registry.k8s.io/ingress-nginx/controller:${{ matrix.versions }}
format: 'sarif' format: 'sarif'
output: trivy-results-${{ matrix.versions }}.sarif output: trivy-results-${{ matrix.versions }}.sarif
exit-code: 0 exit-code: 0
vuln-type: 'os,library' vuln-type: 'os,library'
severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN' severity: 'CRITICAL,HIGH,MEDIUM,LOW,UNKNOWN'
- name: Output Sarif File - name: Output Sarif File
shell: bash shell: bash
run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif run: cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
# This step checks out a copy of your repository. # This step checks out a copy of your repository.
- name: Upload SARIF file - name: Upload SARIF file
uses: github/codeql-action/upload-sarif@959cbb7472c4d4ad70cdfe6f4976053fe48ab394 uses: github/codeql-action/upload-sarif@896079047b4bb059ba6f150a5d87d47dde99e6e5 # v2.1.37
with: with:
token: ${{ github.token }} token: ${{ github.token }}
# Path to SARIF file relative to the root of the repository # Path to SARIF file relative to the root of the repository
sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif sarif_file: ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif
- name: Vulz Count - name: Vulz Count
shell: bash shell: bash
run: | run: |
TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length') TRIVY_COUNT=$(cat ${{ github.workspace }}/trivy-results-${{ matrix.versions }}.sarif | jq '.runs[0].results | length')
echo "TRIVY_COUNT: $TRIVY_COUNT" echo "TRIVY_COUNT: $TRIVY_COUNT"
echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY echo "Image Vulnerability scan output" >> $GITHUB_STEP_SUMMARY
echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY echo "Image ID: registry.k8s.io/ingress-nginx/controller@${{ matrix.versions }}" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY echo "" >> $GITHUB_STEP_SUMMARY
echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY echo "Trivy Count: $TRIVY_COUNT" >> $GITHUB_STEP_SUMMARY