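name: Trivy Scan

on:
  workflow_dispatch: {}
  schedule:
    # run every day at 3:07am UTC
    - cron: '7 3 * * *'

# least privilege for GITHUB_TOKEN: every job only reads the repository unless it
# declares more (the scan job adds security-events: write for the SARIF upload)
permissions:
  contents: read

env:
  # only used to decide whether a DockerHub login is possible; the password is
  # read straight from secrets in the login step
  DOCKER_USR: ${{ secrets.DOCKER_USR }}

jobs:
  generate-matrix:
    runs-on: ubuntu-latest
    if: github.repository == 'crossplane/crossplane'
    outputs:
      versions: ${{ steps.get-releases.outputs.versions }}
      supported_releases: ${{ steps.get-releases.outputs.supported_releases }}
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          # full history: the release branches and tags are what is enumerated below
          fetch-depth: 0

      - name: Get Last 3 Releases
        id: get-releases
        shell: bash
        ## find the 3 latest supported releases and their latest patch releases, storing them in the step's outputs
        run: |
          # get the last 3 releases in "vX.Y" form
          supported_releases="$(git for-each-ref --sort='-committerdate' --format='%(refname:short)' --count=3 'refs/remotes/origin/release-*' | sed 's/.*release-/v/g')"
          if [ -z "$supported_releases" ]
          then
            echo "DEBUG: No supported releases found"
            echo "DEBUG: $(git for-each-ref 'refs/remotes')"
            exit 1
          fi

          echo "DEBUG: ${supported_releases}"

          # get the latest non-rc tag for each release
          tags=""
          while IFS= read -r version; do
            # newest tag (by tagger date) under "vX.Y." that is not a release candidate.
            # The glob matches any patch number, so v1.14.10 is found as well as
            # v1.14.9; "|| true" keeps an empty result from aborting the pipefail
            # shell before the explicit check below reports it.
            tag="$(git for-each-ref --sort=-taggerdate --format='%(refname:short)' "refs/tags/${version}.*" | grep -v -- '-rc' | head -n 1 || true)"
            if [ -z "$tag" ]
            then
              echo "No tags found for version ${version}, ${tag}"
              echo "DEBUG: $(git for-each-ref 'refs/tags')"
              exit 1
            fi
            tags="${tags} ${version}=${tag}"
          done <<< "${supported_releases}"

          echo "DEBUG: ${tags}"

          # build a JSON formatted list of all the supported releases for crossplane/crossplane
          # (the unquoted expansion is deliberate: it folds the newline-separated list onto one line)
          supported_releases=$(echo $supported_releases | jq -R .| jq -s -c '.[] | split(" ")')
          ## build a map of all the supported releases and their latest tags for later usage
          versions=$(echo $tags | jq -R .| jq -s -c '.[] | split(" ") | [.[] | select(length > 0) | [split("=")] | map({key: .[0], value: .[1]}) | .[] ] | from_entries' )

          # store everything as outputs
          echo "versions=${versions}" >> "$GITHUB_OUTPUT"
          echo "supported_releases=${supported_releases}" >> "$GITHUB_OUTPUT"

          echo "DEBUG: GITHUB_OUTPUT:"
          cat "$GITHUB_OUTPUT"

  check-matrix:
    # this job is just to check the matrix definition is valid and helps debugging it if not valid
    runs-on: ubuntu-latest
    needs:
      - generate-matrix
    steps:
      - name: Check Matrix Definition
        shell: bash
        env:
          # passed through env rather than interpolated into the script text so
          # the value is never parsed as shell code
          SUPPORTED_RELEASES: ${{ needs.generate-matrix.outputs.supported_releases }}
        run: |
          echo "${SUPPORTED_RELEASES}"
          echo "${SUPPORTED_RELEASES}" | jq .
          # fail here, with a readable error, rather than in every scan job
          echo "${SUPPORTED_RELEASES}" | jq -e 'type == "array" and length > 0' > /dev/null

  scan:
    needs:
      - check-matrix
      - generate-matrix
    permissions:
      contents: read
      # required by github/codeql-action/upload-sarif
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        release: ${{ fromJSON(needs.generate-matrix.outputs.supported_releases) }}
        image:
          - crossplane/crossplane

    runs-on: ubuntu-latest
    steps:
      - name: Get Release Tag
        shell: bash
        env:
          # matrix and job-output values are passed through env so they are
          # never expanded into the script text itself
          RELEASE: ${{ matrix.release }}
          IMAGE: ${{ matrix.image }}
          VERSIONS: ${{ needs.generate-matrix.outputs.versions }}
        run: |
          echo "${RELEASE}"
          tag="$(jq --raw-output --arg release "${RELEASE}" '.[$release]' <<< "${VERSIONS}")"
          # a release missing from the map would otherwise be scanned as "<image>:null"
          if [ -z "${tag}" ] || [ "${tag}" = "null" ]
          then
            echo "No tag found for release ${RELEASE} in ${VERSIONS}"
            exit 1
          fi
          echo "tag=${tag}" >> "$GITHUB_ENV"
          # the artifact name is built from this, so path, dot and tag separators are replaced
          echo "escaped_filename=$(echo "${IMAGE}/${tag}" | sed 's/[\/.:]/_/g')" >> "$GITHUB_ENV"

      # we log in to DockerHub to avoid rate limiting
      - name: Login To DockerHub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      # we pull the image to be sure we're scanning the latest sha available
      - name: Pull Latest Image
        run: docker pull ${{ matrix.image }}:${{ env.tag }}

      - name: Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
        with:
          image-ref: ${{ matrix.image }}:${{ env.tag }}
          format: 'sarif'
          output: 'trivy-results.sarif'

      # keep the raw report briefly for debugging; the Security tab is the long-term record
      - name: Upload Artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
        with:
          name: trivy-${{ env.escaped_filename }}.sarif
          path: trivy-results.sarif
          retention-days: 3

      - name: Upload Trivy Scan Results To GitHub Security Tab
        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3
        with:
          sarif_file: 'trivy-results.sarif'
          # one category per image:tag so findings for different releases do not overwrite each other
          category: ${{ matrix.image }}:${{ env.tag }}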