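name: Trivy Scan

on:
  workflow_dispatch: {}
  schedule:
    # run every day at 3:07am UTC
    - cron: '7 3 * * *'

# Least-privilege token for every job: read the repository only.
# The scan job additionally grants security-events: write, which the
# SARIF upload to the Security tab requires.
permissions:
  contents: read

env:
  # only consulted by the `if:` guard on the DockerHub login step;
  # the credentials themselves are passed to the login action from secrets.*
  DOCKER_USR: ${{ secrets.DOCKER_USR }}

jobs:
  generate-matrix:
    runs-on: ubuntu-latest
    if: github.repository == 'crossplane/crossplane'
    outputs:
      versions: ${{ steps.get-releases.outputs.versions }}
      supported_releases: ${{ steps.get-releases.outputs.supported_releases }}
    steps:
      - name: Checkout
        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4
        with:
          # full history so the release-* branches and their tags are present
          fetch-depth: 0

      - name: Get Last 3 Releases
        id: get-releases
        shell: bash
        ## find the 3 latest supported releases and their latest patch releases, storing them in the steps' outputs
        run: |
          # get the last 3 releases in "vX.Y" form
          supported_releases="$(git for-each-ref --sort='-committerdate' --format='%(refname:short)' --count=3 'refs/remotes/origin/release-*' | sed 's/.*release-/v/g')"
          if [ -z "$supported_releases" ]
          then
            echo "DEBUG: No supported releases found"
            echo "DEBUG: $(git for-each-ref 'refs/remotes')"
            exit 1
          fi

          echo "DEBUG: ${supported_releases}"

          # get the latest non-rc tag for each release
          tags=""
          while IFS= read -r version; do
            tag="$(git for-each-ref --sort=-taggerdate --count=1 'refs/tags/'${version}'.[\!-rc.*]' --format='%(tag)')"
            if [ -z "$tag" ]
            then
              echo "No tags found for version ${version}, ${tag}"
              echo "DEBUG: $(git for-each-ref 'refs/tags')"
              exit 1
            fi
            tags="${tags} ${version}=${tag}"
          done <<< "${supported_releases}"

          echo "DEBUG: ${tags}"

          # build a JSON formatted list of all the supported releases for crossplane/crossplane
          # ($supported_releases is deliberately unquoted so newlines collapse to spaces)
          supported_releases=$(echo $supported_releases | jq -R .| jq -s -c '.[] | split(" ")')
          ## build a map of all the supported releases and their latest tags for later usage
          versions=$(echo $tags | jq -R .| jq -s -c '.[] | split(" ") | [.[] | select(length > 0) | [split("=")] | map({key: .[0], value: .[1]}) | .[] ] | from_entries' )

          # store everything as outputs
          echo "versions=${versions}" >> "$GITHUB_OUTPUT"
          echo "supported_releases=${supported_releases}" >> "$GITHUB_OUTPUT"

          echo "DEBUG: GITHUB_OUTPUT:"
          cat "$GITHUB_OUTPUT"

  check-matrix:
    # this job is just to check the matrix definition is valid and helps debugging it if not valid
    runs-on: ubuntu-latest
    needs:
      - generate-matrix
    steps:
      - name: Check Matrix Definition
        shell: bash
        # the job output is handed over through env rather than interpolated
        # into the script text, so its content is never parsed as shell
        env:
          SUPPORTED_RELEASES: ${{ needs.generate-matrix.outputs.supported_releases }}
        run: |
          echo "${SUPPORTED_RELEASES}"
          echo "${SUPPORTED_RELEASES}" | jq .

  scan:
    needs:
      - check-matrix
      - generate-matrix
    # upload-sarif needs security-events: write to publish results to the Security tab
    permissions:
      contents: read
      security-events: write
    strategy:
      fail-fast: false
      matrix:
        release: ${{ fromJSON(needs.generate-matrix.outputs.supported_releases) }}
        image:
          - crossplane/crossplane

    runs-on: ubuntu-latest
    steps:
      - name: Get Release Tag
        shell: bash
        # values derived from branch/tag names are passed via env, not spliced
        # into the script or the jq program, so they are treated purely as data
        env:
          RELEASE: ${{ matrix.release }}
          IMAGE: ${{ matrix.image }}
          VERSIONS: ${{ needs.generate-matrix.outputs.versions }}
        run: |
          echo "${RELEASE}"
          # look the release up in the versions map; --arg binds it as a jq variable
          tag="$(echo "${VERSIONS}" | jq --raw-output --arg release "${RELEASE}" '.[$release]')"
          # jq prints "null" for a missing key; fail loudly instead of scanning image:null
          if [ -z "${tag}" ] || [ "${tag}" = "null" ]
          then
            echo "No tag found for release ${RELEASE} in versions map: ${VERSIONS}"
            exit 1
          fi
          echo "tag=${tag}" >> "$GITHUB_ENV"
          # replace /, . and : so the value is usable as an artifact name
          echo "escaped_filename=$(echo "${IMAGE}/${tag}" | sed 's/[\/.:]/_/g')" >> "$GITHUB_ENV"

      # we log to DockerHub to avoid rate limiting
      - name: Login To DockerHub
        uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3
        if: env.DOCKER_USR != ''
        with:
          username: ${{ secrets.DOCKER_USR }}
          password: ${{ secrets.DOCKER_PSW }}

      # we pull the image to be sure we're scanning the latest sha available
      - name: Pull Latest Image
        run: docker pull "${{ matrix.image }}:${tag}"

      - name: Run Trivy Vulnerability Scanner
        uses: aquasecurity/trivy-action@84384bd6e777ef152729993b8145ea352e9dd3ef # 0.17.0
        with:
          image-ref: ${{ matrix.image }}:${{ env.tag }}
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Artifact
        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3 # v4
        with:
          name: trivy-${{ env.escaped_filename }}.sarif
          path: trivy-results.sarif
          retention-days: 3

      - name: Upload Trivy Scan Results To GitHub Security Tab
        uses: github/codeql-action/upload-sarif@e8893c57a1f3a2b659b6b55564fdfdbbd2982911 # v3
        with:
          sarif_file: 'trivy-results.sarif'
          category: ${{ matrix.image }}:${{ env.tag }}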