Add trivy GHA workflow for scanning rke2-runtime image #20
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
on: | |
push: | |
paths-ignore: | |
- "**.md" | |
- "channel.yaml" | |
- "install.sh" | |
- "!.github/workflows/test-suite.yaml" | |
branches: | |
- master | |
- release-** | |
name: Branch Merge Build | |
permissions: | |
contents: write | |
id-token: write | |
jobs: | |
build-amd64: | |
runs-on: runs-on,runner=8cpu-linux-x64,run-id=${{ github.run_id }},image=ubuntu22-full-x64,hdd=64 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install Dapper | |
run: | | |
curl -sL https://releases.rancher.com/dapper/latest/dapper-$(uname -s)-$(uname -m) > /usr/local/bin/dapper | |
chmod +x /usr/local/bin/dapper | |
- name: "Read secrets" | |
uses: rancher-eio/read-vault-secrets@main | |
with: | |
secrets: | | |
secret/data/github/repo/${{ github.repository }}/aws/rke2-ci-uploader/credentials AWS_ACCESS_KEY_ID ; | |
secret/data/github/repo/${{ github.repository }}/aws/rke2-ci-uploader/credentials AWS_SECRET_ACCESS_KEY ; | |
- name: Build | |
run: dapper -f Dockerfile --target dapper make dapper-ci | |
env: | |
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} | |
- name: Test | |
run: dapper -f Dockerfile --target dapper make test | |
- name: Prepare Test Logs on Failure | |
if: ${{ failure() }} | |
run: | | |
sudo cp -r /tmp/rke2-logs ~/rke2-logs | |
sudo chown -R $USER:$USER ~/rke2-logs | |
- name: Upload Test Logs on Failure | |
if: ${{ failure() }} | |
uses: actions/upload-artifact@v4 | |
with: | |
name: rke2-test-logs | |
path: ~/rke2-logs/ | |
build-arm64: | |
runs-on: runs-on,runner=8cpu-linux-arm64,run-id=${{ github.run_id }},image=ubuntu22-full-arm64,hdd=64 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
- name: Install Dapper | |
run: | | |
curl -sL https://releases.rancher.com/dapper/latest/dapper-$(uname -s)-$(uname -m) > /usr/local/bin/dapper | |
chmod +x /usr/local/bin/dapper | |
- name: "Read secrets" | |
uses: rancher-eio/read-vault-secrets@main | |
with: | |
secrets: | | |
secret/data/github/repo/${{ github.repository }}/aws/rke2-ci-uploader/credentials AWS_ACCESS_KEY_ID ; | |
secret/data/github/repo/${{ github.repository }}/aws/rke2-ci-uploader/credentials AWS_SECRET_ACCESS_KEY ; | |
- name: Build | |
run: | | |
dapper -f Dockerfile --target dapper make dapper-ci | |
env: | |
AWS_ACCESS_KEY_ID: ${{ env.AWS_ACCESS_KEY_ID }} | |
AWS_SECRET_ACCESS_KEY: ${{ env.AWS_SECRET_ACCESS_KEY }} | |