Migration of dependency check, and pcf tile build job from CircleCI t…

…o GitHub Actions (signalfx#2055) * Migration of dependency check, and pcf tile build job * Making suggested changes. * Update .github/workflows/build_and_test.yml Co-authored-by: Jeff Cheng <[email protected]> * Triggering build-and test workflow for tags Co-authored-by: Jeff Cheng <[email protected]>
dloucasfx · Jan 18, 2022 · 9a42fd5 · 9a42fd5
1 parent 9139169
commit 9a42fd5
Show file tree

Hide file tree

Showing 3 changed files with 89 additions and 66 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -377,46 +377,6 @@ jobs:
           fi
           make check-links
 
-  dependency_check:
-    docker:
-      - image: owasp/dependency-check:6.5.0
-        user: root
-    steps:
-      - checkout
-      - attach_workspace:
-          at: /tmp/workspace
-      - restore_cache:
-          key: v2-dependency-check-nvd-{{ checksum ".circleci/scripts/run-dependency-check.sh" }}
-      - run: .circleci/scripts/run-dependency-check.sh
-      - save_cache:
-          key: v2-dependency-check-nvd-{{ checksum ".circleci/scripts/run-dependency-check.sh" }}
-          paths:
-            - /usr/share/dependency-check/data
-      - save_test_results:
-          dir: /root/project/reports
-
-  pcf_tile_build:
-    executor: tile_generator
-    steps:
-      - run: |
-          if ! command -v git; then
-            apt-get update
-            apt-get install -y git
-          fi
-      - checkout
-      - attach_workspace:
-          at: /tmp/workspace
-      - run: |
-          if [[ "$CIRCLE_BRANCH" != "main" && -z "$CIRCLE_TAG" ]] && ! scripts/changes-include-dir deployments/cloudfoundry; then
-              echo "No changes in deployments/cloudfoundry, skipping build."
-              exit 0
-          fi
-          AGENT_VERSION=$(./scripts/current-version) AGENT_BUNDLE=/tmp/workspace/signalfx-agent-latest.tar.gz deployments/cloudfoundry/tile/make-latest-tile
-          mkdir -p /tmp/pcf_tile
-          mv deployments/cloudfoundry/tile/product/signalfx-monitoring-*.pivotal /tmp/pcf_tile
-      - store_artifacts:
-          path: /tmp/pcf_tile
-
 workflows:
   build_test:
     jobs:
@@ -468,13 +428,3 @@ workflows:
       - installer_tests
       - helm_check
       - check_links
-      - dependency_check:
-          requires:
-            - build
-      - pcf_tile_build:
-          filters:
-            tags:
-              only:
-                - /^v\d+\.\d+\.\d+.*/
-          requires:
-            - build
diff --git a/.circleci/scripts/run-dependency-check.sh b/.circleci/scripts/run-dependency-check.sh
diff --git a/.github/workflows/build_and_test.yml b/.github/workflows/build_and_test.yml
@@ -2,6 +2,7 @@ name: build_and_test
 
 on: 
   push:
+    tags: ['v[0-9]+.[0-9]+.[0-9]+']
     branches:
       - main
   pull_request:
@@ -91,3 +92,91 @@ jobs:
           path: |
             ~/${{ env.RESULT_PATH }}/results.html
             ~/${{ env.RESULT_PATH }}/results.xml
+
+  dependency_check:
+    name: dependency_check
+    runs-on: ubuntu-latest
+    needs: [build]
+    container:
+      image: owasp/dependency-check:6.5.0
+      options: --user root
+    steps:
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+
+      - name: Downloading bundle
+        uses: actions/download-artifact@v2
+        with:
+          name: bundle
+          path: ./dist
+
+      - name: Setup dependency check
+        run: |
+          mkdir -p ./bundle
+          mkdir -p ./reports
+          apk --no-cache add tar
+          tar -C ./bundle -xf ./dist/signalfx-agent-latest.tar.gz
+
+      - name: Get Date
+        id: get-date
+        run: |
+          echo "::set-output name=date::$(/bin/date -u "+%Y%m%d")"
+
+      - name: Caching dependency
+        uses: actions/cache@v2
+        with:
+          path: |
+            /usr/share/dependency-check/data
+          key: v2-dependency-check-nvd-${{ steps.get-date.outputs.date }}-${{ hashFiles('./.github/workflows/build_and_test.yml') }}
+
+      - name: Run Dependency Check
+        run: |
+          /usr/share/dependency-check/bin/dependency-check.sh \
+            --scan ./bundle \
+            --project "signalfx-agent-latest.tar.gz" \
+            --suppression ./scripts/dependency-check/suppression.xml \
+            --out ./reports/ \
+            --format HTML \
+            --format JUNIT \
+            --junitFailOnCVSS 9 \
+            --failOnCVSS 9 || \
+            (echo -e "\nOne or more critical vulnerabilities were found in the agent bundle.\nCheck the report artifact, fix the issues, run 'make bundle && make dependency-check', and commit the changes when the issues are resolved." && exit 1)
+      
+      - name: Uploading test result artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: dependency-check-result
+          path: reports
+
+  pcf_tile_build:
+    name: pcf_tile_build
+    runs-on: ubuntu-latest
+    needs: [build]
+    container:
+      image: cfplatformeng/tile-generator:v14.0.3
+    steps:
+      - name: Installing git
+        run: |
+          apt-get update
+          apt-get install -y git
+      
+      - name: Check out the codebase.
+        uses: actions/checkout@v2
+        with:
+          fetch-depth: 0
+
+      - name: Downloading bundle
+        uses: actions/download-artifact@v2
+        with:
+          name: bundle
+          path: ./dist
+
+      - name: Run PCF tile build
+        run: |
+          AGENT_VERSION=$(./scripts/current-version) AGENT_BUNDLE=$(pwd)/dist/signalfx-agent-latest.tar.gz deployments/cloudfoundry/tile/make-latest-tile
+      
+      - name: Uploading PCF tile build result artifacts
+        uses: actions/upload-artifact@v2
+        with:
+          name: pcf-tile-build-result
+          path: deployments/cloudfoundry/tile/product/signalfx-monitoring-*.pivotal