Skip to content

Merge pull request #50 from kube-HPC/HKube101Changes #43

Merge pull request #50 from kube-HPC/HKube101Changes

Merge pull request #50 from kube-HPC/HKube101Changes #43

Workflow file for this run

# This is a basic workflow to help you get started with Actions
name: CI-MAIN
# Controls when the action will run.
on:
# Triggers the workflow on push or pull request events but only for the master branch
push:
branches: [ source ]
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
build:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
- uses: actions/checkout@v2
- uses: actions/setup-node@v1
with:
node-version: 10.x
- run: |
npm ci
- run: npm run build
- run: ./resources/publish.sh
env:
GH_TOKEN: ${{ secrets.GH_TOKEN }}
- name: setup git
run: |
git config --local user.email "[email protected]"
git config --local user.name "GitHub Action"
- name: version
run: |
git checkout -f -b version-branch
npm version patch -m "$(git log -1 --pretty=%B) .... bump version [skip ci]"
git push origin version-branch:source --follow-tags
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: build site docker
run: |
echo "Before running 'npm run docker' , package ver is: ${npm_package_version}"
docker login --username yehiyam --password ${DOCKER_HUB_PASS}
export IMAGE_NAME=$(PRIVATE_REGISTRY=docker.io/hkube npm run docker | tail -1 | awk '{print $NF}')
echo "IMAGE_NAME=$IMAGE_NAME" >> $GITHUB_ENV
echo "IMAGE_NAME: $IMAGE_NAME"
env:
DOCKER_HUB_PASS: ${{ secrets.DOCKER_PASSWORD }}
- name: Install Trivy
run: |
wget https://github.com/aquasecurity/trivy/releases/download/v0.43.0/trivy_0.43.0_Linux-64bit.deb
sudo dpkg -i trivy_0.43.0_Linux-64bit.deb
- name: Run Trivy license scan on repo
run: trivy fs /home/runner/work --scanners license --license-full --severity 'HIGH,CRITICAL' > trivy_license_filesystem.txt
- name: Run Trivy vulnerability scanner on the repo
run: trivy fs /home/runner/work --severity 'HIGH,CRITICAL' --format sarif --output trivy_vuln_filesystem.sarif
- name: Run Trivy license scan on image
run: trivy image --scanners license --license-full --severity 'HIGH,CRITICAL' '${{ env.IMAGE_NAME }}' > trivy_license_image.txt
- name: Run Trivy vulnerability scanner on image
run: trivy image --severity 'HIGH,CRITICAL' --format sarif --output trivy_vuln_image.sarif '${{ env.IMAGE_NAME }}'
- name: Upload Trivy image vulnerability results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy_vuln_image.sarif'
category: 'Trivy-Vulnerability-Image'
- name: Upload Trivy repo vulnerability results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy_vuln_filesystem.sarif'
category: 'Trivy-Vulnerability-Repo'
- name: Update a branch with scan results
run: |
git config --global user.email "[email protected]"
git config --global user.name "GitHub Action"
existed_in_remote=$(git ls-remote --heads origin trivy-scan-results)
if [[ ${existed_in_remote} ]]; then
echo "branch exists in remote"
git fetch origin trivy-scan-results
echo "branch fetched"
git checkout trivy-scan-results
echo "origin branch swapped"
else
git checkout -b trivy-scan-results
echo "new branch swapped"
fi
mkdir -p TrivyScans
TIMESTAMP=$(date +"%Y-%m-%d %H:%M:%S")
echo "$TIMESTAMP" > ScanTimeStamp.txt
cp ScanTimeStamp.txt TrivyScans/
cp trivy_license_filesystem.txt TrivyScans/
cp trivy_license_image.txt TrivyScans/
git add TrivyScans/trivy_license_filesystem.txt
git add TrivyScans/trivy_license_image.txt
git add TrivyScans/ScanTimeStamp.txt
git commit -m "Add trivy scan result files to the folder 'TrivyScans'"
git push origin trivy-scan-results
- name: Display branch and file path link
run: echo "Results uploaded to [trivy-scan-results branch](https://github.com/$GITHUB_REPOSITORY/tree/trivy-scan-results/TrivyScans/)"
- name: trigger site docker
id: trigger
uses: octokit/[email protected]
with:
route: POST /repos/kube-HPC/release-manager/dispatches
event_type: trigger
env:
GITHUB_TOKEN: '${{ secrets.GH_TOKEN }}'