Skip to content

Commit

Permalink
Merge branch 'master' into master
Browse files Browse the repository at this point in the history
  • Loading branch information
wei840222 authored Jan 30, 2025
2 parents fd550a9 + 5a385d4 commit eb3406d
Show file tree
Hide file tree
Showing 21 changed files with 754 additions and 282 deletions.
2 changes: 1 addition & 1 deletion .docker/Dockerfile-alpine
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
FROM alpine:3.20.0
FROM alpine:3.21.2

RUN addgroup -S ory; \
adduser -S ory -G ory -D -H -s /bin/nologin
Expand Down
4 changes: 2 additions & 2 deletions .docker/Dockerfile-build
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,8 @@ RUN apt-get update && apt-get upgrade -y
COPY go.mod go.mod
COPY go.sum go.sum

ENV CGO_ENABLED 0
ENV GO111MODULE on
ENV CGO_ENABLED=0
ENV GO111MODULE=on

RUN go mod download

Expand Down
2 changes: 1 addition & 1 deletion .github/CODEOWNERS
Original file line number Diff line number Diff line change
@@ -1 +1 @@
* @aeneasr
* @aeneasr @ory/product-development
67 changes: 54 additions & 13 deletions .github/workflows/cve-scan.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# AUTO-GENERATED, DO NOT EDIT!
# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/server/.github/workflows/cve-scan.yaml

name: Docker Image Scanners
on:
workflow_dispatch:
push:
branches:
- "master"
Expand All @@ -9,30 +13,62 @@ on:
branches:
- "master"

permissions:
contents: read
security-events: write

jobs:
scanners:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Setup Env
id: vars
shell: bash
run: |
echo "SHA_SHORT=$(git rev-parse --short HEAD)" >> "${GITHUB_ENV}"
# Store values in local variables
SHA_SHORT=$(git rev-parse --short HEAD)
REPO_NAME=${{ github.event.repository.name }}
IMAGE_NAME="oryd/${REPO_NAME}:${SHA_SHORT}"
# Output values for debugging
echo "Values to be set:"
echo "SHA_SHORT: ${SHA_SHORT}"
echo "REPO_NAME: ${REPO_NAME}"
echo "IMAGE_NAME: ${IMAGE_NAME}"
# Set GitHub Environment variables
echo "SHA_SHORT=${SHA_SHORT}" >> "${GITHUB_ENV}"
echo "IMAGE_NAME=${IMAGE_NAME}" >> "${GITHUB_ENV}"
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
uses: docker/setup-buildx-action@v3
- name: Build images
shell: bash
run: |
IMAGE_TAG="${{ env.SHA_SHORT }}" make docker
- name: Login to GitHub Container Registry
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}

- name: Configure Trivy
run: |
mkdir -p $HOME/.cache/trivy
echo "TRIVY_USERNAME=${{ github.actor }}" >> $GITHUB_ENV
echo "TRIVY_PASSWORD=${{ secrets.GITHUB_TOKEN }}" >> $GITHUB_ENV
- name: Anchore Scanner
uses: anchore/scan-action@v3
uses: anchore/scan-action@v5
id: grype-scan
with:
image: oryd/oathkeeper:${{ env.SHA_SHORT }}
image: ${{ env.IMAGE_NAME }}
fail-build: true
severity-cutoff: high
add-cpes-if-none: true
Expand All @@ -45,14 +81,14 @@ jobs:
echo "::endgroup::"
- name: Anchore upload scan SARIF report
if: always()
uses: github/codeql-action/upload-sarif@v2
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: ${{ steps.grype-scan.outputs.sarif }}
- name: Kubescape scanner
uses: kubescape/github-action@main
id: kubescape
with:
image: oryd/oathkeeper:${{ env.SHA_SHORT }}
image: ${{ env.IMAGE_NAME }}
verbose: true
format: pretty-printer
# can't whitelist CVE yet: https://github.com/kubescape/kubescape/pull/1568
Expand All @@ -61,18 +97,23 @@ jobs:
uses: aquasecurity/trivy-action@master
if: ${{ always() }}
with:
image-ref: oryd/oathkeeper:${{ env.SHA_SHORT }}
image-ref: ${{ env.IMAGE_NAME }}
format: "table"
exit-code: "42"
ignore-unfixed: true
vuln-type: "os,library"
severity: "CRITICAL,HIGH"
scanners: "vuln,secret,config"
scanners: "vuln,secret,misconfig"
env:
TRIVY_SKIP_JAVA_DB_UPDATE: "true"
TRIVY_DISABLE_VEX_NOTICE: "true"
TRIVY_DB_REPOSITORY: ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db

- name: Dockle Linter
uses: erzz/dockle-action@v1.3.2
uses: erzz/dockle-action@v1
if: ${{ always() }}
with:
image: oryd/oathkeeper:${{ env.SHA_SHORT }}
image: ${{ env.IMAGE_NAME }}
exit-code: 42
failure-threshold: high
- name: Hadolint
Expand All @@ -89,5 +130,5 @@ jobs:
shell: bash
run: |
echo "::group::Hadolint Scan Details"
echo "${HADOLINT_RESULTS}" | jq '.'
echo "${HADOLINT_RESULTS}" | jq '.'
echo "::endgroup::"
28 changes: 21 additions & 7 deletions .github/workflows/licenses.yml
Original file line number Diff line number Diff line change
@@ -1,21 +1,35 @@
# AUTO-GENERATED, DO NOT EDIT!
# Please edit the original at https://github.com/ory/meta/blob/master/templates/repository/common/.github/workflows/licenses.yml

name: Licenses

on:
pull_request:
push:
branches:
- main
- v3
- master

jobs:
check:
licenses:
name: License compliance
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v2
- uses: actions/setup-go@v2
- name: Install script
uses: ory/ci/licenses/setup@master
with:
go-version: "1.22"
- uses: actions/setup-node@v2
token: ${{ secrets.ORY_BOT_PAT || secrets.GITHUB_TOKEN }}
- name: Check licenses
uses: ory/ci/licenses/check@master
- name: Write, commit, push licenses
uses: ory/ci/licenses/write@master
if:
${{ github.ref == 'refs/heads/main' || github.ref ==
'refs/heads/master' || github.ref == 'refs/heads/v3' }}
with:
node-version: "18"
- run: make licenses
author-email:
${{ secrets.ORY_BOT_PAT &&
'[email protected]' ||
format('{0}@users.noreply.github.com', github.actor) }}
author-name: ${{ secrets.ORY_BOT_PAT && 'ory-bot' || github.actor }}
2 changes: 1 addition & 1 deletion .github/workflows/milestone.yml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v2
uses: actions/checkout@v4
with:
token: ${{ secrets.TOKEN_PRIVILEGED }}
- name: Milestone Documentation Generator
Expand Down
2 changes: 2 additions & 0 deletions .goreleaser.yml
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
version: 2

includes:
- from_url:
url: https://raw.githubusercontent.com/ory/xgoreleaser/master/build.tmpl.yml
Expand Down
2 changes: 0 additions & 2 deletions .orycli.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,5 +2,3 @@ project: oathkeeper

pre_release_hooks:
- ./scripts/render-schemas.sh
- git config --unset user.email
- git config --unset user.name
Loading

0 comments on commit eb3406d

Please sign in to comment.