Bump aquasecurity/trivy-action from 0.11.2 to 0.12.0 (#393) #1159
name: tests

# Trigger on pushes to the default branches and on every pull request.
# Markdown-only changes and tag pushes are skipped.
# NOTE(review): if any job below is a required status check, a docs-only
# PR will never report it (the workflow does not run at all) — confirm the
# branch-protection settings tolerate that.
on:
  push:
    branches:
      - master
      - main
    paths-ignore:
      - '**.md'
    tags-ignore:
      - '**'
  pull_request:
    paths-ignore:
      - '**.md'

# One run per ref; a newer push cancels the run that is still in progress.
concurrency:
  group: ${{ github.ref }}
  cancel-in-progress: true

# NOTE(review): every third-party action below is referenced by a floating
# major tag (@v1, @v3, ...); pinning to a full commit SHA protects the
# pipeline from a moved or compromised tag.
jobs:
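gitleaks:
  name: 🔍 Check for GitLeaks
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  steps:
    - uses: actions/checkout@v3
      # Full history, so gitleaks can scan past commits and not only the
      # checked-out tree.
      with: {fetch-depth: 0}
    - uses: gacts/gitleaks@v1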
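validate-openapi:
  name: 🧪 Validate OpenAPI schemas
  runs-on: ubuntu-latest
  # NOTE(review): the image is pinned by tag only; a digest
  # (stoplight/spectral@sha256:...) would make the lint environment immutable.
  container: stoplight/spectral:5.9
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  steps:
    - uses: actions/checkout@v3
    # Warnings are treated as failures. Tool page: <https://github.com/stoplightio/spectral>
    - run: spectral lint --verbose --fail-severity warn ./api/*.y*ml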
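build-frontend:
  name: 🧪 Lint and build the frontend
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  env: {FORCE_COLOR: 'true'}
  defaults: {run: {working-directory: ./web}}
  steps:
    - uses: actions/checkout@v3
    - uses: gacts/setup-node-with-cache@v1
      with: {node-version: '19'}
    # `npm ci` installs exactly what the lockfile pins; `--no-audit` only
    # skips the advisory report, it does not change what gets installed.
    - run: npm ci --no-audit --prefer-offline && npm run generate
      env: {NPM_CONFIG_UPDATE_NOTIFIER: 'false'}
    - run: npm run lint
    - run: npm run build
    # Consumed by the build-app job; one day of retention is enough for a run.
    - uses: actions/upload-artifact@v3
      with: {path: ./web/dist, name: frontend-dist, if-no-files-found: error, retention-days: 1}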
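golangci-lint:
  name: 🧪 Run GolangCI-lint
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  steps:
    - uses: actions/checkout@v3
    - uses: gacts/setup-go-with-cache@v1
      # Same toolchain as the go-test and build-app jobs (taken from go.mod)
      # instead of a hard-coded version that can drift from it.
      with: {go-version-file: go.mod}
    - run: |
        mkdir ./web/dist && touch ./web/dist/index.html # placeholder so go:embed resolves
        go install "github.com/deepmap/oapi-codegen/cmd/[email protected]"
        go generate ./...
    # Caches are skipped here, presumably because setup-go-with-cache above
    # already restores them — verify if the lint step becomes slow.
    - uses: golangci/golangci-lint-action@v3
      with: {skip-pkg-cache: true, skip-build-cache: true}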
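go-test:
  name: 🧪 Run unit-tests (Go)
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  steps:
    - uses: actions/checkout@v3
      with: {fetch-depth: 2} # Fixes codecov error 'Issue detecting commit SHA'
    - uses: gacts/setup-go-with-cache@v1
      with: {go-version-file: go.mod}
    - run: |
        mkdir ./web/dist && touch ./web/dist/index.html # placeholder so go:embed resolves
        go install "github.com/deepmap/oapi-codegen/cmd/[email protected]"
        go generate ./...
    # Race detector on; `atomic` is the only coverage mode Go accepts with -race.
    - run: go test -race -covermode=atomic -coverprofile /tmp/coverage.txt ./...
    # Best effort: the coverage upload must not fail the test job, e.g. on
    # pull requests from forks, where repository secrets are not available.
    - uses: codecov/codecov-action@v3
      continue-on-error: true
      with:
        token: ${{ secrets.CODECOV_TOKEN }}
        file: /tmp/coverage.txt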
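build-app:
  name: 🏗️ Build the app (${{ matrix.os }} / ${{ matrix.arch }})
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  strategy:
    fail-fast: false
    matrix:
      os: [linux, windows, darwin] # linux, freebsd, darwin, windows
      arch: [amd64] # amd64, 386
  needs: [validate-openapi, golangci-lint, go-test, build-frontend]
  steps:
    - uses: actions/checkout@v3
    - uses: gacts/setup-go-with-cache@v1
      with: {go-version-file: go.mod}
    # Frontend bundle produced by the build-frontend job; picked up by go:embed.
    - uses: actions/download-artifact@v3
      with: {path: web/dist, name: frontend-dist}
    - run: |
        go install "github.com/deepmap/oapi-codegen/cmd/[email protected]"
        go generate ./...
    - {uses: gacts/github-slug@v1, id: slug}
    # Cross-compiled static binary: CGO off, symbols/DWARF stripped (-s -w),
    # build paths trimmed. The version string is handed over through an env
    # var rather than interpolated into the shell command line.
    - env:
        GOOS: ${{ matrix.os }}
        GOARCH: ${{ matrix.arch }}
        CGO_ENABLED: 0
        LDFLAGS: -s -w -X gh.tarampamp.am/webhook-tester/internal/version.version=${{ steps.slug.outputs.commit-hash-short }}
      run: go build -trimpath -ldflags "$LDFLAGS" -o /tmp/webhook-tester ./cmd/webhook-tester/
    # Smoke test; only the linux build can run on this runner.
    - name: Try to execute
      if: matrix.os == 'linux'
      run: /tmp/webhook-tester --version && /tmp/webhook-tester -h
    - uses: actions/upload-artifact@v3
      with:
        name: webhook-tester-${{ matrix.os }}-${{ matrix.arch }}
        path: /tmp/webhook-tester
        if-no-files-found: error
        retention-days: 3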
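build-docker-image:
  name: 🏗️ Build the docker image
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  #needs: [validate-openapi, golangci-lint, go-test, build-frontend] # speed up tests pipeline
  steps:
    - uses: actions/checkout@v3
    - {uses: gacts/github-slug@v1, id: slug}
    # Build only; nothing is pushed to a registry from this workflow.
    - uses: docker/build-push-action@v5
      with:
        context: .
        push: false
        build-args: "APP_VERSION=${{ steps.slug.outputs.commit-hash-short }}"
        tags: app:local
    - run: docker run --rm app:local --version
    # Exported as a tarball for the scan and e2e jobs that depend on this one.
    - run: docker save app:local > ./docker-image.tar
    - name: Upload artifact
      uses: actions/upload-artifact@v3
      # if-no-files-found: error, as in the other upload steps, so a missing
      # tarball fails here instead of in the downstream download step.
      with: {path: ./docker-image.tar, name: docker-image, if-no-files-found: error, retention-days: 1}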
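scan-docker-image:
  name: 🔍 Scan the docker image
  runs-on: ubuntu-latest
  needs: [build-docker-image]
  # upload-sarif writes to code scanning; everything else is read-only.
  permissions:
    contents: read
    security-events: write
  steps:
    - uses: actions/checkout@v3 # is needed for `upload-sarif` action
    - uses: actions/download-artifact@v3
      with: {name: docker-image}
    # exit-code 1 fails the job on any MEDIUM+ finding; the SARIF file is
    # still written so the upload step below can publish the results.
    - uses: aquasecurity/[email protected]
      with:
        input: docker-image.tar
        format: sarif
        severity: MEDIUM,HIGH,CRITICAL
        exit-code: 1
        output: trivy-results.sarif
    # Runs even when the scan failed; best effort because the token has no
    # security-events write access on pull requests from forks.
    - uses: github/codeql-action/upload-sarif@v2
      if: always()
      continue-on-error: true
      with: {sarif_file: trivy-results.sarif}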
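e2e-test-app:
  name: 🧪 End-to-End tests (${{ matrix.storage-driver }} storage, ${{ matrix.pubsub-driver }} pubsub)
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  strategy:
    fail-fast: false
    matrix:
      storage-driver: [memory, redis]
      pubsub-driver: [memory, redis]
  services:
    redis:
      image: redis:7-alpine
      ports: ['6379:6379/tcp']
      options: --health-cmd "redis-cli ping" --health-interval 3s --health-timeout 2s --health-retries 3
  needs: [build-app]
  steps:
    - uses: actions/checkout@v3
    - uses: actions/download-artifact@v3
      with: {name: webhook-tester-linux-amd64}
    # upload-artifact does not keep file modes, hence the chmod. The matrix
    # values interpolated below are constants declared in this file, not
    # user-controlled input, so the inline ${{ }} expansion is not an
    # injection vector here.
    - run: |
        chmod +x ./webhook-tester
        ./webhook-tester serve --port 8081 \
          --storage-driver "${{ matrix.storage-driver }}" \
          --pubsub-driver "${{ matrix.pubsub-driver }}" \
          --redis-dsn "redis://127.0.0.1:6379/0" &
    # NOTE(review): there is no explicit readiness wait for the backgrounded
    # server; the hurl install step in between is what gives it time to start.
    - uses: gacts/install-hurl@v1
    - run: hurl --color --test --fail-at-end --variable host=127.0.0.1 --variable port=8081 ./test/hurl/*/*.hurl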
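e2e-docker-image:
  name: 🧪 Docker image End-to-End tests
  runs-on: ubuntu-latest
  # Least privilege for GITHUB_TOKEN: this job only reads the repository.
  permissions: {contents: read}
  services:
    redis:
      image: redis:7-alpine
      ports: ['6379:6379/tcp']
      options: --health-cmd "redis-cli ping" --health-interval 3s --health-timeout 2s --health-retries 3
  needs: [build-docker-image]
  steps:
    - uses: actions/checkout@v3
    - uses: actions/download-artifact@v3
      with: {name: docker-image}
    - name: Load the image with the app
      run: docker load < docker-image.tar
    # Host networking lets the container reach the redis service on
    # 127.0.0.1:6379 and makes the app reachable on 8081 directly; Docker
    # discards -p mappings in host mode, so none is given.
    - name: Run docker image with app
      run: |
        docker run --rm -d \
          --network host \
          --name app \
          -e "STORAGE_DRIVER=redis" \
          -e "PUBSUB_DRIVER=redis" \
          -e "REDIS_DSN=redis://127.0.0.1:6379/0" \
          -e "LISTEN_PORT=8081" \
          app:local
    - uses: gacts/install-hurl@v1
    - run: hurl --color --test --fail-at-end --variable host=127.0.0.1 --variable port=8081 ./test/hurl/*/*.hurl
    # Container output is the only diagnostic left when the e2e run fails.
    - if: failure()
      run: docker logs app
    - if: always()
      run: docker kill app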