Skip to content

chore: only upload trivy results for main branch #287

chore: only upload trivy results for main branch

chore: only upload trivy results for main branch #287

Workflow file for this run

name: ci
on:
push:
branches:
- main
pull_request:
workflow_dispatch:
permissions:
actions: read
checks: none
contents: read
deployments: none
issues: none
packages: write
pull-requests: none
repository-projects: none
security-events: write
statuses: none
# Cancel in-progress runs for pull requests when developers push
# additional changes
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: ${{ github.event_name == 'pull_request' }}
jobs:
lint:
runs-on: ${{ github.repository_owner == 'coder' && 'ubuntu-latest-8-cores' || 'ubuntu-latest' }}
steps:
- name: Checkout
uses: actions/checkout@v3
# Install Go!
- uses: actions/setup-go@v3
with:
go-version: "~1.23"
# Check for Go linting errors!
- name: Lint Go
uses: golangci/[email protected]
with:
version: v1.62.2
args: "--out-${NO_FUTURE}format colored-line-number"
- name: Lint shell scripts
uses: ludeeus/[email protected]
env:
SHELLCHECK_OPTS: --external-sources
with:
ignore: node_modules
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.1.9
terraform_wrapper: false
- name: Terraform init
run: terraform init
- name: Terraform validate
run: terraform validate
fmt:
runs-on: ubuntu-latest
timeout-minutes: 5
steps:
- name: Checkout
uses: actions/checkout@v3
with:
fetch-depth: 0
submodules: true
- uses: hashicorp/setup-terraform@v2
with:
terraform_version: 1.1.9
terraform_wrapper: false
- name: Install markdownfmt
run: go install github.com/Kunde21/markdownfmt/v3/cmd/markdownfmt@latest
- name: make fmt
run: |
export PATH=${PATH}:$(go env GOPATH)/bin
make --output-sync -j -B fmt
- name: Check for unstaged files
run: ./scripts/check_unstaged.sh
unit-tests:
runs-on: ubuntu-latest
timeout-minutes: 20
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.23"
# Sadly the new "set output" syntax (of writing env vars to
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
# deprecated syntax here.
- name: Echo Go Cache Paths
id: go-cache-paths
run: |
echo "::set-output name=GOCACHE::$(go env GOCACHE)"
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Run unit tests
id: test
shell: bash
run: go test ./...
integration-tests:
runs-on: ubuntu-20.04
timeout-minutes: 20
steps:
- name: Install dependencies
run: sudo apt update && sudo apt install -y gcc
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.23"
# Sadly the new "set output" syntax (of writing env vars to
# $GITHUB_OUTPUT) does not work on both powershell and bash so we use the
# deprecated syntax here.
- name: Echo Go Cache Paths
id: go-cache-paths
run: |
echo "::set-output name=GOCACHE::$(go env GOCACHE)"
echo "::set-output name=GOMODCACHE::$(go env GOMODCACHE)"
- name: Go Build Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOCACHE }}
key: ${{ runner.os }}-go-build-${{ hashFiles('**/go.**', '**.go') }}
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-go-mod-${{ hashFiles('**/go.sum') }}
- name: Run integration tests
id: test
shell: bash
run: go test -tags=integration ./...
build:
runs-on: ubuntu-20.04
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v3
with:
go-version: "~1.23"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Install yq
run: go run github.com/mikefarah/yq/[email protected]
- name: build image
run: make -j build/image/envbox
# We don't want to run Trivy on pull requests.
- name: Exit if not on main
if: github.ref != 'refs/heads/main'
run: exit 0
- name: Run Trivy vulnerability scanner
uses: aquasecurity/[email protected]
with:
image-ref: envbox:latest
format: sarif
output: trivy-results.sarif
severity: "CRITICAL,HIGH"
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: trivy-results.sarif
category: "Trivy"
- name: Upload Trivy scan results as an artifact
uses: actions/upload-artifact@v3
with:
name: trivy
path: trivy-results.sarif
retention-days: 7
codeql:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- name: Setup Go
uses: actions/setup-go@v3
with:
go-version: "~1.23"
- name: Go Cache Paths
id: go-cache-paths
run: |
echo "GOMODCACHE=$(go env GOMODCACHE)" >> $GITHUB_OUTPUT
- name: Go Mod Cache
uses: actions/cache@v3
with:
path: ${{ steps.go-cache-paths.outputs.GOMODCACHE }}
key: ${{ runner.os }}-release-go-mod-${{ hashFiles('**/go.sum') }}
- name: Initialize CodeQL
uses: github/codeql-action/init@v2
with:
languages: go
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v2
publish:
runs-on: ubuntu-20.04
if: github.ref == 'refs/heads/main'
steps:
- name: Docker Login
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: actions/checkout@v3
with:
# Needed to get older tags
fetch-depth: 0
- uses: actions/setup-go@v3
with:
go-version: "~1.23"
- name: build image
run: make -j build/image/envbox
- name: Tag and push envbox-preview
run: |
VERSION=$(./scripts/version.sh)-dev-$(git rev-parse --short HEAD)
BASE=ghcr.io/coder/envbox-preview
docker tag envbox "${BASE}:${VERSION}"
docker push "${BASE}:${VERSION}"