fix: tivy scanning (#89)

* fix: pass trivy control flags to underlying workflow * fix: GitHub Advanced Security is not enabled * chore: bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 (#75) * chore: bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.23.0 to 0.24.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@7c2007b...6e7b7d1) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore: bump aquasecurity/trivy-action from 0.23.0 to 0.24.0 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: nepalevov <33350321+nepalevov@users.noreply.github.com> Co-authored-by: Vladislav Yatsun <vyatsun@deltixlab.com> * chore: bump github/codeql-action from 3.25.11 to 3.26.10 (#86) * chore: bump github/codeql-action from 3.25.11 to 3.26.10 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.11 to 3.26.10. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b611370...e2b3eaf) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> * chore: bump github/codeql-action from 3.25.11 to 3.26.10 --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Vladislav Yatsun <vyatsun@deltixlab.com> Co-authored-by: nepalevov <33350321+nepalevov@users.noreply.github.com> * chore: bump self-dependencies --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
epam · Oct 14, 2024 · 33982bd · 33982bd
1 parent cadafa7
commit 33982bd
Show file tree

Hide file tree

Showing 16 changed files with 60 additions and 51 deletions.
diff --git a/.github/workflows/generic_docker_pr.yml b/.github/workflows/generic_docker_pr.yml
@@ -51,7 +51,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

diff --git a/.github/workflows/generic_docker_release.yml b/.github/workflows/generic_docker_release.yml
@@ -60,7 +60,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.1
+      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.2
         id: semantic_versioning
 
   release:
@@ -73,14 +73,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.1
+      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.2
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -97,7 +97,7 @@ jobs:
             ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
-      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.1
+      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.2
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
diff --git a/.github/workflows/generic_docker_test.yml b/.github/workflows/generic_docker_test.yml
@@ -45,6 +45,6 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/ort@1.9.1
+      - uses: epam/ai-dial-ci/actions/ort@1.9.2
         with:
           bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
diff --git a/.github/workflows/java_pr.yml b/.github/workflows/java_pr.yml
@@ -71,7 +71,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.2
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
@@ -83,7 +83,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

diff --git a/.github/workflows/java_release.yml b/.github/workflows/java_release.yml
@@ -72,7 +72,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.1
+      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.2
         id: semantic_versioning
 
   release:
@@ -85,22 +85,22 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.1
+      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.2
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.2
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
       - name: Set version
         shell: bash
         run: |
           sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.next_version }}\"/g" build.gradle
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -117,7 +117,7 @@ jobs:
             ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
-      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.1
+      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.2
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

diff --git a/.github/workflows/java_test.yml b/.github/workflows/java_test.yml
@@ -48,7 +48,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.2
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
@@ -65,7 +65,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/java_prepare@1.9.2
         with:
           java_version: ${{ inputs.java_version }}
           java_distribution: ${{ inputs.java_distribution }}
@@ -82,7 +82,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/ort@1.9.1
+      - uses: epam/ai-dial-ci/actions/ort@1.9.2
         with:
           bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
           cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=Gradle"
diff --git a/.github/workflows/node_pr.yml b/.github/workflows/node_pr.yml
@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

diff --git a/.github/workflows/node_release.yml b/.github/workflows/node_release.yml
@@ -81,7 +81,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.1
+      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.2
         id: semantic_versioning
 
   release:
@@ -94,14 +94,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.1
+      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.2
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.2
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: true
@@ -110,7 +110,7 @@ jobs:
         shell: bash
         run: |
           npm version ${{ needs.calculate_version.outputs.next_version }} --no-git-tag-version || true # upstream branch may already be updated
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -150,7 +150,7 @@ jobs:
           IS_LATEST: ${{ needs.calculate_version.outputs.is_latest == 'true' }}
           IS_DEVELOPMENT_BRANCH: ${{ github.ref == 'refs/heads/development' }}
           IS_RELEASE_BRANCH: ${{ startsWith(github.ref, 'refs/heads/release-') }}
-      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.1
+      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.2
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

diff --git a/.github/workflows/node_test.yml b/.github/workflows/node_test.yml
@@ -52,7 +52,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.2
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"
@@ -69,7 +69,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.2
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"
@@ -86,7 +86,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/node_prepare@1.9.2
         with:
           node_version: ${{ inputs.node_version }}
           clean_install: "true"
@@ -103,7 +103,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/ort@1.9.1
+      - uses: epam/ai-dial-ci/actions/ort@1.9.2
         with:
           bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
           cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=NPM"
diff --git a/.github/workflows/python_docker_pr.yml b/.github/workflows/python_docker_pr.yml
@@ -66,7 +66,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           image_name: ghcr.io/${{ env.IMAGE_NAME }}
           image_tag: test

diff --git a/.github/workflows/python_docker_release.yml b/.github/workflows/python_docker_release.yml
@@ -68,7 +68,7 @@ jobs:
       is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.1
+      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.2
         id: semantic_versioning
 
   release:
@@ -81,7 +81,7 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.1
+      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.2
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
@@ -92,7 +92,7 @@ jobs:
         shell: bash
         run: |
           sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.non_semver_next_version }}\"/g" pyproject.toml
-      - uses: epam/ai-dial-ci/actions/build_docker@1.9.1
+      - uses: epam/ai-dial-ci/actions/build_docker@1.9.2
         with:
           ghcr_username: ${{ github.actor }}
           ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
@@ -109,7 +109,7 @@ jobs:
             ${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
             ${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
-      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.1
+      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.2
         with:
           tag_version: ${{ needs.calculate_version.outputs.next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify

diff --git a/.github/workflows/python_docker_test.yml b/.github/workflows/python_docker_test.yml
@@ -44,7 +44,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.2
         with:
           python_version: ${{ inputs.python_version }}
       - name: Test
@@ -60,7 +60,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.2
         with:
           python_version: ${{ inputs.python_version }}
       - name: Test
@@ -76,7 +76,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/ort@1.9.1
+      - uses: epam/ai-dial-ci/actions/ort@1.9.2
         with:
           bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
           cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=Poetry"
diff --git a/.github/workflows/python_package_pr.yml b/.github/workflows/python_package_pr.yml
@@ -62,6 +62,8 @@ jobs:
       bypass_code_checks: ${{ inputs.bypass_code_checks }}
       enable_ort: ${{ inputs.enable_ort }}
       bypass_ort: ${{ inputs.bypass_ort }}
+      enable_trivy: ${{ inputs.enable_trivy }}
+      bypass_trivy: ${{ inputs.bypass_trivy }}
       python_version: ${{ inputs.python_version }}
       test_python_versions: ${{ inputs.test_python_versions }}
 
@@ -71,7 +73,7 @@ jobs:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
-      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.2
         with:
           python_version: ${{ inputs.python_version }}
       - run: make build
diff --git a/.github/workflows/python_package_release.yml b/.github/workflows/python_package_release.yml
@@ -59,6 +59,8 @@ jobs:
       bypass_code_checks: ${{ inputs.bypass_code_checks }}
       enable_ort: ${{ inputs.enable_ort }}
       bypass_ort: ${{ inputs.bypass_ort }}
+      enable_trivy: ${{ inputs.enable_trivy }}
+      bypass_trivy: ${{ inputs.bypass_trivy }}
       python_version: ${{ inputs.python_version }}
       test_python_versions: ${{ inputs.test_python_versions }}
 
@@ -68,7 +70,7 @@ jobs:
       non_semver_next_version: ${{ steps.semantic_versioning.outputs.non_semver_next_version }}
       latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
     steps:
-      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.1
+      - uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.2
         id: semantic_versioning
 
   release:
@@ -81,14 +83,14 @@ jobs:
       - calculate_version
       - test
     steps:
-      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.1
+      - uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.2
         with:
           latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
         with:
           lfs: true
           token: ${{ secrets.ACTIONS_BOT_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.1
+      - uses: epam/ai-dial-ci/actions/python_prepare@1.9.2
         with:
           python_version: ${{ inputs.python_version }}
       - name: Set version
@@ -102,7 +104,7 @@ jobs:
           make publish
         env:
           PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
-      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.1
+      - uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.2
         with:
           tag_version: ${{ needs.calculate_version.outputs.non_semver_next_version }}
           changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify