chore: optimize Trivy scanning configuration (#102)
* chore: optimize Trivy scanning configuration

* chore: bump self dependencies
nepalevov authored Oct 25, 2024
1 parent be3770d commit 8819d48
Showing 16 changed files with 45 additions and 42 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/generic_docker_pr.yml
Expand Up @@ -51,7 +51,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
8 changes: 4 additions & 4 deletions .github/workflows/generic_docker_release.yml
Expand Up @@ -60,7 +60,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.3
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.4
id: semantic_versioning

release:
Expand All @@ -73,14 +73,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.3
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.4
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -97,7 +97,7 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.3
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.4
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
2 changes: 1 addition & 1 deletion .github/workflows/generic_docker_test.yml
Expand Up @@ -45,6 +45,6 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/ort@1.9.3
- uses: epam/ai-dial-ci/actions/ort@1.9.4
with:
bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
4 changes: 2 additions & 2 deletions .github/workflows/java_pr.yml
Original file line number Diff line number Diff line change
Expand Up @@ -71,7 +71,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.4
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
Expand All @@ -83,7 +83,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
10 changes: 5 additions & 5 deletions .github/workflows/java_release.yml
Expand Up @@ -72,7 +72,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.3
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.4
id: semantic_versioning

release:
Expand All @@ -85,22 +85,22 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.3
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.4
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.4
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
- name: Set version
shell: bash
run: |
sed -i -E "s/^([ \t]*version[ \t]*=[ \t]*)[\"'].*[\"']/\1\"${{ needs.calculate_version.outputs.next_version }}\"/g" build.gradle
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -117,7 +117,7 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.3
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.4
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
6 changes: 3 additions & 3 deletions .github/workflows/java_test.yml
Original file line number Diff line number Diff line change
Expand Up @@ -48,7 +48,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.4
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
Expand All @@ -65,7 +65,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/java_prepare@1.9.4
with:
java_version: ${{ inputs.java_version }}
java_distribution: ${{ inputs.java_distribution }}
Expand All @@ -82,7 +82,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/ort@1.9.3
- uses: epam/ai-dial-ci/actions/ort@1.9.4
with:
bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=Gradle"
2 changes: 1 addition & 1 deletion .github/workflows/node_pr.yml
Expand Up @@ -76,7 +76,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
10 changes: 5 additions & 5 deletions .github/workflows/node_release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.3
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.4
id: semantic_versioning

release:
Expand All @@ -94,14 +94,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.3
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.4
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.4
with:
node_version: ${{ inputs.node_version }}
clean_install: true
Expand All @@ -110,7 +110,7 @@ jobs:
shell: bash
run: |
npm version ${{ needs.calculate_version.outputs.next_version }} --no-git-tag-version || true # upstream branch may already be updated
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand Down Expand Up @@ -150,7 +150,7 @@ jobs:
IS_LATEST: ${{ needs.calculate_version.outputs.is_latest == 'true' }}
IS_DEVELOPMENT_BRANCH: ${{ github.ref == 'refs/heads/development' }}
IS_RELEASE_BRANCH: ${{ startsWith(github.ref, 'refs/heads/release-') }}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.3
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.4
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
8 changes: 4 additions & 4 deletions .github/workflows/node_test.yml
Expand Up @@ -52,7 +52,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.4
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
Expand All @@ -69,7 +69,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.4
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
Expand All @@ -86,7 +86,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/node_prepare@1.9.4
with:
node_version: ${{ inputs.node_version }}
clean_install: "true"
Expand All @@ -103,7 +103,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/ort@1.9.3
- uses: epam/ai-dial-ci/actions/ort@1.9.4
with:
bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=NPM"
2 changes: 1 addition & 1 deletion .github/workflows/python_docker_pr.yml
Expand Up @@ -66,7 +66,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
image_name: ghcr.io/${{ env.IMAGE_NAME }}
image_tag: test
8 changes: 4 additions & 4 deletions .github/workflows/python_docker_release.yml
Original file line number Diff line number Diff line change
Expand Up @@ -68,7 +68,7 @@ jobs:
is_latest: ${{ steps.semantic_versioning.outputs.is_latest }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.3
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.4
id: semantic_versioning

release:
Expand All @@ -81,7 +81,7 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.3
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.4
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
Expand All @@ -92,7 +92,7 @@ jobs:
shell: bash
run: |
sed -i "s/^version = .*/version = \"${{ needs.calculate_version.outputs.non_semver_next_version }}\"/g" pyproject.toml
- uses: epam/ai-dial-ci/actions/build_docker@1.9.3
- uses: epam/ai-dial-ci/actions/build_docker@1.9.4
with:
ghcr_username: ${{ github.actor }}
ghcr_password: ${{ secrets.ACTIONS_BOT_TOKEN }}
Expand All @@ -109,7 +109,7 @@ jobs:
${{ github.ref == 'refs/heads/development' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'development') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}:{1}', env.IMAGE_NAME, 'latest') || ''}}
${{ startsWith(github.ref, 'refs/heads/release-') && needs.calculate_version.outputs.is_latest == 'true' && format('{0}/{1}:{2}', 'ghcr.io', env.IMAGE_NAME, 'latest') || ''}}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.3
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.4
with:
tag_version: ${{ needs.calculate_version.outputs.next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
6 changes: 3 additions & 3 deletions .github/workflows/python_docker_test.yml
Expand Up @@ -44,7 +44,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ inputs.python_version }}
- name: Test
Expand All @@ -60,7 +60,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ inputs.python_version }}
- name: Test
Expand All @@ -76,7 +76,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/ort@1.9.3
- uses: epam/ai-dial-ci/actions/ort@1.9.4
with:
bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=Poetry"
2 changes: 1 addition & 1 deletion .github/workflows/python_package_pr.yml
Expand Up @@ -73,7 +73,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ inputs.python_version }}
- run: make build
8 changes: 4 additions & 4 deletions .github/workflows/python_package_release.yml
Expand Up @@ -70,7 +70,7 @@ jobs:
non_semver_next_version: ${{ steps.semantic_versioning.outputs.non_semver_next_version }}
latest_tag: ${{ steps.semantic_versioning.outputs.latest_tag }}
steps:
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.3
- uses: epam/ai-dial-ci/actions/semantic_versioning@1.9.4
id: semantic_versioning

release:
Expand All @@ -83,14 +83,14 @@ jobs:
- calculate_version
- test
steps:
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.3
- uses: epam/ai-dial-ci/actions/generate_release_notes@1.9.4
with:
latest_tag: ${{ needs.calculate_version.outputs.latest_tag }}
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
token: ${{ secrets.ACTIONS_BOT_TOKEN }}
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ inputs.python_version }}
- name: Set version
Expand All @@ -104,7 +104,7 @@ jobs:
make publish
env:
PYPI_TOKEN: ${{ secrets.PYPI_TOKEN }}
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.3
- uses: epam/ai-dial-ci/actions/publish_tag_release@1.9.4
with:
tag_version: ${{ needs.calculate_version.outputs.non_semver_next_version }}
changelog_file: "/tmp/my_changelog" # comes from generate_release_notes step; TODO: beautify
6 changes: 3 additions & 3 deletions .github/workflows/python_package_test.yml
Expand Up @@ -68,7 +68,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ inputs.python_version }}
- name: Test
Expand All @@ -88,7 +88,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.3
- uses: epam/ai-dial-ci/actions/python_prepare@1.9.4
with:
python_version: ${{ matrix.python-version }}
- name: Test
Expand All @@ -107,7 +107,7 @@ jobs:
- uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.2.1
with:
lfs: true
- uses: epam/ai-dial-ci/actions/ort@1.9.3
- uses: epam/ai-dial-ci/actions/ort@1.9.4
with:
bypass_checks: ${{ inputs.bypass_checks || inputs.bypass_ort }}
cli_args: "-P ort.forceOverwrite=true --stacktrace -P ort.analyzer.enabledPackageManagers=Poetry"
3 changes: 3 additions & 0 deletions actions/build_docker/action.yml
Expand Up @@ -111,7 +111,10 @@ runs:
vuln-type: ${{ inputs.scan_vuln_type }}
severity: ${{ inputs.scan_severity }}
limit-severities-for-sarif: true
skip-setup-trivy: true # We already have trivy installed just above
env:
TRIVY_SKIP_DB_UPDATE: true # We already have the DB updated just above
TRIVY_SKIP_JAVA_DB_UPDATE: true # We already have the Java DB updated just above
CONTINUE_ON_ERROR: ${{ inputs.bypass_checks }} # Hack to use the input below as a boolean
continue-on-error: ${{ fromJSON(env.CONTINUE_ON_ERROR) }}
- name: Upload Trivy scan results to GitHub Security tab
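Review bot: Setting `TRIVY_SKIP_DB_UPDATE` and `TRIVY_SKIP_JAVA_DB_UPDATE` in the new `env:` block makes this scan only as current as whatever the earlier download step left on the runner, and that step is outside this hunk; if it restored a stale cache or was itself allowed to fail, Trivy would (as far as I can tell) run against old vulnerability data and report a clean image rather than erroring. Make sure the preceding download step is not best-effort (no `continue-on-error`, no `|| true`) and that any cache it restores is keyed so a stale DB gets refreshed, otherwise the skip trades a few seconds of runtime for silent false negatives. The same coupling applies to `skip-setup-trivy: true`: the binary installed earlier has to match the DB schema the action expects, so the Trivy version should be pinned in exactly one place and the comment should say where. Minor YAML style: Actions treats env values as strings anyway, so write them as `TRIVY_SKIP_DB_UPDATE: "true"` and `TRIVY_SKIP_JAVA_DB_UPDATE: "true"` to avoid boolean-typing surprises with other YAML tooling. The scanning step's `- uses:` line starts above this hunk.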
