chore: bump step-security/harden-runner from 2.5.0 to 2.5.1 #2976
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: test | |
| on: | |
| push: | |
| paths-ignore: | |
| - "**.md" | |
| - "hack/**" | |
| - "docs/**" | |
| pull_request: | |
| paths-ignore: | |
| - "**.md" | |
| - "hack/**" | |
| - "docs/**" | |
| env: | |
| REGISTRY: ghcr.io | |
| permissions: read-all | |
| jobs: | |
| generate-bucket-id: | |
| name: "Generate build id for storage" | |
| uses: ./.github/workflows/build-id.yaml | |
| build-images: | |
| name: "Build images for e2e tests" | |
| uses: ./.github/workflows/e2e-build.yaml | |
| needs: | |
| - generate-bucket-id | |
| with: | |
| bucket-id: ${{ needs.generate-bucket-id.outputs.bucket-id }} | |
| e2e-test: | |
| name: "Run e2e tests" | |
| uses: ./.github/workflows/e2e-test.yaml | |
| permissions: | |
| contents: write | |
| needs: | |
| - build-images | |
| - generate-bucket-id | |
| with: | |
| bucket-id: ${{ needs.generate-bucket-id.outputs.bucket-id }} | |
| lint: | |
| name: "Lint" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 40 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | |
| with: | |
| egress-policy: audit | |
| - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Set up Go 1.20 | |
| uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
| with: | |
| go-version: "1.20" | |
| - name: lint manager | |
| uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 | |
| with: | |
| version: latest | |
| args: --timeout=10m | |
| - name: lint remover | |
| uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 | |
| with: | |
| version: latest | |
| working-directory: pkg/remover | |
| skip-pkg-cache: true | |
| args: --timeout=10m | |
| - name: lint collector | |
| uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 | |
| with: | |
| version: latest | |
| working-directory: pkg/collector | |
| skip-pkg-cache: true | |
| args: --timeout=10m | |
| - name: lint trivvy scanner | |
| uses: golangci/golangci-lint-action@639cd343e1d3b897ff35927a75193d57cfcba299 # v3.6.0 | |
| with: | |
| version: latest | |
| working-directory: pkg/scanners/trivy | |
| skip-pkg-cache: true | |
| args: --timeout=10m | |
| unit-test: | |
| name: "Unit Tests" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 40 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | |
| with: | |
| egress-policy: audit | |
| - name: Set up Go 1.20 | |
| uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
| with: | |
| go-version: "1.20" | |
| - uses: actions/cache@88522ab9f39a2ea568f7027eddc7d8d8bc9d59c8 # v3.3.1 | |
| with: | |
| key: ${{ runner.OS }}-go-${{ hashFiles('**/go.sum') }} | |
| restore-keys: | | |
| ${{ runner.os }}-go- | |
| path: | | |
| ~/go/pkg/mod | |
| ~/.cache/go-build | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Unit test | |
| run: make test | |
| - name: Codecov upload | |
| uses: codecov/codecov-action@eaaf4bedf32dbdc6b720b63067d99c4d77d6047d | |
| with: | |
| flags: unittests | |
| file: ./cover.out | |
| fail_ci_if_error: false | |
| check-manifest: | |
| name: "Check codegen and manifest" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Set up Go 1.20 | |
| uses: actions/setup-go@fac708d6674e30b6ba41289acaab6d4b75aa0753 # v4.0.1 | |
| with: | |
| go-version: "1.20" | |
| - name: Check go.mod and manifests | |
| run: | | |
| go mod tidy | |
| git diff --exit-code | |
| make generate manifests | |
| git diff --exit-code | |
| scan_vulnerabilities: | |
| name: "[Trivy] Scan for vulnerabilities" | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| permissions: | |
| contents: read | |
| steps: | |
| - name: Harden Runner | |
| uses: step-security/harden-runner@8ca2b8b2ece13480cda6dacd3511b49857a23c09 | |
| with: | |
| egress-policy: audit | |
| - name: Check out code into the Go module directory | |
| uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 | |
| - name: Get repo | |
| run: | | |
| echo "REPO=$(echo $GITHUB_REPOSITORY | awk '{print tolower($0)}')" >> $GITHUB_ENV | |
| - name: Download trivy | |
| run: | | |
| pushd $(mktemp -d) | |
| wget https://github.com/aquasecurity/trivy/releases/download/v${{ env.TRIVY_VERSION }}/trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| tar zxvf trivy_${{ env.TRIVY_VERSION }}_Linux-64bit.tar.gz | |
| echo "$(pwd)" >> $GITHUB_PATH | |
| env: | |
| TRIVY_VERSION: "0.28.0" | |
| - name: Build eraser-manager | |
| run: | | |
| make docker-build-manager MANAGER_REPO=${{ env.REGISTRY }}/${REPO}-manager MANAGER_TAG=test | |
| - name: Build remover | |
| run: | | |
| make docker-build-remover REMOVER_REPO=${{ env.REGISTRY }}/remover REMOVER_TAG=test | |
| - name: Build collector | |
| run: | | |
| make docker-build-collector COLLECTOR_REPO=${{ env.REGISTRY }}/collector COLLECTOR_TAG=test | |
| - name: Build trivy scanner | |
| run: | | |
| make docker-build-trivy-scanner TRIVY_SCANNER_REPO=${{ env.REGISTRY }}/${REPO}-trivy-scanner TRIVY_SCANNER_TAG=test | |
| - name: Run trivy for remover | |
| run: trivy image --ignore-unfixed --exit-code=1 --vuln-type=os,library ${{ env.REGISTRY }}/remover:test | |
| - name: Run trivy for eraser-manager | |
| run: trivy image --ignore-unfixed --exit-code=1 --vuln-type=os,library ${{ env.REGISTRY }}/${REPO}-manager:test | |
| - name: Run trivy for collector | |
| run: trivy image --ignore-unfixed --exit-code=1 --vuln-type=os,library ${{ env.REGISTRY }}/collector:test | |
| - name: Run trivy for trivy-scanner | |
| run: trivy image --ignore-unfixed --exit-code=1 --vuln-type=os,library ${{ env.REGISTRY }}/${REPO}-trivy-scanner:test |