
chore: use quay images #164


Workflow file for this run

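# Public CI pipeline: lint, build, Go static analysis, unit tests and Trivy
# scans. Triggered on every push and every pull request.
name: 'Public-CI'
on: [push, pull_request]
# Workflow-wide default for the GITHUB_TOKEN; individual jobs widen it below
# only where they need to.
permissions:  # added using https://github.com/step-security/secure-repo
  contents: read
jobs:
  # Super-linter consists of several lint tools
  # lint tools are assigned to the pipeline via the env field
  # For more information, please see https://github.com/github/super-linter
  super-linter:
    permissions:
      contents: read  # for actions/checkout to fetch code
      statuses: write  # for github/super-linter to mark status of each linter run
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      - name: super-linter
        uses: github/super-linter@985ef206aaca4d560cb9ee2af2b42ba44adc1d55  # v4.10.0
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          LINTER_RULES_PATH: /
          VALIDATE_BASH: true
          VALIDATE_GO: true
          VALIDATE_DOCKERFILE_HADOLINT: true
          VALIDATE_CLANG_FORMAT: true
          VALIDATE_JSON: true

  # Build stage executes binary builds for CNI and device-plugin
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      # NOTE(review): this job and unit-tests pin setup-go v2.2.0 while
      # go-static-tools pins v3.5.0; align the three on one release.
      - name: Set up Go
        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492  # v2.2.0
        with:
          # Quoted so the version stays a string rather than a YAML float.
          go-version: '1.19'
      - name: Install dependencies
        # apt-get is the scripting interface; the space before each trailing
        # backslash keeps the last package name on a line from being glued to
        # the first one on the next line.
        run: |
          sudo apt-get update
          sudo apt-get install -y wget build-essential golang libbsd-dev libelf-dev libjson-c-dev \
            libnl-3-dev libnl-cli-3-dev libnuma-dev libpcap-dev meson \
            pkg-config zstd clang llvm gcc-multilib m4
      # NOTE(review): the libbpf and xdp-tools tarballs below are unpacked and
      # installed with sudo without any integrity check. Record the expected
      # SHA-256 of each archive in the repo and verify it before extracting, so
      # a replaced tag or release asset fails the job instead of being built as
      # root. The same two steps are repeated in go-static-tools and unit-tests.
      - name: Install libbpf
        run: |
          wget -q -O - https://github.com/libbpf/libbpf/archive/refs/tags/v1.1.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/libbpf-1.1.0/src install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/libbpf-1.1.0
      - name: Install libxdp
        run: |
          wget -q -O - https://github.com/xdp-project/xdp-tools/releases/download/v1.3.0/xdp-tools-1.3.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && cd "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 && ./configure && cd - \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 PREFIX=/usr install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 \
            && pkg-config --libs --static libelf
      - name: Run build
        run: make fixup && make build

  # go-static-tools scans code base and packages using go-vet, go mod verify and staticcheck
  go-static-tools:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      - name: Set up Go
        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568  # v3.5.0
        with:
          go-version: '1.19'
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y wget build-essential golang libbsd-dev libelf-dev libjson-c-dev \
            libnl-3-dev libnl-cli-3-dev libnuma-dev libpcap-dev meson \
            pkg-config zstd clang llvm gcc-multilib m4
      # Unverified downloads: see the note on the same steps in the build job.
      - name: Install libbpf
        run: |
          wget -q -O - https://github.com/libbpf/libbpf/archive/refs/tags/v1.1.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/libbpf-1.1.0/src install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/libbpf-1.1.0
      - name: Install libxdp
        run: |
          wget -q -O - https://github.com/xdp-project/xdp-tools/releases/download/v1.3.0/xdp-tools-1.3.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && cd "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 && ./configure && cd - \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 PREFIX=/usr install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 \
            && pkg-config --libs --static libelf
      - name: Install staticcheck
        run: go install honnef.co/go/tools/cmd/staticcheck@v0.4.0
      - name: run static analysis
        run: make static-ci

  # unit-test stage
  unit-tests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      - name: Set up Go
        uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492  # v2.2.0
        with:
          go-version: '1.19'
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y wget build-essential golang libbsd-dev libelf-dev libjson-c-dev \
            libnl-3-dev libnl-cli-3-dev libnuma-dev libpcap-dev meson \
            pkg-config zstd clang llvm gcc-multilib m4
      # Unverified downloads: see the note on the same steps in the build job.
      - name: Install libbpf
        run: |
          wget -q -O - https://github.com/libbpf/libbpf/archive/refs/tags/v1.1.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/libbpf-1.1.0/src install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/libbpf-1.1.0
      - name: Install libxdp
        run: |
          wget -q -O - https://github.com/xdp-project/xdp-tools/releases/download/v1.3.0/xdp-tools-1.3.0.tar.gz \
            | tar -xzC "${GITHUB_WORKSPACE}" \
            && cd "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 && ./configure && cd - \
            && sudo make -j -C "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 PREFIX=/usr install \
            && sudo rm -rf "${GITHUB_WORKSPACE}"/xdp-tools-1.3.0 \
            && pkg-config --libs --static libelf
      - name: unit-tests
        run: make test

  # Trivy Scan: scans the checked-out repository, then the image built from it.
  # NOTE(review): neither Trivy step sets exit-code, so findings are reported
  # but presumably do not fail the job - confirm that is intended.
  trivy-scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write  # needed by upload-sarif to publish scan results
    steps:
      - name: Checkout code
        uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c  # v3.3.0
      # NOTE(review): '@master' is a mutable ref, unlike the SHA-pinned actions
      # in the other jobs. Pin both trivy-action steps to a full commit SHA so
      # an upstream change cannot alter what runs in a job that holds
      # security-events: write.
      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: 'fs'
          ignore-unfixed: true
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL'
      - name: Build Docker image
        run: make image
      - name: Generate .tar image
        run: make generate-tar-image
      - name: Run Trivy on tarballed image
        uses: aquasecurity/trivy-action@master
        with:
          # The step used scan-type 'fs' with image-ref; in 'fs' mode the action
          # scans its scan-ref (the checkout by default) and does not read
          # image-ref, so the image was never scanned. Values under `with:` are
          # also not shell-expanded, so "${GITHUB_WORKSPACE}" stayed literal.
          # `input` is the action's parameter for a saved image archive.
          # NOTE(review): assumes `make generate-tar-image` writes
          # vul-image.tar to the workspace root - confirm against the Makefile.
          input: 'vul-image.tar'
          scan-type: 'image'
          ignore-unfixed: false
          format: 'sarif'
          output: 'trivy-image-results.sarif'
          severity: 'CRITICAL'
      # NOTE(review): '@v2' is a mutable tag; pin to a full commit SHA.
      # NOTE(review): only the repository results are uploaded; the image
      # results are printed below but never reach the Security tab. A second
      # upload step with its own `category` would publish them.
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'
      - name: Print sarif file
        run: cat < trivy-results.sarif
      - name: Print image sarif file
        run: cat trivy-image-results.sarif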