[discovery] Simplify the instructions for partial success (#4912) #7

Workflow file for this run

.github/workflows/vuln-scans.yml at 2d91f06

	name: vulnerability scans

	on:
	push:
	branches:
	- main
	pull_request:
	paths:
	- '.github/workflows/vuln-scans.yml'
	- '.grype.yaml'
	- '.trivyignore'
	- '.snyk'

	env:
	GO_VERSION: '1.21.10'

	concurrency:
	group: vuln-scans-${{ github.event.pull_request.number \|\| github.ref }}
	cancel-in-progress: true

	jobs:
	trivy-fs-scan:
	# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
	runs-on: ubuntu-20.04
	steps:
	- uses: actions/checkout@v4
	- name: Run trivy filesystem scan
	uses: aquasecurity/trivy-action@0.21.0
	with:
	scan-type: 'fs'
	scan-ref: '.'
	skip-dirs: 'deployments,examples,instrumentation/packaging,internal/buildscripts/packaging,tests'
	format: 'table'
	exit-code: '1'
	severity: 'CRITICAL,HIGH'
	ignore-unfixed: true

	anchore-fs-scan:
	runs-on: ubuntu-20.04
	steps:
	- uses: actions/checkout@v4
	- uses: anchore/scan-action@v3
	with:
	severity-cutoff: "high"
	only-fixed: true
	add-cpes-if-none: true
	output-format: "table"
	path: "."

	docker-otelcol:
	runs-on: ubuntu-20.04
	strategy:
	matrix:
	ARCH: [ "amd64", "arm64" ]
	fail-fast: false
	steps:
	- uses: actions/checkout@v4
	- uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}
	cache-dependency-path: '**/go.sum'
	- uses: actions/cache@v4
	id: bundle-cache
	with:
	path: .cache/buildx/agent-bundle-${{ matrix.ARCH }}
	key: agent-bundle-buildx-${{ matrix.ARCH }}-${{ hashFiles('internal/signalfx-agent/bundle/**') }}
	restore-keys: \|
	agent-bundle-buildx-${{ matrix.ARCH }}-
	- uses: docker/setup-qemu-action@v3
	if: ${{ matrix.ARCH != 'amd64' }}
	with:
	platforms: ${{ matrix.ARCH }}
	image: tonistiigi/binfmt:qemu-v7.0.0
	- run: \|
	make docker-otelcol ARCH=${{ matrix.ARCH }}
	env:
	DOCKER_BUILDKIT: '1'
	BUNDLE_CACHE_HIT: "${{ steps.bundle-cache.outputs.cache-hit }}"
	- run: mkdir -p dist && docker save -o dist/image.tar otelcol:latest
	- uses: actions/upload-artifact@v4
	with:
	name: otelcol-${{ matrix.ARCH }}
	path: ./dist

	binaries-windows_amd64:
	runs-on: ubuntu-20.04
	steps:
	- name: Check out the codebase.
	uses: actions/checkout@v4
	- name: Set up Go
	uses: actions/setup-go@v5
	with:
	go-version: ${{ env.GO_VERSION }}
	cache-dependency-path: '**/go.sum'
	- run: make binaries-windows_amd64
	- uses: actions/upload-artifact@v4
	with:
	name: binaries-windows_amd64
	path: \|
	./bin/*

	trivy-image-scan:
	# Use 20.04.5 until https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/16450 is resolved
	runs-on: ubuntu-20.04
	needs: docker-otelcol
	strategy:
	matrix:
	ARCH: [ "amd64", "arm64" ]
	fail-fast: false
	steps:
	- uses: actions/checkout@v4
	- uses: docker/setup-qemu-action@v3
	if: ${{ matrix.ARCH != 'amd64' }}
	with:
	platforms: ${{ matrix.ARCH }}
	image: tonistiigi/binfmt:qemu-v7.0.0
	- uses: actions/download-artifact@v4
	with:
	name: otelcol-${{ matrix.ARCH }}
	path: ./dist
	- run: docker load -i ./dist/image.tar
	- name: Run trivy image scan
	uses: aquasecurity/trivy-action@0.21.0
	with:
	scan-type: 'image'
	image-ref: 'otelcol:latest'
	format: 'table'
	exit-code: '1'
	severity: 'CRITICAL,HIGH'
	ignore-unfixed: true

	anchore-image-scan:
	runs-on: ubuntu-20.04
	needs: docker-otelcol
	strategy:
	matrix:
	ARCH: [ "amd64", "arm64" ]
	fail-fast: false
	env:
	GRYPE_PLATFORM: ${{ matrix.ARCH }}
	steps:
	- uses: actions/checkout@v4
	- uses: docker/setup-qemu-action@v3
	if: ${{ matrix.ARCH != 'amd64' }}
	with:
	platforms: ${{ matrix.ARCH }}
	image: tonistiigi/binfmt:qemu-v7.0.0
	- uses: actions/download-artifact@v4
	with:
	name: otelcol-${{ matrix.ARCH }}
	path: ./dist
	- run: docker load -i ./dist/image.tar
	- uses: anchore/scan-action@v3
	with:
	severity-cutoff: "high"
	only-fixed: true
	add-cpes-if-none: true
	output-format: "table"
	image: "otelcol:latest"

	anchore-win-image-scan:
	runs-on: windows-2022
	needs: [ "binaries-windows_amd64" ]
	env:
	PIP_CACHE_DIR: ${{ github.workspace }}/.cache/pip
	steps:
	- name: Check out the codebase.
	uses: actions/checkout@v4
	- name: Downloading binaries-windows_amd64
	uses: actions/download-artifact@v4
	with:
	name: binaries-windows_amd64
	path: ./bin
	- uses: actions/cache@v4
	with:
	path: ${{ env.PIP_CACHE_DIR }}
	key: agent-bundle-windows-pip-${{ hashFiles('internal/signalfx-agent/bundle/collectd-plugins.yaml', 'internal/signalfx-agent/bundle/scripts/requirements.txt') }}
	- run: ./internal/signalfx-agent/bundle/scripts/windows/make.ps1 bundle
	- name: Build docker image
	run: \|
	$ErrorActionPreference = 'Stop'
	Copy-Item .\bin\otelcol_windows_amd64.exe .\cmd\otelcol\otelcol.exe
	Copy-Item .\dist\agent-bundle_windows_amd64.zip .\cmd\otelcol\agent-bundle_windows_amd64.zip
	docker build -t otelcol-windows --build-arg BASE_IMAGE=mcr.microsoft.com/windows/servercore:ltsc2022 --build-arg JMX_METRIC_GATHERER_RELEASE=$(Get-Content internal\buildscripts\packaging\jmx-metric-gatherer-release.txt) -f .\cmd\otelcol\Dockerfile.windows .\cmd\otelcol\
	Remove-Item .\cmd\otelcol\otelcol.exe
	Remove-Item .\cmd\otelcol\agent-bundle_windows_amd64.zip
	- run: choco install -y grype
	- run: grype --fail-on high --only-fixed -o table otelcol-windows:latest

	snyk-fs-scan:
	runs-on: ubuntu-latest
	steps:
	- uses: actions/checkout@v4
	- name: Run Snyk to check for vulnerabilities
	uses: snyk/actions/golang@master
	continue-on-error: true # To make sure that SARIF upload gets called
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	command: code test
	args: --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk
	- name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: snyk.sarif

	snyk-docker-scan:
	runs-on: ubuntu-latest
	needs: docker-otelcol
	strategy:
	matrix:
	ARCH: [ "amd64", "arm64" ]
	fail-fast: false
	steps:
	- uses: actions/checkout@v4
	- uses: actions/download-artifact@v4
	with:
	name: otelcol-${{ matrix.ARCH }}
	path: ./dist
	- run: docker load -i ./dist/image.tar
	- uses: snyk/actions/docker@master
	env:
	SNYK_TOKEN: ${{ secrets.SNYK_TOKEN }}
	with:
	image: "otelcol:latest"
	args: --file=cmd/otelcol/Dockerfile --severity-threshold=high --sarif-file-output=snyk.sarif --policy-path=.snyk
	- name: Upload result to GitHub Code Scanning
	uses: github/codeql-action/upload-sarif@v3
	with:
	sarif_file: snyk.sarif

	govulncheck:
	runs-on: ubuntu-latest
	timeout-minutes: 30
	steps:
	- name: Checkout Repo
	uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
	- name: Setup Go
	uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0
	with:
	go-version: ${{ env.GO_VERSION }}
	cache: false
	- name: Cache Go
	id: go-cache
	uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
	with:
	path: \|
	~/go/bin
	~/go/pkg/mod
	key: go-cache-${{ runner.os }}-${{ hashFiles('**/go.sum') }}
	- name: Install Tools
	if: steps.go-cache.outputs.cache-hit != 'true'
	run: make install-tools
	- name: Run `govulncheck`
	run: make govulncheck

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[discovery] Simplify the instructions for partial success (#4912) #7

Workflow file

[discovery] Simplify the instructions for partial success (#4912) #7

Jobs

Run details

Workflow file for this run