allow fips-compliance enforcement when building #397
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: ci | |
on: | |
pull_request: | |
branches-ignore: | |
- none | |
jobs: | |
build-and-test: | |
name: Build and run tests | |
runs-on: ubuntu-latest | |
services: | |
redis: | |
image: redis | |
ports: | |
- 6379:6379 | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Setup Go | |
uses: actions/setup-go@v4 | |
with: | |
go-version: '^1.13.1' | |
- name: Get version | |
run: echo "VERSION=$(awk '/^const Version/{gsub(/"/, "", $4); print $4}' splitio/version.go)" >> $GITHUB_ENV | |
- name: Run test | |
run: make test_coverage | |
- name: Create build folder | |
run: mkdir -p build | |
- name: Build assets | |
run: make release_assets | |
- name: SonarQube Scan (Pull Request) | |
uses: SonarSource/sonarcloud-github-action@v1.9 | |
env: | |
SONAR_TOKEN: ${{ secrets.SONARQUBE_TOKEN }} | |
with: | |
projectBaseDir: . | |
args: > | |
-Dsonar.host.url=${{ secrets.SONARQUBE_HOST }} | |
-Dsonar.projectVersion=${{ env.VERSION }} | |
-Dsonar.pullrequest.key=${{ github.event.pull_request.number }} | |
-Dsonar.pullrequest.branch=${{ github.event.pull_request.head.ref }} | |
-Dsonar.pullrequest.base=${{ github.event.pull_request.base.ref }} | |
build-docker-image: | |
name: Build Docker Image | |
runs-on: ubuntu-latest | |
strategy: | |
matrix: | |
app: [synchronizer, proxy] | |
fips_mode: [enabled, disabled] | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@v3 | |
- name: Docker Build and Push | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: docker/Dockerfile.${{ matrix.app }} | |
push: false | |
tags: splitio-docker.jfrog.io/split-${{ matrix.app }}${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}:latest | |
build-args: | | |
FIPS_MODE=${{ matrix.fips_mode }} | |
- name: Scan container using Lacework | |
uses: lacework/lw-scanner-action@v1.4.0 | |
with: | |
LW_ACCOUNT_NAME: ${{ secrets.LW_ACCOUNT_NAME }} | |
LW_ACCESS_TOKEN: ${{ secrets.LW_ACCESS_TOKEN }} | |
IMAGE_NAME: splitio-docker.jfrog.io/split-${{ matrix.app }}${{ matrix.fips_mode == 'enabled' && '-fips' || '' }} | |
IMAGE_TAG: latest | |
SAVE_RESULTS_IN_LACEWORK: true | |
SAVE_BUILD_REPORT: true | |
BUILD_REPORT_FILE_NAME: split-${{ matrix.app }}${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}.html | |
- name: Save vulnerability report | |
if: always() | |
uses: actions/upload-artifact@v4 | |
with: | |
name: vulnerability_report_${{ matrix.app }}${{ matrix.fips_mode == 'enabled' && '-fips' || '' }} | |
path: split-${{ matrix.app }}${{ matrix.fips_mode == 'enabled' && '-fips' || '' }}.html | |
retention-days: 7 | |
overwrite: true |