CI: Bump version to v5.6.0-92.23 #218

Workflow file for this run

.github/workflows/image-scan-analysis.yml at 1fe1657

	name: Image Security Scan

	on:
	push:
	branches: [master, test, dev]
	pull_request:
	branches: [master, test, dev]
	schedule:
	- cron: "30 5 14 * *" # Run this scan every sprint release cycle 14th of every month at 5:30 UTC

	jobs:
	nodejs-base-image:
	name: nodejs-base-image
	if: github.event.pull_request.head.repo.full_name == github.repository
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./openshift/4.0/templates/base-images
	image-name: nodejs-14-ubi8
	tag: ${{secrets.NODEJS14_BASE_TAG}} # 1-35
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: nodejs14.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}} # service account gitaction in openshift will be used here!
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Pull nodejs Base Image
	env:
	OPENSHIFT_NAMESPACE: 3cd915-tools
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan nodejs14 Base Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3
	if-no-files-found: error

	comment_nodejs_pr:
	# this action will leave a comment in response to vulnerability scans performed on cotnainer image
	if: always() && needs.nodejs-base-image.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: nodejs-base-image
	runs-on: ubuntu-latest
	env:
	working-directory: ./source/frontend
	image-name: nodejs-14-ubi8
	tag: ${{secrets.NODEJS14_BASE_TAG}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: nodejs14.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}
	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	nginx-base-image:
	name: nginx-base-image
	if: github.event.pull_request.head.repo.full_name == github.repository
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./openshift/s2i/nginx-runtime
	image-name: nginx-base
	tag: ${{secrets.NGINX_BASE_TAG}} # mainline
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: nginx-base.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Pull Nginx Runtime Base Image
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan Nginx Runtime Base Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3

	comment_nginx_pr:
	# this action will leave a comment in response to vulnerability scans performed on cotnainer image
	if: always() && needs.nginx-base-image.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: nginx-base-image
	runs-on: ubuntu-latest
	env:
	working-directory: ./source/frontend
	image-name: nginx-base
	tag: ${{secrets.NGINX_BASE_TAG}}
	output-filename: nginx-base.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}

	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	build_frontend:
	if: always() && github.event.pull_request.head.repo.full_name == github.repository
	needs: [nodejs-base-image, nginx-base-image]
	name: pims-frontend
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./source/frontend
	image-name: pims-app
	tag: latest
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: pims-app.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Pull PIMS App React Frontend Image
	env:
	OPENSHIFT_NAMESPACE: 3cd915-tools
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan PIMS React Frontend Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3

	comment_app_pr:
	# this action will leave a comment in response to credential scans performed on pull requests
	if: always() && needs.build_frontend.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: build_frontend
	runs-on: ubuntu-latest
	env:
	working-directory: ./source/frontend
	image-name: pims-app
	tag: latest
	output-filename: pims-app.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}

	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	aspnet-runtime:
	name: aspnet-runtime
	if: github.event.pull_request.head.repo.full_name == github.repository
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./openshift/4.0/templates/base-images/dotnet50
	image-name: dotnet-aspnet
	tag: "5.0"
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: dotnet-aspnet.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Pull aspnet dotnet5 runtime Base Image
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan dotnet5 SDK and runtime Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3

	comment_aspnet_pr:
	# this action will leave a comment in response to credential scans performed on pull requests
	if: always() && needs.aspnet-runtime.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: aspnet-runtime
	runs-on: ubuntu-latest
	env:
	working-directory: ./openshift/4.0/templates/base-images/dotnet50
	image-name: dotnet-aspnet
	tag: "5.0"
	output-filename: dotnet-aspnet.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}

	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	dotnet-sdk:
	name: dotnet5-sdk
	if: github.event.pull_request.head.repo.full_name == github.repository
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./openshift/4.0/templates/base-images/dotnet50
	image-name: dotnet-sdk
	tag: "5.0"
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: dotnet-sdk.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Pull aspnet dotnet5 runtime Base Image
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan dotnet5 SDK and runtime Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3

	comment_dotnetsdk_pr:
	# this action will leave a comment in response to credential scans performed on pull requests
	if: always() && needs.dotnet-sdk.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: dotnet-sdk
	runs-on: ubuntu-latest
	env:
	working-directory: ./openshift/4.0/templates/base-images/dotnet50
	image-name: dotnet-sdk
	tag: "5.0"
	output-filename: dotnet-sdk.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}

	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	build_backend:
	if: always() && github.event.pull_request.head.repo.full_name == github.repository
	needs: [aspnet-runtime, dotnet-sdk]
	name: pims-backend
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./source/backend
	image-name: pims-api
	tag: latest
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: pims-api.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Pull PIMS Backend API Image
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan PIMS Backend API Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3

	comment_api_pr:
	# this action will leave a comment in response to credential scans performed on pull requests
	if: always() && needs.build_backend.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: build_backend
	runs-on: ubuntu-latest
	env:
	working-directory: ./source/backend
	image-name: pims-api
	tag: latest
	output-filename: pims-api.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}

	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	pims_logging:
	if: always() && github.event.pull_request.head.repo.full_name == github.repository
	needs: [build_frontend, build_backend]
	name: logging
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	env:
	working-directory: ./openshift/4.0/templates/Logging
	image-name: pims-logging
	tag: latest
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: pims-logging.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{secrets.OPENSHIFT_REGISTRY}}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Build PIMS Logging
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan PIMS Logging Image with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload OWASP ZAP scan artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3
	if-no-files-found: error

	comment_logging_pr:
	# this action will leave a comment in response to Image scans performed on pull requests
	if: always() && needs.pims_logging.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: pims_logging
	runs-on: ubuntu-latest
	env:
	working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap
	image-name: pims-logging
	tag: latest
	output-filename: pims-logging.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}
	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

	jenkins-agent-dotnet:
	if: github.event.pull_request.head.repo.full_name == github.repository
	name: jenkins-agent-dotnet
	runs-on: ubuntu-latest
	permissions:
	actions: read
	contents: read
	security-events: write
	pull-requests: write
	env:
	working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap
	image-name: jenkins-agent-dotnet
	tag: latest
	OPENSHIFT_NAMESPACE: 3cd915-tools
	output-filename: jenkins-agent-dotnet.txt

	steps:
	- uses: actions/checkout@v4
	- name: Authenticate and set context
	uses: redhat-actions/oc-login@v1
	env:
	# These can be stored in secrets, if desired.
	OPENSHIFT_USER: ${{secrets.OC_USERNAME_SA}}
	OPENSHIFT_NAMESPACE: 3cd915-tools
	SERVER_URL: ${{secrets.OPENSHIFT_SERVER}}
	OPENSHIFT_REGISTRY: ${{secrets.OPENSHIFT_REGISTRY}}

	with:
	openshift_server_url: ${{ secrets.OPENSHIFT_SERVER }}
	openshift_token: ${{ secrets.OPENSHIFT_TOKEN }}

	- name: Login to OpenShift Container Registry
	uses: docker/login-action@v1
	with:
	registry: ${{ secrets.OPENSHIFT_REGISTRY }}
	username: ${{ secrets.OC_USERNAME_SA }}
	password: ${{ secrets.OPENSHIFT_TOKEN }}
	- name: Pull jenkins-agent-dotnet Image
	run: \|
	docker pull ${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}
	working-directory: ${{env.working-directory}}
	- name: Scan jenkins-agent-dotnet with Aqua Trivy
	id: scan
	uses: aquasecurity/trivy-action@master
	with:
	image-ref: "${{secrets.OPENSHIFT_REGISTRY}}/${{env.OPENSHIFT_NAMESPACE}}/${{env.image-name}}:${{env.tag}}"
	format: "table"
	exit-code: "1"
	ignore-unfixed: true
	vuln-type: "os,library"
	severity: "CRITICAL,HIGH"
	output: ${{env.output-filename}}
	- if: failure() && steps.scan.outcome == 'failure'
	name: Upload jenkins agent scan artifact
	uses: actions/upload-artifact@v4
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.output-filename}}
	retention-days: 3
	if-no-files-found: error

	comment_agent_pr:
	# this action will leave a comment in response to credential scans performed on pull requests
	if: always() && needs.jenkins-agent-dotnet.result == 'failure' && github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository
	needs: jenkins-agent-dotnet
	runs-on: ubuntu-latest
	env:
	working-directory: ./openshift/4.0/templates/jenkins-slaves/jenkins-slave-zap
	image-name: jenkins-agent-dotnet
	tag: latest
	output-filename: jenkins-agent-dotnet.txt
	steps:
	- uses: actions/checkout@v4
	- name: Download artifact
	id: artifact
	uses: actions/download-artifact@master
	with:
	name: ${{env.image-name}}_scan_report
	path: ./${{env.image-name}}
	- name: Get comment body
	id: get-comment-body
	if: steps.artifact.outcome == 'success'
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	body="$(cat ${{env.output-filename}})"
	body="${body//'%'/'%25'}"
	body="${body//$'\n'/'%0A'}"
	body="${body//$'\r'/'%0D'}"
	echo "::set-output name=body::$body"
	fi
	- name: Find Comment
	if: github.event_name == 'pull_request'
	uses: peter-evans/find-comment@v1
	id: fc
	with:
	issue-number: ${{ github.event.pull_request.number }}
	comment-author: "github-actions[bot]"
	body-includes: ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report

	- name: Comment on PR
	if: steps.fc.outputs.comment-id == '' && steps.get-comment-body.outcome != 'failure'
	env:
	GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
	run: \|
	cd ${{env.image-name}}/
	if [ -s ${{env.output-filename}} ]; then
	commentPR () {
	gh pr comment $PRNUM -b "${1}"
	}
	PRNUM=${{ github.event.pull_request.number }}
	PRBODY=$(cat ${{env.output-filename}})
	INDENTED='## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	```'${PRBODY}'```';
	commentPR "$INDENTED"
	else
	echo "No vulnerability detected in this image"
	fi

	- name: Update PR Comment
	if: github.event_name == 'pull_request' && steps.fc.outputs.comment-id != ''
	uses: peter-evans/create-or-update-comment@v1
	with:
	comment-id: ${{ steps.fc.outputs.comment-id }}
	issue-number: ${{ github.event.pull_request.number }}
	body: \|
	## ${{secrets.OPENSHIFT_REGISTRY}}/${{env.image-name}}:${{env.tag}} vulnerability report
	``` echo "${{ steps.get-comment-body.outputs.body }}"```
	edit-mode: replace
	reactions: confused

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CI: Bump version to v5.6.0-92.23 #218

Workflow file

CI: Bump version to v5.6.0-92.23 #218

Jobs

Run details

Workflow file for this run