Bump golang.org/x/crypto from 0.26.0 to 0.31.0 in /go/topkapi #45
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: go-legacy | |
on: | |
pull_request: | |
paths: [ 'go/**', '.github/workflows/go.yml' ] | |
push: | |
# If at least one path matches a pattern in the paths filter, the workflow runs | |
paths: [ 'go/**', '.github/workflows/go.yml' ] | |
branches: [ main ] | |
jobs: | |
# test run always | |
go-test: | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
- name: Set up Go 1.x | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ^1.22 | |
- name: Test Go Projects | |
working-directory: ./go | |
run: | | |
make test | |
# build and push runs only on merge into default main branch | |
go-build-push: | |
needs: [go-test] | |
# && github.ref == 'refs/heads/master' | |
# if: " ! contains(github.event.head_commit.message, 'skip ci')" | |
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main | |
runs-on: ubuntu-latest | |
permissions: | |
packages: write | |
# avoid Resource not accessible by integration error on CodeQL action | |
# https://github.com/github/codeql/issues/8843#issuecomment-1108467590 | |
actions: read | |
contents: read | |
security-events: write | |
steps: | |
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it | |
- name: Checkout Repo | |
uses: actions/checkout@v4 | |
- name: Set up Go 1.x | |
uses: actions/setup-go@v5 | |
with: | |
go-version: ^1.22 | |
id: go | |
- name: Configure AWS Credentials | |
uses: aws-actions/configure-aws-credentials@v4 | |
with: | |
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }} | |
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }} | |
aws-region: eu-central-1 | |
# https://stackoverflow.com/a/58178121/4292075, https://stackoverflow.com/a/51761312/4292075 | |
- name: Pull Environment Config from AWS SSM ParamStore | |
run: | | |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV | |
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV | |
# install SonarQube Scanner, we handle this ourselves | |
- name: Cache node modules | |
uses: actions/cache@v4 | |
with: | |
path: | | |
~/.npm | |
**/node_modules | |
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }} | |
restore-keys: | | |
${{ runner.os }}-npm- | |
- name: Node ${{ matrix.node-version }} | |
uses: actions/setup-node@v4 | |
with: | |
node-version: ${{ matrix.node-version }} | |
- name: Install SonarQube Scanner with npm in ./tools/sonar | |
working-directory: ./tools/sonar/ | |
run: | | |
npm install | |
# https://github.com/actions/cache/blob/main/examples.md#go---modules | |
- name: Cache Go modules packages | |
uses: actions/cache@v4 | |
with: | |
path: ~/go/pkg/mod | |
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }} | |
restore-keys: | | |
${{ runner.os }}-go- | |
- name: Build with Go and run Sonar Scanner | |
working-directory: ./go | |
run: | | |
make build | |
SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text) | |
echo "Running SonarQube Scanner (make sonar)" | |
SONAR_TOKEN=$SONAR_TOKEN make sonar | |
# all go binaries are pushed to dockerhub as part of the image, but we (still) need polly binary for systemd service | |
aws s3 cp --no-progress dist/polly ${{ secrets.AWS_DEPLOY_TARGET }}/tools/polly | |
env: | |
CI: true | |
RELEASE_NAME: ${{ env.RELEASE_NAME }} | |
RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any | |
- name: Lint Dockerfile with hadolint | |
uses: brpaz/hadolint-action@v1.5.0 | |
with: | |
dockerfile: ./go/Dockerfile | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKER_USERNAME }} | |
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur. | |
- name: Push to DockerHub | |
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action | |
with: | |
context: ./go | |
file: ./go/Dockerfile | |
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386 | |
push: true | |
# can also use ${{ github.sha }} as tag | |
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest | |
build-args: | | |
RELEASE_NAME: ${{ env.RELEASE_NAME }} | |
RELEASE_VERSION: ${{ env.RELEASE_VERSION }} | |
- name: Publish Action Event | |
run: | | |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-tools\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \ | |
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}" | |
env: | |
TOPIC_ARN: ${{ secrets.TOPIC_ARN }} | |
- name: Send Kafka Publish Event with Docker | |
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION | |
run: | | |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \ | |
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \ | |
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \ | |
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-tools" \ | |
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}" | |
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action | |
# - https://github.com/aquasecurity/trivy-action | |
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest' | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
# additional options when not using GitHub Code Scanning with sarif format | |
# format: 'table' | |
# exit-code: '1' | |
# ignore-unfixed: true | |
# vuln-type: 'os,library' | |
# severity: 'CRITICAL,HIGH' | |
# Using Trivy with GitHub Code Scanning | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'trivy-results.sarif' | |