Skip to content

Bump golang.org/x/crypto from 0.26.0 to 0.31.0 in /go/imagine #46

Bump golang.org/x/crypto from 0.26.0 to 0.31.0 in /go/imagine

Bump golang.org/x/crypto from 0.26.0 to 0.31.0 in /go/imagine #46

Workflow file for this run

name: go-legacy
on:
pull_request:
paths: [ 'go/**', '.github/workflows/go.yml' ]
push:
# If at least one path matches a pattern in the paths filter, the workflow runs
paths: [ 'go/**', '.github/workflows/go.yml' ]
branches: [ main ]
jobs:
# test run always
go-test:
runs-on: ubuntu-latest
steps:
- name: Checkout Repo
uses: actions/checkout@v4
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: ^1.22
- name: Test Go Projects
working-directory: ./go
run: |
make test
# build and push runs only on merge into default main branch
go-build-push:
needs: [go-test]
# && github.ref == 'refs/heads/master'
# if: " ! contains(github.event.head_commit.message, 'skip ci')"
if: github.ref == format('refs/heads/{0}', github.event.repository.default_branch) # run only on main
runs-on: ubuntu-latest
permissions:
packages: write
# avoid Resource not accessible by integration error on CodeQL action
# https://github.com/github/codeql/issues/8843#issuecomment-1108467590
actions: read
contents: read
security-events: write
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Checkout Repo
uses: actions/checkout@v4
- name: Set up Go 1.x
uses: actions/setup-go@v5
with:
go-version: ^1.22
id: go
- name: Configure AWS Credentials
uses: aws-actions/configure-aws-credentials@v4
with:
aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
aws-region: eu-central-1
# https://stackoverflow.com/a/58178121/4292075, https://stackoverflow.com/a/51761312/4292075
- name: Pull Environment Config from AWS SSM ParamStore
run: |
echo "LATEST_REPO_TAG=$(git ls-remote --tags --sort='v:refname' | tail -n1 | sed 's/.*\///; s/\^{}//')" >> $GITHUB_ENV
echo "RELEASE_NAME=$(aws ssm get-parameter --name /angkor/prod/RELEASE_NAME --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
echo "RELEASE_VERSION=$(aws ssm get-parameter --name /angkor/prod/RELEASE_VERSION --with-decryption --query 'Parameter.Value' --output text)" >> $GITHUB_ENV
# install SonarQube Scanner, we handle this ourselves
- name: Cache node modules
uses: actions/cache@v4
with:
path: |
~/.npm
**/node_modules
key: ${{ runner.os }}-npm-${{ hashFiles('**/package-lock.json') }}
restore-keys: |
${{ runner.os }}-npm-
- name: Node ${{ matrix.node-version }}
uses: actions/setup-node@v4
with:
node-version: ${{ matrix.node-version }}
- name: Install SonarQube Scanner with npm in ./tools/sonar
working-directory: ./tools/sonar/
run: |
npm install
# https://github.com/actions/cache/blob/main/examples.md#go---modules
- name: Cache Go modules packages
uses: actions/cache@v4
with:
path: ~/go/pkg/mod
key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
restore-keys: |
${{ runner.os }}-go-
- name: Build with Go and run Sonar Scanner
working-directory: ./go
run: |
make build
SONAR_TOKEN=$(aws ssm get-parameter --name /angkor/prod/SONAR_TOKEN --with-decryption --query 'Parameter.Value' --output text)
echo "Running SonarQube Scanner (make sonar)"
SONAR_TOKEN=$SONAR_TOKEN make sonar
# all go binaries are pushed to dockerhub as part of the image, but we (still) need polly binary for systemd service
aws s3 cp --no-progress dist/polly ${{ secrets.AWS_DEPLOY_TARGET }}/tools/polly
env:
CI: true
RELEASE_NAME: ${{ env.RELEASE_NAME }}
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} # Sonarcloud: Needed to get PR information, if any
- name: Lint Dockerfile with hadolint
uses: brpaz/hadolint-action@v1.5.0
with:
dockerfile: ./go/Dockerfile
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKER_USERNAME }}
password: ${{ secrets.DOCKER_PASSWORD }} # Password or personal access token used to log in to a Docker registry. If not set then no login will occur.
- name: Push to DockerHub
uses: docker/build-push-action@v6 # https://github.com/docker/build-push-action
with:
context: ./go
file: ./go/Dockerfile
platforms: linux/arm64,linux/amd64 #linux/amd64,linux/386
push: true
# can also use ${{ github.sha }} as tag
tags: ${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest
build-args: |
RELEASE_NAME: ${{ env.RELEASE_NAME }}
RELEASE_VERSION: ${{ env.RELEASE_VERSION }}
- name: Publish Action Event
run: |
aws sns publish --topic-arn $TOPIC_ARN --message "{\"action\":\"deploy-tools\",\"workflow\":\"$GITHUB_WORKFLOW\"}" \
--message-attributes "GITHUB_SHA={DataType=String,StringValue=\"$GITHUB_SHA\"}, GITHUB_RUN_ID={DataType=String,StringValue=\"$GITHUB_RUN_ID\"}"
env:
TOPIC_ARN: ${{ secrets.TOPIC_ARN }}
- name: Send Kafka Publish Event with Docker
id: send-kafka-pub-event-playground # becomes $GITHUB_ACTION
run: |
docker run -e KAFKA_PRODUCER_TOPIC_URL="${{secrets.KAFKA_PRODUCER_TOPIC_URL}}" -e KAFKA_PRODUCER_API_SECRET="${{secrets.KAFKA_PRODUCER_API_SECRET}}" ghcr.io/tillkuhn/rubin:latest \
-ce -key "$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" -header "producer=rubin/cli latest" \
-source "urn:ci:$GITHUB_REPOSITORY/$GITHUB_WORKFLOW/$GITHUB_JOB" \
-type "net.timafe.event.ci.published.v1" -subject "docker.io/${GITHUB_REPOSITORY}-tools" \
-record "{\"action\":\"$GITHUB_ACTION\",\"actor\":\"$GITHUB_ACTOR\",\"commit\":\"$GITHUB_SHA\",\"run_url\":\"$GITHUB_SERVER_URL/$GITHUB_REPOSITORY/actions/runs/$GITHUB_RUN_ID\",\"version\":\"${GITHUB_REF#refs/*/}\"}"
# Find Image Vulnerabilities Using GitHub and Aqua Security Trivy Action
# - https://github.com/aquasecurity/trivy-action
# - https://blog.aquasec.com/github-vulnerability-scanner-trivy
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
with:
image-ref: 'docker.io/${{ secrets.DOCKER_USERNAME }}/angkor-tools:latest'
format: 'sarif'
output: 'trivy-results.sarif'
# additional options when not using GitHub Code Scanning with sarif format
# format: 'table'
# exit-code: '1'
# ignore-unfixed: true
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
# Using Trivy with GitHub Code Scanning
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: 'trivy-results.sarif'