From 1da0b3b4ce2ca94886d999e6a627aa29dac1da98 Mon Sep 17 00:00:00 2001 From: Dave Henderson Date: Sat, 9 Nov 2024 16:12:48 -0500 Subject: [PATCH] ci(trivy): Avoid rate-limiting by using CLI directly (#2253) Signed-off-by: Dave Henderson --- .github/workflows/image-scan.yml | 51 ++++++++------- .github/workflows/release.yml | 108 +++++++++++++++++++++++++++++++ 2 files changed, 137 insertions(+), 22 deletions(-) create mode 100644 .github/workflows/release.yml diff --git a/.github/workflows/image-scan.yml b/.github/workflows/image-scan.yml index 6211e7da7..164057928 100644 --- a/.github/workflows/image-scan.yml +++ b/.github/workflows/image-scan.yml @@ -19,30 +19,37 @@ jobs: - name: Quick build (linux/alpine only) run: | docker build --target gomplate-alpine -t gomplate . - - name: Run Trivy vulnerability scanner (table output) - uses: aquasecurity/trivy-action@master + - name: Install Trivy + uses: aquasecurity/setup-trivy@v0.2.2 with: - image-ref: gomplate - format: table - exit-code: 1 - ignore-unfixed: true - vuln-type: os,library - severity: CRITICAL,HIGH + version: v0.57.0 + cache: true + - name: Download Trivy DB + run: | + trivy fs --no-progress --download-db-only --db-repository public.ecr.aws/aquasecurity/trivy-db + - name: Run Trivy vulnerability scanner (table output) + run: | + trivy image \ + --scanners vuln \ + --format table \ + --exit-code 1 \ + --ignore-unfixed \ + --pkg-types os,library \ + --severity CRITICAL,HIGH \ + --skip-db-update \ + gomplate - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@master - with: - image-ref: gomplate - format: sarif - output: trivy-results.sarif - # exit-code: 1 - ignore-unfixed: true - vuln-type: os,library - # The SARIF format ignores severity and uploads all vulnerabilities for - # later triage. The table-format step above is used to fail the build if - # there are any critical or high vulnerabilities. - # See https://github.com/aquasecurity/trivy-action/issues/95 - # severity: 'CRITICAL,HIGH' - trivyignores: .trivyignore + run: | + trivy image \ + --scanners vuln \ + --format sarif \ + --output trivy-results.sarif \ + --ignore-unfixed \ + --pkg-types os,library \ + --ignorefile .trivyignore \ + --skip-db-update \ + gomplate + if: always() && github.repository == 'hairyhenderson/gomplate' - name: Upload Trivy scan results to GitHub Security tab uses: github/codeql-action/upload-sarif@v3 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml new file mode 100644 index 000000000..ff95f66b3 --- /dev/null +++ b/.github/workflows/release.yml @@ -0,0 +1,108 @@ +name: Deploy Released Assets + +on: + release: + types: [published] + +permissions: + contents: write + pull-requests: write + +jobs: + deploy-alpine: + runs-on: ubuntu-latest + environment: + name: aports + env: + TAG_NAME: ${{ github.event.release.tag_name }} + steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + - name: Retrieve release artifacts + id: artifacts + run: | + # need the checksums + gh release download ${TAG_NAME} --skip-existing -p "${TAG_NAME}.sha*" + + echo "sha256sum=$(cat ${TAG_NAME}.sha256)" >> $GITHUB_OUTPUT + echo "sha512sum=$(cat ${TAG_NAME}.sha512)" >> $GITHUB_OUTPUT + + # need gomplate to template the APKBUILD! + gh release download ${TAG_NAME} --skip-existing -p gomplate_linux-amd64 + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + - uses: actions/checkout@v4 + - name: checkout alpinelinux/aports + run: | + git config --global user.name "${{ vars.USERNAME }}" + git config --global user.email "${{ secrets.EMAIL }}" + git clone https://gitlab.alpinelinux.org/hairyhenderson/aports.git + git remote add upstream https://gitlab.alpinelinux.org/alpine/aports.git + cd aports + git checkout master + - name: update fork + run: | + cd aports + git fetch upstream + git rebase upstream/master + git push + - name: upgrade gomplate in aports + run: | + cd aports/community/gomplate + git checkout -b upgrade-gomplate-aport-${VERSION} + + export VERSION=${TAG_NAME#v} + + export ENVJSON="{\"version\": \"${VERSION}\", \"sha512\": \"${{ steps.artifacts.outputs.sha512sum }}\" }" + gomplate_linux-amd64 -c .=env:///ENVJSON\?type=application/json \ + -f ../../../packaging/alpine/APKBUILD.tmpl \ + -o APKBUILD + + git add APKBUILD + git commit -S -sm "community/gomplate: upgrade to ${VERSION}" + git push -u origin upgrade-gomplate-aport-${VERSION} + + # open a PR + lab mr create --allow-collaboration \ + -m "community/gomplate: upgrade to ${VERSION}" \ + -m "https://github.com/${{ github.repository }}/releases/tag/${TAG_NAME}" + - name: + run: | + echo "Triggered by release ${{ github.event.release.tag_name }}" + + env: + GH_TOKEN: ${{ steps.app-token.outputs.token }} + deploy-homebrew: + runs-on: ubuntu-latest + environment: + name: homebrew + env: + TAG_NAME: ${{ github.event.release.tag_name }} + steps: + - uses: actions/create-github-app-token@v1 + id: app-token + with: + app-id: ${{ vars.APP_ID }} + private-key: ${{ secrets.PRIVATE_KEY }} + # - name: Retrieve release artifacts + # id: artifacts + # run: | + # # need the checksum and archive + # gh release download ${TAG_NAME} -p "${TAG_NAME}.sha*" + + # echo "sha256sum=$(cat ${TAG_NAME}.sha256)" >> $GITHUB_OUTPUT + # echo "archive=https://github.com/${{ github.repository }}/archive/refs/tags/${TAG_NAME}.tar.gz" >> $GITHUB_OUTPUT + # env: + # GH_TOKEN: ${{ steps.app-token.outputs.token }} + - name: Set up Homebrew + id: set-up-homebrew + uses: Homebrew/actions/setup-homebrew@master + - name: Bump packages + uses: Homebrew/actions/bump-packages@master + with: + token: ${{ steps.app-token.outputs.token }} + formulae: gomplate + fork: false