From 2608016d0c6a55ee62c6960cf1a038d129092b63 Mon Sep 17 00:00:00 2001 From: Dagan Henderson Date: Sat, 31 Aug 2024 15:43:44 -0700 Subject: [PATCH 1/3] Updates actions to publish releases --- .github/workflows/{go-build.yml => build.yml} | 80 +++++++++---------- .github/workflows/docker-build.yml | 67 ++++++++++++++++ .github/workflows/helm-release.yml | 45 +++-------- .github/workflows/helm-validate.yml | 32 -------- Dockerfile | 8 +- Makefile | 25 +++--- charts/konfirm/Chart.lock | 6 ++ .../konfirm-validate/templates/testsuite.yaml | 2 +- .../charts/konfirm-validate/values.yaml | 2 +- charts/konfirm/templates/deployment.yaml | 2 +- charts/konfirm/values.yaml | 2 +- charts/mock-inspection/templates/failing.yaml | 2 +- charts/mock-inspection/templates/passing.yaml | 2 +- charts/mock-inspection/templates/random.yaml | 2 +- charts/mock-inspection/values.yaml | 2 +- docker/e2e.dockerfile | 8 +- docker/mock.dockerfile | 12 +-- 17 files changed, 158 insertions(+), 141 deletions(-) rename .github/workflows/{go-build.yml => build.yml} (56%) create mode 100644 .github/workflows/docker-build.yml delete mode 100644 .github/workflows/helm-validate.yml create mode 100644 charts/konfirm/Chart.lock diff --git a/.github/workflows/go-build.yml b/.github/workflows/build.yml similarity index 56% rename from .github/workflows/go-build.yml rename to .github/workflows/build.yml index 7ea680f..04cc6c5 100644 --- a/.github/workflows/go-build.yml +++ b/.github/workflows/build.yml 
@@ -1,86 +1,82 @@ -name: Go Build +name: Build -permissions: - contents: read +permissions: { } on: push: - branches: ['develop'] + branches: [ 'develop' ] pull_request: - branches: ['develop'] - paths-ignore: - - '.github/**' - - 'charts/**' - - 'LICENSE' - - 'README.md' + branches: [ 'develop' ] types: - opened - ready_for_review - reopened - synchronize + paths-ignore: + - '.github/**' + - 'charts/**' + - 'LICENSE' + - 'README.md' jobs: - Setup: - if: github.event.pull_request.draft == false + + SetUp: runs-on: ubuntu-latest + permissions: + contents: read steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - name: Install Dependencies run: go mod download + Test: - needs: Setup runs-on: ubuntu-latest + needs: [ SetUp ] + permissions: + contents: read steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - name: Test run: make test - env: - ENVTEST_K8S_VERSION: "1.30" + Build: - needs: Test + needs: [ SetUp ] runs-on: ubuntu-latest + permissions: + contents: read + security-events: write steps: - - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - name: Set up Go uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32 # v5.0.2 with: go-version: stable - name: Build - run: make build - - name: Upload Konfirm - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - with: - name: konfirm - path: bin/konfirm - retention-days: 1 - Scan: - 
needs: Build - runs-on: ubuntu-latest - permissions: - contents: read - security-events: write - actions: read - steps: - - name: Checkout code - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - - name: Download Konfirm - uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 + run: make docker-build - name: Scan with Trivy uses: aquasecurity/trivy-action@6e7b7d1fd3e4fef0c5fa8cce1229c54b2c9bd0d8 # v0.24.0 with: - scan-type: 'fs' - format: 'sarif' + scan-type: 'image' + scanners: 'vuln' + image-ref: 'ghcr.io/raft-tech/konfirm/controller' + ignore-unfixed: 'true' + limit-severities-for-sarif: true output: 'trivy-results.sarif' + format: 'sarif' severity: 'MEDIUM,HIGH,CRITICAL' + vuln-type: 'os,library' - name: Upload scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@0e346f2c4a1b999b44f1ef93fe08bdb83dae63ab # v2.18.1 + uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 with: - sarif_file: 'trivy-results.sarif' \ No newline at end of file + sarif_file: 'trivy-results.sarif' diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml new file mode 100644 index 0000000..997a179 --- /dev/null +++ b/.github/workflows/docker-build.yml 
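Review bot: The new Trivy step sets `scanners: 'vuln'`, which switches off the secret scanner that the previous `fs` scan ran by default, so a credential committed to the repository is no longer flagged by this workflow; unless that was intentional, drop the `scanners:` line or add a second step with `scan-type: 'fs'` and `scanners: 'secret'` against the checkout. `image-ref: 'ghcr.io/raft-tech/konfirm/controller'` carries no tag, so Trivy resolves `latest`, which `make docker-build` happens to tag; if that tagging changes, Trivy will presumably fall back to pulling the published `:latest` from ghcr.io and silently scan the wrong artifact, so spell the tag out (`image-ref: 'ghcr.io/raft-tech/konfirm/controller:latest'`) or scan `$(IMAGE_VERSION)`. `ignore-unfixed: 'true'` also hides findings with no upstream fix from the Security tab, which is a policy choice that deserves a comment on that line (`# unfixed OS/library CVEs are tracked out of band`). The `Test` job no longer exports `ENVTEST_K8S_VERSION`; that is harmless only because the Makefile sets it with `=` rather than `?=`, so the variable was never overridable from here.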
@@ -0,0 +1,67 @@ +name: Docker Build + +permissions: { } + +on: + workflow_dispatch: + push: + branches: [ 'develop' ] + pull_request: + branches: + - 'develop' + types: + - opened + - ready_for_review + - reopened + - synchronize + release: + types: [ 'published' ] + +env: + IMAGE_REGISTRY: ghcr.io/raft-tech/konfirm + IMAGE_NAME: controller + +jobs: + + Publish: + runs-on: ubuntu-latest + permissions: + contents: read + packages: write + attestations: write + outputs: + IMAGE_ID: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ steps.docker.outputs.digest }} + steps: + - name: Set up QEMU + uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf #v3.2.0 + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@988b5a0280414f521da01fcc63a27aeeb4b104db #v3.6.1 + - name: Login to the Container Registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 #v3.3.0 + with: + registry: ${{ env.IMAGE_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Checkout + uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 + - name: Extract metadata (tags, labels) for Docker + id: metadata + uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81 #v5.5.1 + with: + images: ${{ env.IMAGE_REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=edge,branch=develop + type=ref,event=pr + - name: Build and push + id: docker + uses: docker/build-push-action/@5cd11c3a4ced054e52742c5fd54dca954e0edd85 #v6.7.0 + with: + context: . + platforms: linux/amd64,linux/arm64 + push: true + annotations: ${{ steps.metadata.outputs.annotations }} + labels: ${{ steps.metadata.outputs.labels }} + tags: ${{ steps.metadata.outputs.tags }} diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml index 954cead..c552b49 100644 
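Review bot: The `Publish` job grants `attestations: write` but no step uses it, so the permission is dead weight until a provenance step exists; either remove the line or add `id-token: write` alongside it and an `actions/attest-build-provenance` step pinned to a commit SHA that takes `subject-digest: ${{ steps.docker.outputs.digest }}` and `push-to-registry: true`. The `uses: docker/build-push-action/@5cd11c3a…` reference has a stray `/` before the `@`; confirm that resolves, since the other actions on this page use the `owner/repo@sha` form. `type=edge,branch=develop` and the semver patterns produce only mutable tags, so downstream consumers (including the Helm charts in this patch) should pin to the digest exposed in the `IMAGE_ID` output rather than a tag. Consider also `sbom: true` and `provenance: mode=max` on the build step if you want the image to carry verifiable build metadata.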
--- a/.github/workflows/helm-release.yml +++ b/.github/workflows/helm-release.yml @@ -1,49 +1,22 @@ name: Release Charts -permissions: - contents: read +permissions: { } on: workflow_dispatch: - push: - tags: ["*"] + release: + types: [ 'published' ] jobs: - release: + + Publish: runs-on: ubuntu-latest + permissions: + contents: read steps: - name: Checkout uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 with: fetch-depth: 0 - - uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 - name: Setup Helm - with: - version: 'latest' - token: ${{ secrets.GHUB_TOKEN }} # only needed if version is 'latest' - id: install - - name: Package Helm Chart - run: | - helm package ./charts/ - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - name: Upload Helm Chart Snapshot Version - if: startsWith(github.ref, 'refs/tags/v') != true - with: - name: konfirm-${{ github.sha }}.tgz - path: konfirm*.tgz - - name: Set env containing release tag - if: startsWith(github.ref, 'refs/tags/v') - run: echo "RELEASE_VERSION=${GITHUB_REF#refs/*/}" >> $GITHUB_ENV - - uses: actions/upload-artifact@834a144ee995460fba8ed112a2fc961b36a5ec5a # v4.3.6 - name: Upload Helm Chart Release Version - if: startsWith(github.ref, 'refs/tags/v') - with: - name: konfirm-${{ env.RELEASE_VERSION }}.tgz - path: konfirm*.tgz - - name: Release with Notes - uses: softprops/action-gh-release@c062e08bd532815e2082a85e87e3ef29c3e6d191 # v2.0.8 - if: startsWith(github.ref, 'refs/tags/v') - with: - files: konfirm*.tgz - env: - GITHUB_TOKEN: ${{ secrets.GHUB_TOKEN }} + - name: Helm Setup + uses: azure/setup-helm@fe7b79cd5ee1e45176fcad797de68ecaf3ca4814 # v4.2.0 diff --git a/.github/workflows/helm-validate.yml b/.github/workflows/helm-validate.yml deleted file mode 100644 index 4e93d25..0000000 --- a/.github/workflows/helm-validate.yml +++ /dev/null 
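Review bot: After this change the `Publish` job checks out the repo and installs Helm and then ends, so the `release: published` trigger no longer packages or publishes a chart at all; if the push step is coming in a later change, this workflow should say so in a comment (`# TODO: helm package + helm push to OCI registry`) rather than run as a silent no-op. When that step is added it will need `packages: write` on the job (currently only `contents: read`), and `${{ secrets.GITHUB_TOKEN }}` is sufficient for ghcr.io, so the removed `GHUB_TOKEN` PAT should not come back. Dropping the `token:`/`version: 'latest'` inputs on `azure/setup-helm` is a good move, since the action's pinned default is now used instead of a floating release. Note that with `helm-validate.yml` deleted and `build.yml` ignoring `charts/**`, nothing on this page runs `helm lint` any more; reinstating the two lint lines here or in `build.yml` keeps chart regressions from reaching a release.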
@@ -1,32 +0,0 @@ -name: Validate Charts - -permissions: - contents: read - -on: - push: - branches: ['develop'] - pull_request: - branches: ['develop'] - paths: - - 'charts/**' - types: - - opened - - ready_for_review - - reopened - - synchronize - -jobs: - release: - runs-on: ubuntu-latest - steps: - - name: Checkout - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7 - with: - fetch-depth: 0 - - name: Lint - run: | - helm lint ./charts/konfirm - helm lint ./charts/konfirm/charts/konfirm-validate - - diff --git a/Dockerfile b/Dockerfile index f8c7208..7d14fc6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,11 +1,13 @@ -FROM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build +FROM --platform=$BUILDPLATFORM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build WORKDIR /go/src COPY go.mod go.sum ./ RUN go mod download COPY . ./ -RUN CGO_ENABLED=0 go build -o konfirm . +ARG GOOS=${TARGETOS} +ARG GOARCH=${TARGETARCH} +RUN go build -o konfirm . -FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a COPY --from=build --chown=0:0 /go/src/konfirm /usr/local/bin/ USER 1001 ENTRYPOINT ["/usr/local/bin/konfirm"] diff --git a/Makefile b/Makefile index 7f8d6e8..d220481 100644 --- a/Makefile +++ b/Makefile 
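Review bot: The runtime stage now reads `FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro…`, which pins the final image's base to the build host's platform; in the `linux/amd64,linux/arm64` build that `docker-build.yml` runs, the arm64 variant would presumably get an amd64 ubi-micro layer under an arm64 binary. `--platform=$BUILDPLATFORM` belongs only on the `build` stage; the final `FROM` should be left bare so it resolves to `TARGETPLATFORM`. Dropping `CGO_ENABLED=0` also means the native-arch build may link against glibc while the cross-compiled one is static, so keep it explicit: `RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o konfirm .`. The automatic platform args are global-scope; the documented way to use them inside a stage is to redeclare them (`ARG TARGETOS TARGETARCH`) rather than `ARG GOOS=${TARGETOS}` — confirm the current form actually expands to a non-empty value in your builder.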
@@ -1,15 +1,16 @@ VERSION ?= $(shell cat VERSION) -IMG ?= rafttech/konfirm:latest -IMG_VERSION = rafttech/konfirm:v$(VERSION) -E2E_IMG ?= rafttech/konfirm-e2e:latest -E2E_IMG_VERSION ?= rafttech/konfirm-e2e:v$(VERSION) -MOCK_IMG ?= rafttech/konfirm-mock:latest -MOCK_IMG_VERSION ?= rafttech/konfirm-mock:v$(VERSION) +IMAGE_REGISTRY ?= ghcr.io/raft-tech/konfirm +IMAGE ?= $(IMAGE_REGISTRY)/controller +IMAGE_VERSION = $(IMAGE):$(VERSION) +E2E_IMAGE ?= $(IMAGE_REGISTRY)/controller-e2e +E2E_IMAGE_VERSION ?= $(E2E_IMAGE):$(VERSION) +MOCK_IMAGE ?= $(IMAGE_REGISTRY)/mock-inspection +MOCK_IMAGE_VERSION ?= $(MOCK_IMAGE):$(VERSION) ENVTEST ?= $(BIN)/setup-envtest ENVTEST_K8S_VERSION = 1.30.0 KUBECTL ?= kubectl -KUBE_PROMETHEUS_STACK_CHART ?= https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-60.3.0/kube-prometheus-stack-60.3.0.tgz +KUBE_PROMETHEUS_STACK_CHART ?= https://github.com/prometheus-community/helm-charts/releases/download/kube-prometheus-stack-62.3.1/kube-prometheus-stack-62.3.1.tgz .PHONY: generate generate: @@ -18,7 +19,7 @@ generate: .PHONY: test test: generate vet envtest KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) --bin-dir $(BIN) -p path)" \ - go test -v ./... -coverprofile cover.out -ginkgo.label-filter="!e2e && !broken" + go test -v ./... -ginkgo.label-filter="!e2e && !broken" .PHONY: clean clean: clean-kind-cluster 
@@ -38,15 +39,15 @@ build: generate .PHONY: docker-build docker-build: - docker build -t $(IMG) -t $(IMG_VERSION) . + docker build -t $(IMAGE) -t $(IMAGE_VERSION) . .PHONY: docker-build-e2e docker-build-e2e: - docker build -f docker/e2e.dockerfile -t $(E2E_IMG) -t $(E2E_IMG_VERSION) . + docker build -f docker/e2e.dockerfile -t $(E2E_IMAGE) -t $(E2E_IMAGE_VERSION) . .PHONY: docker-build-mock docker-build-mock: - docker build -f docker/mock.dockerfile -t $(MOCK_IMG) -t $(MOCK_IMG_VERSION) . + docker build -f docker/mock.dockerfile -t $(MOCK_IMAGE) -t $(MOCK_IMAGE_VERSION) . BIN ?= $(shell pwd)/bin $(BIN): @@ -75,7 +76,7 @@ clean-kind-cluster: .PHONY: kind-load kind-load: kind-cluster docker-build docker-build-e2e docker-build-mock - kind load docker-image --name konfirm $(IMG) $(IMG_VERSION) $(E2E_IMG) $(E2E_IMG_VERSION) $(MOCK_IMG) $(MOCK_IMG_VERSION) + kind load docker-image --name konfirm $(IMAGE) $(IMAGE_VERSION) $(E2E_IMAGE) $(E2E_IMAGE_VERSION) $(MOCK_IMAGE) $(MOCK_IMAGE_VERSION) .PHONY: kind-deploy kind-deploy: kind-load kind-monitoring diff --git a/charts/konfirm/Chart.lock b/charts/konfirm/Chart.lock new file mode 100644 index 0000000..6d689b9 --- /dev/null +++ b/charts/konfirm/Chart.lock @@ -0,0 +1,6 @@ +dependencies: +- name: konfirm-validate + repository: "" + version: 0.1.0 +digest: sha256:6992bb419068aeefb304ed31d203b1df9e35cfeeb14ab046b80ab56190474dcf +generated: "2024-08-31T15:21:31.881042-07:00" diff --git a/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml b/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml index bdb6b2c..c6575b6 100644 --- a/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml +++ b/charts/konfirm/charts/konfirm-validate/templates/testsuite.yaml 
@@ -18,4 +18,4 @@ spec: spec: containers: - name: tests - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" \ No newline at end of file + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" \ No newline at end of file diff --git a/charts/konfirm/charts/konfirm-validate/values.yaml b/charts/konfirm/charts/konfirm-validate/values.yaml index cabb05f..84e1a84 100644 --- a/charts/konfirm/charts/konfirm-validate/values.yaml +++ b/charts/konfirm/charts/konfirm-validate/values.yaml @@ -1,6 +1,6 @@ image: - repository: rafttech/konfirm-e2e + repository: ghcr.io/raft-tech/konfirm/controller-e2e tag: "" schedule: "*/2 * * * *" \ No newline at end of file diff --git a/charts/konfirm/templates/deployment.yaml b/charts/konfirm/templates/deployment.yaml index 496722e..11f9487 100644 --- a/charts/konfirm/templates/deployment.yaml +++ b/charts/konfirm/templates/deployment.yaml @@ -30,7 +30,7 @@ spec: - name: {{ .Chart.Name }} securityContext: {{- toYaml .Values.securityContext | nindent 12 }} - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} ports: - name: http-healthz diff --git a/charts/konfirm/values.yaml b/charts/konfirm/values.yaml index 8858c87..d8e9468 100644 --- a/charts/konfirm/values.yaml +++ b/charts/konfirm/values.yaml @@ -2,7 +2,7 @@ replicaCount: 1 image: - repository: rafttech/konfirm + repository: ghcr.io/raft-tech/konfirm/controller pullPolicy: IfNotPresent tag: "" diff --git a/charts/mock-inspection/templates/failing.yaml b/charts/mock-inspection/templates/failing.yaml index 694fc8c..15a42d0 100644 --- a/charts/mock-inspection/templates/failing.yaml +++ b/charts/mock-inspection/templates/failing.yaml 
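Review bot: `konfirm-validate/values.yaml` now defaults to `ghcr.io/raft-tech/konfirm/controller-e2e`, but `docker-build.yml` in this patch only builds and pushes the `controller` image, so nothing on this page publishes the e2e image the chart references; either add it to the publish workflow or document that it is a local-only (kind) image. The template change to `default .Chart.AppVersion` drops the `v` prefix, which matches `metadata-action`'s `{{version}}` pattern (it strips the `v`), but `Chart.yaml` is not in the diff — if `appVersion` there still carries a `v`, the rendered reference will point at a tag the workflow never pushes; confirm and add a comment in `values.yaml` (`# tag defaults to appVersion, which must match the semver image tag without the "v"`). Since these are mutable tags, consider a `digest` value in `image:` so deployments can pin to the digest the publish job emits.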
@@ -17,6 +17,6 @@ spec: spec: containers: - name: tests - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: - fail \ No newline at end of file diff --git a/charts/mock-inspection/templates/passing.yaml b/charts/mock-inspection/templates/passing.yaml index f47273c..6bbdd0d 100644 --- a/charts/mock-inspection/templates/passing.yaml +++ b/charts/mock-inspection/templates/passing.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: tests - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: - pass \ No newline at end of file diff --git a/charts/mock-inspection/templates/random.yaml b/charts/mock-inspection/templates/random.yaml index f46873e..a44e6cd 100644 --- a/charts/mock-inspection/templates/random.yaml +++ b/charts/mock-inspection/templates/random.yaml @@ -17,6 +17,6 @@ spec: spec: containers: - name: tests - image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default (printf "v%s" .Chart.AppVersion) }}" + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" args: - random \ No newline at end of file diff --git a/charts/mock-inspection/values.yaml b/charts/mock-inspection/values.yaml index 51bb99f..e762d48 100644 --- a/charts/mock-inspection/values.yaml +++ b/charts/mock-inspection/values.yaml @@ -1,5 +1,5 @@ image: - repository: rafttech/konfirm-mock + repository: ghcr.io/raft-tech/konfirm/mock-inspection tag: "" schedule: "0/2 * * * *" diff --git a/docker/e2e.dockerfile b/docker/e2e.dockerfile index 9a520e6..77837db 100644 --- a/docker/e2e.dockerfile +++ b/docker/e2e.dockerfile 
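Review bot: `charts/mock-inspection/values.yaml` now points at `ghcr.io/raft-tech/konfirm/mock-inspection`, an image that no workflow in this patch builds or publishes (`docker-build.yml` only handles `controller`), so the chart is unusable outside the local `kind-load` path unless a publish job is added or the value is documented as local-only. The same `v`-prefix caveat applies to `mock-inspection/Chart.yaml`, which is not in the diff: `default .Chart.AppVersion` must now resolve to a tag without the leading `v` to match what `metadata-action` emits. A one-line comment above `tag: ""` (`# empty = appVersion; must equal the published semver tag`) would make the contract explicit.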
@@ -1,11 +1,13 @@ -FROM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build +FROM --platform=$BUILDPLATFORM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build WORKDIR /go/src COPY go.mod go.sum ./ RUN go mod download COPY . ./ -RUN CGO_ENABLED=0 go test -c -o konfirm-e2e ./pkg/controllers/e2e +ARG GOOS=${TARGETOS} +ARG GOARCH=${TARGETARCH} +RUN go test -c -o konfirm-e2e ./pkg/controllers/e2e -FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a COPY --from=build --chown=0:0 /go/src/konfirm-e2e /usr/local/bin/ USER 1001 ENTRYPOINT ["/usr/local/bin/konfirm-e2e"] diff --git a/docker/mock.dockerfile b/docker/mock.dockerfile index 16082ea..e5ff489 100644 --- a/docker/mock.dockerfile +++ b/docker/mock.dockerfile 
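Review bot: Same issue as the main `Dockerfile`: the final `FROM --platform=$BUILDPLATFORM … ubi-micro` stage forces the runtime base to the build host's platform, which is wrong for a multi-arch build; leave the final `FROM` without `--platform`. `CGO_ENABLED=0` was dropped from `go test -c`, so the native-arch test binary may now be dynamically linked while the cross-compiled one is static; restore it (`RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go test -c -o konfirm-e2e ./pkg/controllers/e2e`) and redeclare `ARG TARGETOS TARGETARCH` in the stage instead of `ARG GOOS=${TARGETOS}`.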
@@ -1,11 +1,13 @@ -FROM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build +FROM --platform=$BUILDPLATFORM golang:1.23.0@sha256:613a108a4a4b1dfb6923305db791a19d088f77632317cfc3446825c54fb862cd AS build WORKDIR /go/src COPY go.mod go.sum ./ RUN go mod download COPY . ./ -RUN CGO_ENABLED=0 go build -o konfirm-mock ./inspections/mock +ARG GOOS=${TARGETOS} +ARG GOARCH=${TARGETARCH} +RUN go build -o mock-inspect ./inspections/mock -FROM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a -COPY --from=build --chown=0:0 /go/src/konfirm-mock /usr/local/bin/ +FROM --platform=$BUILDPLATFORM registry.access.redhat.com/ubi9/ubi-micro:9.4-13@sha256:9dbba858e5c8821fbe1a36c376ba23b83ba00f100126f2073baa32df2c8e183a +COPY --from=build --chown=0:0 /go/src/mock-inspect /usr/local/bin/ USER 1001 -ENTRYPOINT ["/usr/local/bin/konfirm-mock"] +ENTRYPOINT ["/usr/local/bin/mock-inspect"] From b5a25fc74d5dbb010ea12b84846fbcbf35b8fe25 Mon Sep 17 00:00:00 2001 From: Dagan Henderson Date: Sat, 31 Aug 2024 17:08:18 -0700 Subject: [PATCH 2/3] Skip Docker Build on PRs --- .github/workflows/docker-build.yml | 8 -------- 1 file changed, 8 deletions(-) diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-build.yml index 997a179..0c57865 100644 --- a/.github/workflows/docker-build.yml +++ b/.github/workflows/docker-build.yml @@ -6,14 +6,6 @@ on: workflow_dispatch: push: branches: [ 'develop' ] - pull_request: - branches: - - 'develop' - types: - - opened - - ready_for_review - - reopened - - synchronize release: types: [ 'published' ] From 0992a34bade60dcba6031d32b8af0a1ca8ccb7a6 Mon Sep 17 00:00:00 2001 From: Dagan Henderson Date: Sat, 31 Aug 2024 17:13:17 -0700 Subject: [PATCH 3/3] Fail Trivy scan on fixed vulns --- .github/workflows/build.yml | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
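Review bot: Same multi-arch problem as the other two Dockerfiles: `FROM --platform=$BUILDPLATFORM … ubi-micro` on the runtime stage ties the base layer to the build host rather than the target platform, and `CGO_ENABLED=0` was dropped, so restore `RUN CGO_ENABLED=0 GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o mock-inspect ./inspections/mock` with `ARG TARGETOS TARGETARCH` declared in the stage, and remove `--platform` from the final `FROM`. The binary rename to `mock-inspect` changes `ENTRYPOINT`, so any chart `command:` override or docs that still name `konfirm-mock` need updating; the mock-inspection templates on this page only pass `args`, so they look unaffected.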
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 04cc6c5..951dabb 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -69,14 +69,9 @@ jobs: with: scan-type: 'image' scanners: 'vuln' + format: 'table' image-ref: 'ghcr.io/raft-tech/konfirm/controller' ignore-unfixed: 'true' - limit-severities-for-sarif: true - output: 'trivy-results.sarif' - format: 'sarif' severity: 'MEDIUM,HIGH,CRITICAL' vuln-type: 'os,library' - - name: Upload scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@4dd16135b69a43b6c8efb853346f8437d92d3c93 # v3.26.6 - with: - sarif_file: 'trivy-results.sarif' + exit-code: 1
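Review bot: With the SARIF upload step removed, the `Build` job's `security-events: write` permission (granted in the earlier hunk of this file) is no longer used by anything and should be dropped to keep the job at `contents: read`. Failing the build on fixable MEDIUM+ findings is a good gate, but switching to `format: 'table'` means results no longer reach the Security tab at all; if you want both, keep this step as the gate and add a second Trivy step with `format: 'sarif'`, `exit-code: 0` and the `upload-sarif` step, which would then justify the permission. `image-ref` still has no tag, so Trivy scans `:latest`; make that explicit so the gate cannot silently scan a pulled registry image instead of the one `make docker-build` just produced.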