Merge branch 'main' into bug/3026/checkov-CKV2_GHA_1 #1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
######################### | |
######################### | |
## Deploy Docker Image ## | |
######################### | |
######################### | |
# | |
# Documentation: | |
# https://help.github.com/en/articles/workflow-syntax-for-github-actions | |
# | |
####################################### | |
# Start the job on all push to main # | |
####################################### | |
############################# | |
# Start the job on all push # | |
############################# | |
name: "Build & Deploy - DEV" | |
on: | |
push: | |
branches-ignore: | |
- main | |
paths-ignore: | |
- .github/CONTRIBUTING.md | |
- CHANGELOG.md | |
- README.md | |
- .github/workflows/slash-command-dispatch.yml | |
- .github/workflows/help-command.yml | |
- .github/workflows/build-command.yml | |
pull_request: | |
branches-ignore: [] | |
paths-ignore: | |
- .github/CONTRIBUTING.md | |
- CHANGELOG.md | |
- README.md | |
- .github/workflows/slash-command-dispatch.yml | |
- .github/workflows/help-command.yml | |
- .github/workflows/build-command.yml | |
############### | |
# Set the Job # | |
############### | |
concurrency: | |
group: ${{ github.ref_name }}-${{ github.workflow }} | |
cancel-in-progress: true | |
jobs: | |
build: | |
# Name the Job | |
name: Tests + Deploy Docker Image - DEV | |
# Set the agent to run on | |
runs-on: ubuntu-latest | |
permissions: read-all | |
# Prevent duplicate run from happening when a forked push is committed | |
if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) && !contains(github.event.head_commit.message, 'skip deploy') | |
# Set max build time for the job | |
timeout-minutes: 120 | |
################## | |
# Load all steps # | |
################## | |
steps: | |
########################## | |
# Checkout the code base # | |
########################## | |
- name: Checkout Code | |
uses: actions/checkout@v4 | |
####################### | |
# Docker Buildx setup # | |
####################### | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
######################## | |
# Get the current date # | |
######################## | |
- name: Get current date | |
run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >>"$GITHUB_ENV" | |
######################## | |
# Build image tag name # | |
######################## | |
- name: Build image tag name | |
id: image_tag | |
run: | | |
BRANCH_NAME="${GITHUB_REF##*/}" | |
TAG="test-${{ github.actor }}-${BRANCH_NAME}" | |
echo "Tag name: ${TAG}" | |
echo "tag=${TAG}" >>"$GITHUB_OUTPUT" | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
# Free disk space | |
- name: Free Disk space | |
shell: bash | |
run: | | |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android | |
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET | |
################################### | |
# Build image locally for testing # | |
################################### | |
- name: Build MegaLinter Docker Image (quick) | |
if: "contains(github.event.head_commit.message, 'quick build')" | |
id: docker_build_quick | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: Dockerfile-quick | |
platforms: linux/amd64 | |
build-args: | | |
BUILD_DATE=${{ env.BUILD_DATE }} | |
BUILD_REVISION=${{ github.sha }} | |
BUILD_VERSION=${{ steps.image_tag.outputs.tag }} | |
MEGA_LINTER_BASE_IMAGE="oxsecurity/megalinter:beta" | |
load: true | |
push: false | |
secrets: | | |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
tags: | | |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }} | |
timeout-minutes: 90 | |
####################################### | |
# Build image (full for forked repos) # | |
####################################### | |
- name: Build MegaLinter Docker Image (full from forks) | |
if: | | |
( | |
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) || | |
(github.event_name == 'push' && github.repository != 'oxsecurity/megalinter') | |
) | |
&& | |
!contains(github.event.head_commit.message, 'quick build') | |
id: docker_build | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: Dockerfile | |
platforms: linux/amd64 | |
build-args: | | |
BUILD_DATE=${{ env.BUILD_DATE }} | |
BUILD_REVISION=${{ github.sha }} | |
BUILD_VERSION=${{ steps.image_tag.outputs.tag }} | |
load: true | |
push: false | |
secrets: | | |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
tags: | | |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }} | |
timeout-minutes: 90 | |
#################################### | |
# Build image (full for main repo) # | |
#################################### | |
- name: Build MegaLinter Docker Image (full from main repo) & push | |
if: | | |
( | |
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) || | |
(github.event_name == 'push' && github.repository == 'oxsecurity/megalinter') | |
) | |
&& | |
!contains(github.event.head_commit.message, 'quick build') | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
file: Dockerfile | |
platforms: linux/amd64 | |
build-args: | | |
BUILD_DATE=${{ env.BUILD_DATE }} | |
BUILD_REVISION=${{ github.sha }} | |
BUILD_VERSION=${{ steps.image_tag.outputs.tag }} | |
load: true | |
push: false | |
secrets: | | |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} | |
tags: | | |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }} | |
# Clean docker build cache | |
- name: Clean docker buildx cache | |
run: docker buildx prune --force | |
##################################### | |
# Run Linter test cases # | |
##################################### | |
- name: Run Test Cases | |
shell: bash | |
run: | | |
GITHUB_REPOSITORY=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.event.pull_request.head.repo.full_name }}" || echo "${{ github.repository }}") | |
GITHUB_BRANCH=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.head_ref }}" || echo "${{ github.ref_name }}") | |
export CI_ENV="$(bash <(curl -s https://codecov.io/env)) -e GITHUB_ACTIONS" | |
TEST_KEYWORDS_TO_USE="" | |
if [[ "${{ github.event.head_commit.message }}" == *"TEST_KEYWORDS="* ]]; then | |
COMMIT_MSG="${{ github.event.head_commit.message }}" | |
TEST_KEYWORDS_TO_USE=${COMMIT_MSG#*TEST_KEYWORDS=} | |
echo "Run only tests with keywords ${TEST_KEYWORDS_TO_USE}" | |
if [[ "${TEST_KEYWORDS_TO_USE}" =~ $'\r' ]]; then | |
echo "Problem while parsing test keywords: switch back to all tests" | |
TEST_KEYWORDS_TO_USE="" | |
fi | |
fi | |
docker image ls | |
docker run $CI_ENV -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} -e GITHUB_BRANCH=${GITHUB_BRANCH} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e TEST_KEYWORDS="${TEST_KEYWORDS_TO_USE}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }} | |
timeout-minutes: 90 | |
##################################### | |
# Run Linter against ALL code base # | |
##################################### | |
- name: Run against all code base | |
if: "!contains(github.event.head_commit.message, 'quick build')" | |
shell: bash | |
run: docker run -e GITHUB_REPOSITORY="${{ github.repository }}" -e GITHUB_SHA="${{ github.sha }}" -e GITHUB_TOKEN="${{ github.token }}" -e GITHUB_RUN_ID="${{ github.run_id }}" -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }} | |
timeout-minutes: 15 | |
# Upload MegaLinter artifacts | |
- name: Archive production artifacts | |
if: success() || failure() | |
uses: actions/upload-artifact@v3 | |
with: | |
name: MegaLinter reports | |
path: | | |
megalinter-reports | |
mega-linter.log | |
linter-helps.json | |
linter-versions.json | |
- name: debug | |
if: success() || failure() | |
run: echo ${{ steps.docker_build.outcome }} | |
# Clean disk space | |
- name: Clear disk space | |
run: | | |
sudo rm -rf /opt/ghc | |
sudo rm -rf "$AGENT_TOOLSDIRECTORY" | |
sudo swapoff -a || true | |
sudo rm -f /swapfile || true | |
sudo apt clean || true | |
# Test mega-linter-runner with newly created image | |
- name: Setup Node | |
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build') | |
uses: actions/[email protected] | |
with: | |
node-version: "18.x" | |
- name: Install NPM dependencies | |
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build') | |
run: cd mega-linter-runner && sudo yarn install --frozen-lockfile && sudo npm link | |
- name: Run mega-linter-runner tests | |
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build') | |
run: cd mega-linter-runner && MEGALINTER_RELEASE=${{ steps.image_tag.outputs.tag }} MEGALINTER_NO_DOCKER_PULL=true npm run test | |
# - name: free disk space | |
# run: | | |
# sudo swapoff -a || true | |
# sudo rm -f /swapfile || true | |
# sudo apt clean || true | |
# ############################################## | |
# # Check Docker image security with Trivy # | |
# ############################################## | |
# - name: Run Trivy vulnerability scanner | |
# uses: aquasecurity/trivy-action@master | |
# with: | |
# image-ref: "docker.io/oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}" | |
# format: 'table' | |
# exit-code: '1' | |
# ignore-unfixed: true | |
# scanners: vuln | |
# vuln-type: 'os,library' | |
# severity: 'CRITICAL,HIGH' | |
# timeout: 15m0s |