Skip to content

Merge branch 'main' into bug/3026/checkov-CKV2_GHA_1 #1

Merge branch 'main' into bug/3026/checkov-CKV2_GHA_1

Merge branch 'main' into bug/3026/checkov-CKV2_GHA_1 #1

Workflow file for this run

---
#########################
#########################
## Deploy Docker Image ##
#########################
#########################
#
# Documentation:
# https://help.github.com/en/articles/workflow-syntax-for-github-actions
#
#######################################
# Start the job on all push to main #
#######################################
#############################
# Start the job on all push #
#############################
name: "Build & Deploy - DEV"
on:
push:
branches-ignore:
- main
paths-ignore:
- .github/CONTRIBUTING.md
- CHANGELOG.md
- README.md
- .github/workflows/slash-command-dispatch.yml
- .github/workflows/help-command.yml
- .github/workflows/build-command.yml
pull_request:
branches-ignore: []
paths-ignore:
- .github/CONTRIBUTING.md
- CHANGELOG.md
- README.md
- .github/workflows/slash-command-dispatch.yml
- .github/workflows/help-command.yml
- .github/workflows/build-command.yml
###############
# Set the Job #
###############
concurrency:
group: ${{ github.ref_name }}-${{ github.workflow }}
cancel-in-progress: true
jobs:
build:
# Name the Job
name: Tests + Deploy Docker Image - DEV
# Set the agent to run on
runs-on: ubuntu-latest
permissions: read-all
# Prevent duplicate run from happening when a forked push is committed
if: (github.event_name == 'push' || github.event.pull_request.head.repo.full_name != github.repository) && !contains(github.event.head_commit.message, 'skip deploy')
# Set max build time for the job
timeout-minutes: 120
##################
# Load all steps #
##################
steps:
##########################
# Checkout the code base #
##########################
- name: Checkout Code
uses: actions/checkout@v4
#######################
# Docker Buildx setup #
#######################
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
########################
# Get the current date #
########################
- name: Get current date
run: echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >>"$GITHUB_ENV"
########################
# Build image tag name #
########################
- name: Build image tag name
id: image_tag
run: |
BRANCH_NAME="${GITHUB_REF##*/}"
TAG="test-${{ github.actor }}-${BRANCH_NAME}"
echo "Tag name: ${TAG}"
echo "tag=${TAG}" >>"$GITHUB_OUTPUT"
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
# Free disk space
- name: Free Disk space
shell: bash
run: |
sudo rm -rf /usr/local/lib/android # will release about 10 GB if you don't need Android
sudo rm -rf /usr/share/dotnet # will release about 20GB if you don't need .NET
###################################
# Build image locally for testing #
###################################
- name: Build MegaLinter Docker Image (quick)
if: "contains(github.event.head_commit.message, 'quick build')"
id: docker_build_quick
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile-quick
platforms: linux/amd64
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=${{ steps.image_tag.outputs.tag }}
MEGA_LINTER_BASE_IMAGE="oxsecurity/megalinter:beta"
load: true
push: false
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}
timeout-minutes: 90
#######################################
# Build image (full for forked repos) #
#######################################
- name: Build MegaLinter Docker Image (full from forks)
if: |
(
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name != github.repository) ||
(github.event_name == 'push' && github.repository != 'oxsecurity/megalinter')
)
&&
!contains(github.event.head_commit.message, 'quick build')
id: docker_build
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile
platforms: linux/amd64
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=${{ steps.image_tag.outputs.tag }}
load: true
push: false
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}
timeout-minutes: 90
####################################
# Build image (full for main repo) #
####################################
- name: Build MegaLinter Docker Image (full from main repo) & push
if: |
(
(github.event_name == 'pull_request' && github.event.pull_request.head.repo.full_name == github.repository) ||
(github.event_name == 'push' && github.repository == 'oxsecurity/megalinter')
)
&&
!contains(github.event.head_commit.message, 'quick build')
uses: docker/build-push-action@v5
with:
context: .
file: Dockerfile
platforms: linux/amd64
build-args: |
BUILD_DATE=${{ env.BUILD_DATE }}
BUILD_REVISION=${{ github.sha }}
BUILD_VERSION=${{ steps.image_tag.outputs.tag }}
load: true
push: false
secrets: |
GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }}
tags: |
oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}
# Clean docker build cache
- name: Clean docker buildx cache
run: docker buildx prune --force
#####################################
# Run Linter test cases #
#####################################
- name: Run Test Cases
shell: bash
run: |
GITHUB_REPOSITORY=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.event.pull_request.head.repo.full_name }}" || echo "${{ github.repository }}")
GITHUB_BRANCH=$([ "${{ github.event_name }}" == "pull_request" ] && echo "${{ github.head_ref }}" || echo "${{ github.ref_name }}")
export CI_ENV="$(bash <(curl -s https://codecov.io/env)) -e GITHUB_ACTIONS"
TEST_KEYWORDS_TO_USE=""
if [[ "${{ github.event.head_commit.message }}" == *"TEST_KEYWORDS="* ]]; then
COMMIT_MSG="${{ github.event.head_commit.message }}"
TEST_KEYWORDS_TO_USE=${COMMIT_MSG#*TEST_KEYWORDS=}
echo "Run only tests with keywords ${TEST_KEYWORDS_TO_USE}"
if [[ "${TEST_KEYWORDS_TO_USE}" =~ $'\r' ]]; then
echo "Problem while parsing test keywords: switch back to all tests"
TEST_KEYWORDS_TO_USE=""
fi
fi
docker image ls
docker run $CI_ENV -e TEST_CASE_RUN=true -e OUTPUT_FORMAT=text -e OUTPUT_FOLDER=${{ github.sha }} -e OUTPUT_DETAIL=detailed -e GITHUB_SHA=${{ github.sha }} -e GITHUB_REPOSITORY=${GITHUB_REPOSITORY} -e GITHUB_BRANCH=${GITHUB_BRANCH} -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -e TEST_KEYWORDS="${TEST_KEYWORDS_TO_USE}" -e MEGALINTER_VOLUME_ROOT="${GITHUB_WORKSPACE}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}
timeout-minutes: 90
#####################################
# Run Linter against ALL code base #
#####################################
- name: Run against all code base
if: "!contains(github.event.head_commit.message, 'quick build')"
shell: bash
run: docker run -e GITHUB_REPOSITORY="${{ github.repository }}" -e GITHUB_SHA="${{ github.sha }}" -e GITHUB_TOKEN="${{ github.token }}" -e GITHUB_RUN_ID="${{ github.run_id }}" -e GITHUB_TOKEN="${{ secrets.GITHUB_TOKEN }}" -v "/var/run/docker.sock:/var/run/docker.sock:rw" -v ${GITHUB_WORKSPACE}:/tmp/lint oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}
timeout-minutes: 15
# Upload MegaLinter artifacts
- name: Archive production artifacts
if: success() || failure()
uses: actions/upload-artifact@v3
with:
name: MegaLinter reports
path: |
megalinter-reports
mega-linter.log
linter-helps.json
linter-versions.json
- name: debug
if: success() || failure()
run: echo ${{ steps.docker_build.outcome }}
# Clean disk space
- name: Clear disk space
run: |
sudo rm -rf /opt/ghc
sudo rm -rf "$AGENT_TOOLSDIRECTORY"
sudo swapoff -a || true
sudo rm -f /swapfile || true
sudo apt clean || true
# Test mega-linter-runner with newly created image
- name: Setup Node
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build')
uses: actions/[email protected]
with:
node-version: "18.x"
- name: Install NPM dependencies
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build')
run: cd mega-linter-runner && sudo yarn install --frozen-lockfile && sudo npm link
- name: Run mega-linter-runner tests
if: ${{ steps.docker_build.outcome }} == 'success' && !contains(github.event.head_commit.message, 'quick build')
run: cd mega-linter-runner && MEGALINTER_RELEASE=${{ steps.image_tag.outputs.tag }} MEGALINTER_NO_DOCKER_PULL=true npm run test
# - name: free disk space
# run: |
# sudo swapoff -a || true
# sudo rm -f /swapfile || true
# sudo apt clean || true
# ##############################################
# # Check Docker image security with Trivy #
# ##############################################
# - name: Run Trivy vulnerability scanner
# uses: aquasecurity/trivy-action@master
# with:
# image-ref: "docker.io/oxsecurity/megalinter:${{ steps.image_tag.outputs.tag }}"
# format: 'table'
# exit-code: '1'
# ignore-unfixed: true
# scanners: vuln
# vuln-type: 'os,library'
# severity: 'CRITICAL,HIGH'
# timeout: 15m0s