Bump aquasecurity/trivy-action from 0.15.0 to 0.16.0 #3556
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Continuous Integration | |
| on: | |
| push: | |
| branches: | |
| - main | |
| - release-* | |
| tags: | |
| - "v[0-9]+.[0-9]+.[0-9]+*" | |
| pull_request: | |
| defaults: | |
| run: | |
| shell: bash | |
| concurrency: | |
| group: ${{ github.ref_name }}-ci | |
| cancel-in-progress: true | |
| env: | |
| platforms: "linux/arm64, linux/amd64" | |
| permissions: | |
| contents: read | |
| jobs: | |
| vars: | |
| name: Checks and variables | |
| runs-on: ubuntu-22.04 | |
| outputs: | |
| go_path: ${{ steps.vars.outputs.go_path }} | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: stable | |
| - name: Output Variables | |
| id: vars | |
| run: echo "go_path=$(go env GOPATH)" >> $GITHUB_OUTPUT | |
| - name: Check if go.mod and go.sum are up to date | |
| run: go mod tidy && git diff --exit-code -- go.mod go.sum | |
| - name: Check if generated go files are up to date | |
| run: make generate && git diff --exit-code | |
| - name: Check if generated CRDs and types are up to date | |
| run: make generate-crds && git diff --exit-code | |
| - name: Check if generated manifests are up to date | |
| run: make generate-manifests && git diff --exit-code | |
| unit-tests: | |
| name: Unit Tests | |
| runs-on: ubuntu-22.04 | |
| needs: vars | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: stable | |
| - name: Run Tests | |
| run: make unit-test | |
| - name: Upload Coverage Report | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| with: | |
| name: cover-${{ github.run_id }}.html | |
| path: ${{ github.workspace }}/cover.html | |
| if: always() | |
| njs-unit-tests: | |
| name: NJS Unit Tests | |
| runs-on: ubuntu-22.04 | |
| needs: vars | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Setup Node.js Environment | |
| uses: actions/setup-node@8f152de45cc393bb48ce5d89d36b731f54556e65 # v4.0.0 | |
| with: | |
| node-version: 18 | |
| - run: npm --prefix ${{ github.workspace }}/internal/mode/static/nginx/modules install-ci-test | |
| binary: | |
| name: Build Binary | |
| runs-on: ubuntu-22.04 | |
| needs: [vars, unit-tests, njs-unit-tests] | |
| permissions: | |
| contents: write # for goreleaser/goreleaser-action and lucacome/draft-release to create/update releases | |
| id-token: write # for goreleaser/goreleaser-action to sign artifacts | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| with: | |
| fetch-depth: 0 | |
| - name: Setup Golang Environment | |
| uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491 # v5.0.0 | |
| with: | |
| go-version: stable | |
| - name: Create/Update Draft | |
| uses: lucacome/draft-release@785af55296512c907875513e397320ae3f1306bb # v1.0.1 | |
| with: | |
| minor-label: "enhancement" | |
| major-label: "change" | |
| publish: ${{ github.ref_type == 'tag' }} | |
| collapse-after: 20 | |
| notes-header: | | |
| *Below is the auto-generated changelog, which includes all PRs that went into the release. | |
| For a shorter version that highlights only important changes, see [CHANGELOG.md](https://github.com/nginxinc/nginx-gateway-fabric/blob/{{version}}/CHANGELOG.md).* | |
| if: ${{ github.event_name == 'push' && github.ref != 'refs/heads/main' }} | |
| - name: Download Syft | |
| uses: anchore/sbom-action/download-syft@5ecf649a417b8ae17dc8383dc32d46c03f2312df # v0.15.1 | |
| if: github.ref_type == 'tag' | |
| - name: Install Cosign | |
| uses: sigstore/cosign-installer@9614fae9e5c5eddabb09f90a270fcb487c9f7149 # v3.3.0 | |
| if: github.ref_type == 'tag' | |
| - name: Build binary | |
| uses: goreleaser/goreleaser-action@7ec5c2b0c6cdda6e8bbb49444bc797dd33d74dd8 # v5.0.0 | |
| with: | |
| version: latest | |
| args: ${{ github.ref_type == 'tag' && 'release' || 'build --snapshot' }} --clean | |
| env: | |
| GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
| GOPATH: ${{ needs.vars.outputs.go_path }} | |
| AZURE_STORAGE_ACCOUNT: ${{ secrets.AZURE_STORAGE_ACCOUNT }} | |
| AZURE_STORAGE_KEY: ${{ secrets.AZURE_STORAGE_KEY }} | |
| AZURE_BUCKET_NAME: ${{ secrets.AZURE_BUCKET_NAME }} | |
| SLACK_WEBHOOK: ${{ secrets.SLACK_WEBHOOK_COMMUNITY }} | |
| - name: Cache Artifacts | |
| uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| helm-tests: | |
| name: Helm Tests | |
| runs-on: ubuntu-22.04 | |
| needs: [vars, binary] | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Fetch Cached Artifacts | |
| uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| - name: Docker Buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| - name: NGF Docker meta | |
| id: ngf-meta | |
| uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0 | |
| with: | |
| images: | | |
| name=ghcr.io/nginxinc/nginx-gateway-fabric | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=edge | |
| type=ref,event=pr | |
| type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} | |
| - name: NGINX Docker meta | |
| id: nginx-meta | |
| uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0 | |
| with: | |
| images: | | |
| name=ghcr.io/nginxinc/nginx-gateway-fabric/nginx | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=edge | |
| type=ref,event=pr | |
| type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} | |
| - name: Build NGF Docker Image | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
| with: | |
| file: build/Dockerfile | |
| tags: ${{ steps.ngf-meta.outputs.tags }} | |
| context: "." | |
| target: goreleaser | |
| load: true | |
| cache-from: type=gha,scope=ngf | |
| cache-to: type=gha,scope=ngf,mode=max | |
| pull: true | |
| - name: Build NGINX Docker Image | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
| with: | |
| file: build/Dockerfile.nginx | |
| tags: ${{ steps.nginx-meta.outputs.tags }} | |
| context: "." | |
| load: true | |
| cache-from: type=gha,scope=nginx | |
| cache-to: type=gha,scope=nginx,mode=max | |
| pull: true | |
| build-args: | | |
| NJS_DIR=internal/mode/static/nginx/modules/src | |
| NGINX_CONF_DIR=internal/mode/static/nginx/conf | |
| - name: Deploy Kubernetes | |
| id: k8s | |
| run: | | |
| kube_config=${{ github.workspace }}/deploy/helm-chart/kube-${{ github.run_id }}-helm | |
| make create-kind-cluster KIND_KUBE_CONFIG=${kube_config} | |
| echo "KUBECONFIG=${kube_config}" >> "$GITHUB_ENV" | |
| kind load docker-image ghcr.io/nginxinc/nginx-gateway-fabric:${{ steps.ngf-meta.outputs.version }} ghcr.io/nginxinc/nginx-gateway-fabric/nginx:${{ steps.nginx-meta.outputs.version }} | |
| kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml | |
| - name: Install Chart | |
| run: > | |
| helm install | |
| helm-$(echo ${{ steps.ngf-meta.outputs.version }} | tr '.' '-') | |
| . | |
| --wait | |
| --create-namespace | |
| --set nginxGateway.image.repository=ghcr.io/nginxinc/nginx-gateway-fabric | |
| --set nginxGateway.image.tag=${{ steps.ngf-meta.outputs.version }} | |
| --set nginxGateway.image.pullPolicy=Never | |
| --set nginx.image.repository=ghcr.io/nginxinc/nginx-gateway-fabric/nginx | |
| --set nginx.image.tag=${{ steps.nginx-meta.outputs.version }} | |
| --set nginx.image.pullPolicy=Never | |
| --set service.type=NodePort | |
| -n nginx-gateway | |
| working-directory: ${{ github.workspace }}/deploy/helm-chart | |
| build: | |
| name: Build Image | |
| runs-on: ubuntu-22.04 | |
| needs: [vars, binary] | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| container: [ngf, nginx] | |
| permissions: | |
| contents: read # for docker/build-push-action to read repo content | |
| security-events: write # for github/codeql-action/upload-sarif to upload SARIF results | |
| packages: write # for docker/build-push-action to push to GHCR | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Fetch Cached Artifacts | |
| uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2 | |
| with: | |
| path: ${{ github.workspace }}/dist | |
| key: nginx-gateway-fabric-${{ github.run_id }}-${{ github.run_number }} | |
| - name: Docker Buildx | |
| uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0 | |
| - name: Setup QEMU | |
| uses: docker/setup-qemu-action@68827325e0b33c7199eb31dd4e31fbe9023e06e3 # v3.0.0 | |
| with: | |
| platforms: arm64 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| if: ${{ github.event_name != 'pull_request' }} | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Docker meta | |
| id: meta | |
| uses: docker/metadata-action@31cebacef4805868f9ce9a0cb03ee36c32df2ac4 # v5.3.0 | |
| with: | |
| images: | | |
| name=ghcr.io/nginxinc/nginx-gateway-fabric${{ matrix.container == 'nginx' && '/nginx' || '' }} | |
| tags: | | |
| type=semver,pattern={{version}} | |
| type=edge | |
| type=ref,event=pr | |
| type=ref,event=branch,suffix=-rc,enable=${{ startsWith(github.ref, 'refs/heads/release') }} | |
| - name: Build Docker Image | |
| uses: docker/build-push-action@4a13e500e55cf31b7a5d59a38ab2040ab0f42f56 # v5.1.0 | |
| with: | |
| file: ${{ matrix.container == 'nginx' && 'build/Dockerfile.nginx' || 'build/Dockerfile' }} | |
| context: "." | |
| target: ${{ matrix.container == 'ngf' && 'goreleaser' || '' }} | |
| tags: ${{ steps.meta.outputs.tags }} | |
| labels: ${{ steps.meta.outputs.labels }} | |
| load: ${{ github.event_name == 'pull_request' }} | |
| push: ${{ github.event_name != 'pull_request' }} | |
| platforms: ${{ github.event_name != 'pull_request' && env.platforms || '' }} | |
| cache-from: type=gha,scope=${{ matrix.container }} | |
| cache-to: type=gha,scope=${{ matrix.container }},mode=max | |
| pull: true | |
| no-cache: ${{ github.event_name != 'pull_request' }} | |
| sbom: ${{ github.event_name != 'pull_request' }} | |
| provenance: false | |
| build-args: | | |
| NJS_DIR=internal/mode/static/nginx/modules/src | |
| NGINX_CONF_DIR=internal/mode/static/nginx/conf | |
| - name: Run Trivy vulnerability scanner | |
| uses: aquasecurity/trivy-action@91713af97dc80187565512baba96e4364e983601 # 0.16.0 | |
| continue-on-error: true | |
| with: | |
| image-ref: ghcr.io/nginxinc/nginx-gateway-fabric${{ matrix.container == 'nginx' && '/nginx' || '' }}:${{ steps.meta.outputs.version }} | |
| format: "sarif" | |
| output: trivy-results-nginx-gateway-fabric${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif | |
| ignore-unfixed: "true" | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| uses: github/codeql-action/upload-sarif@c0d1daa7f7e14667747d73a7dbbe8c074bc8bfe2 # v2.22.9 | |
| continue-on-error: true | |
| with: | |
| sarif_file: trivy-results-nginx-gateway-fabric${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif | |
| - name: Upload Scan Results | |
| uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3 | |
| continue-on-error: true | |
| with: | |
| name: trivy-results-nginx-gateway-fabric${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif | |
| path: trivy-results-nginx-gateway-fabric${{ matrix.container == 'nginx' && '-nginx' || '' }}.sarif | |
| if: always() | |
| publish-helm: | |
| name: Package and Publish Helm Chart | |
| runs-on: ubuntu-22.04 | |
| needs: [vars, helm-tests] | |
| if: ${{ github.event_name == 'push' && ! startsWith(github.ref, 'refs/heads/release-') }} | |
| permissions: | |
| contents: read | |
| packages: write # for helm to push to GHCR | |
| steps: | |
| - name: Checkout Repository | |
| uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 | |
| - name: Login to GitHub Container Registry | |
| uses: docker/login-action@343f7c4344506bcbf9b4de18042ae17996df046d # v3.0.0 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Package | |
| id: package | |
| run: | | |
| output=$(helm package ${{ github.ref_type != 'tag' && '--app-version edge --version 0.0.0-edge' || '' }} deploy/helm-chart) | |
| echo "path=$(basename -- $(echo $output | cut -d: -f2))" >> $GITHUB_OUTPUT | |
| - name: Push to GitHub Container Registry | |
| run: | | |
| helm push ${{ steps.package.outputs.path }} oci://ghcr.io/nginxinc/charts |