wip: enabled portage code scan and debugging deployment job

sflanker · sflanker · commit d9e0e67b29dd · 2025-02-22T11:44:41.000-10:00
diff --git a/.github/workflows/code-scan.yml b/.github/workflows/code-scan.yml
@@ -0,0 +1,25 @@
+name: Scan gatecheck
+run-name: "Scan the gatecheck codebase"
+permissions:
+  contents: read
+  checks: write
+  packages: write
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - '*main'
+      - 'debug-*'
+    tags: [ '*' ]
+  pull_request:
+    branches:
+      - main
+jobs:
+  code_scan:
+    runs-on: ubuntu-latest
+    name: Portage Code Scan
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Run Portage CD Scans
+        uses: easy-up/portage-cd-actions/image-build-scan-publish/docker@debug-deploy-job
diff --git a/.portage.yml b/.portage.yml
@@ -1,39 +1,42 @@
 # Base Configuration
 version: "1"
-imageTag: "ghcr.io/easy-up/gatecheck:latest"  # The full image tag for the target container image (e.g. my-org/my-app:latest)
+# gatecheck doesn't have an official Dockerfile
+# imageTag: "ghcr.io/easy-up/gatecheck:latest"  # The full image tag for the target container image (e.g. my-org/my-app:latest)
 artifactDir: "artifacts"   # Directory for generated artifacts (e.g. ./artifacts)
 gatecheckBundleFilename: "gatecheck-bundle.tar.gz"  # Filename for the gatecheck bundle (e.g. gatecheck-bundle.tar.gz)
 
-# Image Build Configuration
+# Image Build Configuration (gatecheck doesn't have an official Dockerfile)
 imageBuild:
   enabled: false           # Enable/Disable the image build pipeline (true/false)
-  buildDir: "."          # Build directory for image (e.g. ./cmd/portage)
+  buildDir: "."            # Build directory for image (e.g. ./cmd/portage)
   dockerfile: "Dockerfile" # Dockerfile to use (e.g. ./cmd/portage/Dockerfile)
-  platform: ""           # Target platform (e.g. linux/amd64, linux/arm64)
-  target: ""            # Target stage for multi-stage builds (e.g. build, test, publish)
-  cacheTo: ""           # Cache export location (e.g. type=local,dest=path)
-  cacheFrom: ""         # Cache import location (e.g. type=local,src=path)
-  squashLayers: false   # Whether to squash layers (true/false)
-  args: {}              # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
+  platform: ""             # Target platform (e.g. linux/amd64, linux/arm64)
+  target: ""               # Target stage for multi-stage builds (e.g. build, test, publish)
+  cacheTo: ""              # Cache export location (e.g. type=local,dest=path)
+  cacheFrom: ""            # Cache import location (e.g. type=local,src=path)
+  squashLayers: false      # Whether to squash layers (true/false)
+  args: {}                 # Build arguments (e.g. BUILD_ARGS=--build-arg=key=value)
 
-# Image Scan Configuration
+# Image Scan Configuration (gatecheck doesn't have an official Dockerfile)
 imageScan:
-  enabled: false           # Enable/Disable the image scan pipeline (true/false)
-  syftFilename: "syft-sbom-report.json" # Filename for the syft sbom report (e.g. syft-sbom-report.json)
-  grypeConfigFilename: "" # Filename for the grype config (e.g. grype-config.json)
+  enabled: false                                        # Enable/Disable the image scan pipeline (true/false)
+  syftFilename: "syft-sbom-report.json"                 # Filename for the syft sbom report (e.g. syft-sbom-report.json)
+  grypeConfigFilename: ""                               # Filename for the grype config (e.g. grype-config.json)
   grypeFilename: "grype-vulnerability-report-full.json" # Filename for the grype vulnerability report (e.g. grype-vulnerability-report-full.json)
-  clamavFilename: "clamav-virus-report.txt" # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
+  clamavFilename: "clamav-virus-report.txt"             # Filename for the clamav virus report (e.g. clamav-virus-report.txt)
 
 # Code Scan Configuration
 codeScan:
-  enabled: true           # Enable/Disable the code scan pipeline (true/false)
+  enabled: true                               # Enable/Disable the code scan pipeline (true/false)
   gitleaksFilename: "gitleaks-secrets-report.json"
   gitleaksSrcDir: "."
   semgrepFilename: "semgrep-sast-report.json" # Filename for the semgrep sast report (e.g. semgrep-sast-report.json)
-  semgrepRules: "p/default" # Semgrep rules to use (e.g. p/default)
-  semgrepExperimental: false # Whether to use experimental semgrep rules (true/false)
-  coverageFile: "" #"coverage/cobertura-coverage.xml"      # Externally generated code coverage file
-  semgrepSrcDir: "."    # Target directory for semgrep scan (e.g. ./cmd/portage)
+  semgrepRules: "p/default"                   # Semgrep rules to use (e.g. p/default)
+  # This is overridden in the portage Dockerfile, but is set to false for runs on local systems
+  # where the standard Python semgrep is installed
+  semgrepExperimental: false                  # Whether to use the experimental semgrep CLI (true/false)
+  coverageFile: ""                            # "coverage/cobertura-coverage.xml" # Externally generated code coverage file
+  semgrepSrcDir: "."                          # Target directory for semgrep scan (e.g. ./cmd/portage)
 
 # Image Publish Configuration
 imagePublish:
@@ -42,9 +45,8 @@ imagePublish:
 
 # Deploy Configuration
 deploy:
-  enabled: true           # Enable/Disable the deploy pipeline (true/false).  When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
-  gatecheckConfigFilename: ".custom-gatecheck.yml"  # Filename for gatecheck config (e.g. gatecheck-config.json)
-  submit: false            # Whether to submit the artifacts to the configured API endpoint (true/false)
+  enabled: false                                   # Enable/Disable the deploy pipeline (true/false).  When true, the .gatecheck.yml file is used, otherwise the default gatecheck config is used.
+  gatecheckConfigFilename: ".custom-gatecheck.yml" # Filename for gatecheck config (e.g. gatecheck-config.json)
   successWebhooks:
-    - url: "http://localhost:5168/Build/SubmitArtifacts"  # Using the same endpoint from .custom-gatecheck.yml for consistency
+    - url: "https://belay-api.dev.holomuatech.online/Build/SubmitArtifacts"  # Using the same endpoint from .custom-gatecheck.yml for consistency
       authorizationVar: "DEPLOY_WEBHOOK_AUTH_TOKEN"  # Environment variable containing the auth token
