version-checker/.github/workflows/build-test.yaml at 54cd5acaadcf79b1df4f8dcca67423c5e20440dc · jetstack/version-checker · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
name: Test & Build
on:
  pull_request:
    branches:
      - "main"

concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Setting some default permissions for all jobs
permissions:
  contents: read
  security-events: read
  pull-requests: read
  checks: write

jobs:
  lint:
    name: Lint Go code
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Setup Golang
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod

      - name: Run golangci-lint
        uses: golangci/golangci-lint-action@1e7e51e771db61008b38414a730f564565cf7c20 # v9.2.0
        with:
          version: v2.1.0
          args: --timeout 10m --verbose --issues-exit-code=0
          only-new-issues: true

  code-scan:
    name: Code Scan
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v6

      - name: Run Trivy vulnerability scanner in repo mode
        uses: aquasecurity/trivy-action@0.35.0
        continue-on-error: true
        with:
          scan-type: "fs"
          ignore-unfixed: true
          exit-code: "1"
          format: "sarif"
          output: "trivy-results.sarif"
          severity: "CRITICAL,HIGH,MEDIUM"

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: "trivy-results.sarif"

  govulncheck:
    runs-on: ubuntu-latest
    name: Run govulncheck
    permissions:
      security-events: write
    steps:
      # We only need to checkout as govuln does the go setup...
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - id: govulncheck
        uses: golang/govulncheck-action@v1
        with:
          go-version-file: go.mod
          go-package: ./...

  test:
    name: Run unit tests for Go packages
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Setup Golang
        uses: actions/setup-go@v6
        with:
          go-version-file: go.mod

      - name: Download and required packages
        run: |
          make deps

      - name: Run all unit tests
        run: make test

      - name: check test coverage
        uses: vladopajic/go-test-coverage@v2
        with:
          config: ./.testcoverage.yml

      - name: Trigger Coverage update
        uses: ./.github/workflows/coverage-badge.yaml
        continue-on-error: true

      - name: Generate code coverage artifacts
        uses: actions/upload-artifact@v7
        with:
          name: code-coverage
          path: coverage.out

  build:
    needs:
      - test
      - lint
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        platform:
          - linux/amd64
          - linux/arm64
    name: Build Images
    steps:
      - name: Checkout code
        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0

      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3

      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
        with:
          platforms: ${{ matrix.platform }}
          driver: docker-container
          use: true

      - name: Build Images
        uses: docker/build-push-action@v6
        with:
          context: .
          platforms: ${{ matrix.platform }}
          push: false
          tags: quay.io/jetstack/version-checker:${{github.sha}}
          cache-from: type=gha
          cache-to: type=gha,mode=max
          # https://github.com/docker/buildx/issues/1714
          # Whilst trivy says it supports .tar etc, it wouldn't work in gha or locally on my machine.
          outputs: |-
            type=oci,tar=false,compression=uncompressed,dest=./.oci-image
          attests: |-
            type=sbom
            type=provenance,mode=max

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.35.0
        with:
          input: ./.oci-image
          format: "table"
          exit-code: "1"
          ignore-unfixed: true
          vuln-type: "os,library"
          severity: "CRITICAL,HIGH"

      - name: "Cleanup OCI Image from FS"
        run: rm -rf ./.oci-image