[chore] Rename pipelines and centralise the security ones (#33)

* chore: rename pipelines and centralise the security ones * should specify version when calling local workflows * missing a on.workflow_call trigger
newrelic · Nov 20, 2023 · 7ba95d5 · 7ba95d5
1 parent dcd7234
commit 7ba95d5
Show file tree

Hide file tree

Showing 6 changed files with 138 additions and 25 deletions.
diff --git a/.github/workflows/on_push_pr.yaml b/.github/workflows/on_push_pr.yaml
@@ -0,0 +1,24 @@
+name: Push/PR pipeline
+
+on:
+  push:
+    branches:
+      - main
+      - master
+      - renovate/**
+  pull_request:
+
+jobs:
+  renovate-config-validator:
+    name: Renovatebot config validator
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Install Renovatebot config validator
+        run: npm install --global renovate
+
+      - name: Test that the config is valid
+        run: |
+            find -name renovate\*.json\* -exec renovate-config-validator {} \; || renovate-config-validator
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
@@ -2,30 +2,11 @@
 # workflow_dispatch to work properly
 name: Repolinter Action
 
-# NOTE: This workflow will ONLY check the default branch!
-# Currently there is no elegant way to specify the default
-# branch in the event filtering, so branches are instead
-# filtered in the "Test Default Branch" step.
-on: [push, workflow_dispatch]
+on:
+  push:
+  workflow_dispatch:
 
 jobs:
-  repolint:
-    name: Run Repolinter
-    runs-on: ubuntu-latest
-    steps:
-      - name: Test Default Branch
-        id: default-branch
-        uses: actions/github-script@v2
-        with:
-          script: |
-            const data = await github.repos.get(context.repo)
-            return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
-      - name: Checkout Self
-        if: ${{ steps.default-branch.outputs.result == 'true' }}
-        uses: actions/checkout@v4
-      - name: Run Repolinter
-        if: ${{ steps.default-branch.outputs.result == 'true' }}
-        uses: newrelic/repolinter-action@v1
-        with:
-          config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
-          output_type: issue
+  repolinter:
+    uses: ./.github/workflows/reusable_repolinter.yaml
+  # uses: newrelic/coreint-automation/.github/workflows/reusable_repolinter.yaml@v1
diff --git a/.github/workflows/reusable_repolinter.yaml b/.github/workflows/reusable_repolinter.yaml
@@ -0,0 +1,32 @@
+name: Repolinter Action
+
+# To see how to reuse this workflow, see `repolinter.yml` workflow in this repository.
+
+on:
+  workflow_call:
+
+# NOTE: This workflow will ONLY check the default branch!
+# Currently there is no elegant way to specify the default
+# branch in the event filtering, so branches are instead
+# filtered in the "Test Default Branch" step.
+jobs:
+  repolint:
+    name: Run Repolinter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test Default Branch
+        id: default-branch
+        uses: actions/github-script@v2
+        with:
+          script: |
+            const data = await github.repos.get(context.repo)
+            return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
+      - name: Checkout Self
+        if: ${{ steps.default-branch.outputs.result == 'true' }}
+        uses: actions/checkout@v4
+      - name: Run Repolinter
+        if: ${{ steps.default-branch.outputs.result == 'true' }}
+        uses: newrelic/repolinter-action@v1
+        with:
+          config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
+          output_type: issue
diff --git a/.github/workflows/reusable_security.yaml b/.github/workflows/reusable_security.yaml
@@ -0,0 +1,55 @@
+name: Security Scan
+
+# To see how to reuse this workflow, see `security.yaml` workflow in this repository.
+
+on:
+  workflow_call:
+    inputs:
+      skip-dirs:
+        description: 'comma separated list of directories where traversal is skipped'
+        required: false
+        type: string
+        default: ''
+      skip-files:
+        description: 'comma separated list of files to be skipped'
+        required: false
+        type: string
+        default: ''
+
+jobs:
+  trivy:
+    name: Trivy security scan
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Run Trivy vulnerability scanner in repo mode
+        uses: aquasecurity/trivy-action@0.12.0
+        if: ${{ ! github.event.schedule }}  # Do not run inline checks when running periodically
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          exit-code: 1
+          severity: 'HIGH,CRITICAL'
+          skip-dirs: "${{ inputs.skip-dirs }}"
+          skip-files: "${{ inputs.skip-files }}"
+
+      - name: Run Trivy vulnerability scanner sarif output
+        uses: aquasecurity/trivy-action@0.12.0
+        if: ${{ github.event.schedule }}  # Generate sarif when running periodically
+        with:
+          scan-type: fs
+          ignore-unfixed: true
+          severity: 'HIGH,CRITICAL'
+          format: 'template'
+          template: '@/contrib/sarif.tpl'
+          output: 'trivy-results.sarif'
+          skip-dirs: "${{ inputs.skip-dirs }}"
+          skip-files: "${{ inputs.skip-files }}"
+
+      - name: Upload Trivy scan results to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@v2
+        if: ${{ github.event.schedule }}  # Upload sarif when running periodically
+        with:
+          sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trigger_prerelease.yaml → ...orkflows/reusable_trigger_prerelease.yaml b/.github/workflows/trigger_prerelease.yaml → ...orkflows/reusable_trigger_prerelease.yaml
@@ -9,6 +9,8 @@ name: Trigger pre-release shared workflow
 #        bot_token: {{ secret."github_token_name" }}
 #        slack_channel: {{ secret."slack_channel_name" }}
 #        slack_token: {{ secret."slack_token_name" }}
+#      with:
+#        rt-included-files: go.mod,go.sum,build/Dockerfile
 
 on:
   workflow_call:

diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
@@ -0,0 +1,19 @@
+name: Security Scan
+
+on:
+  push:
+    branches:
+      - master
+      - main
+      - renovate/**
+  pull_request:
+  schedule:
+    - cron: "0 3 * * *"
+
+jobs:
+  security:
+  # uses: newrelic/coreint-automation/.github/workflows/reusable_security.yaml@v1
+    uses: ./.github/workflows/reusable_security.yaml
+  # with:
+  #   skip-dirs: "build"
+  #   skip-files: "some-testing-tls-file"