From 7ba95d543d722bb76e8c1a20d0fe41f02de6234a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Juan=20Manuel=20=22Kang=22=20P=C3=A9rez?=
Date: Mon, 20 Nov 2023 10:54:42 +0100
Subject: [PATCH] [chore] Rename pipelines and centralise the security ones (#33)

* chore: rename pipelines and centralise the security ones
* should specify version when calling local workflows
* missing a on.workflow_call trigger

---
 .github/workflows/on_push_pr.yaml | 24 ++++++++
 .github/workflows/repolinter.yml | 31 ++++-----
 .github/workflows/reusable_repolinter.yaml | 32 +++++++++++
 .github/workflows/reusable_security.yaml | 55 +++++++++++++++++++
 ....yaml => reusable_trigger_prerelease.yaml} | 2 +
 .github/workflows/security.yaml | 19 +++++++
 6 files changed, 138 insertions(+), 25 deletions(-)
 create mode 100644 .github/workflows/on_push_pr.yaml
 create mode 100644 .github/workflows/reusable_repolinter.yaml
 create mode 100644 .github/workflows/reusable_security.yaml
 rename .github/workflows/{trigger_prerelease.yaml => reusable_trigger_prerelease.yaml} (98%)
 create mode 100644 .github/workflows/security.yaml

diff --git a/.github/workflows/on_push_pr.yaml b/.github/workflows/on_push_pr.yaml
new file mode 100644
index 0000000..acc7711
--- /dev/null
+++ b/.github/workflows/on_push_pr.yaml
@@ -0,0 +1,24 @@
+name: Push/PR pipeline
+
+on:
+ push:
+ branches:
+ - main
+ - master
+ - renovate/**
+ pull_request:
+
+jobs:
+ renovate-config-validator:
+ name: Renovatebot config validator
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v4
+
+ name: Install Renovatebot config validator
+ run: npm install --global renovate
+
+ name: Test that the config is valid
+ run: |
+ find -name renovate\*.json\* -exec renovate-config-validator {} \; || renovate-config-validator
diff --git a/.github/workflows/repolinter.yml b/.github/workflows/repolinter.yml
index 661f3c2..65f2e6b 100644
--- a/.github/workflows/repolinter.yml
+++ b/.github/workflows/repolinter.yml
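Review bot: In the "Test that the config is valid" step, `find ... -exec renovate-config-validator {} \;` exits 0 even when the validator exits non-zero (with `\;` the command's status only decides the predicate, not find's own exit code), so an invalid renovate config never fails the job, and the `|| renovate-config-validator` fallback only runs when find itself errors; an explicit loop over the matched files (below) makes a failing validation fail the step, because the runner's default `run:` shell is bash with `-e`. `actions/checkout@v4` here, and the action refs in the reusable_repolinter.yaml and reusable_security.yaml hunks, are mutable tags; pinning each `uses:` to a full commit SHA with the tag in a trailing comment is the usual supply-chain hardening, and `npm install --global renovate` likewise installs whatever renovate is current, so pinning its version keeps the check reproducible. `push` on `renovate/**` combined with `pull_request` also runs this workflow twice for every Renovate PR; security.yaml's trigger set has the same overlap, so one of the two triggers can probably be dropped in both files.
```yaml
      - name: Test that the config is valid
        run: |
          configs=$(find . -name 'renovate*.json*')
          if [ -z "$configs" ]; then
            # no repo-specific config found: let the validator use its own discovery
            renovate-config-validator
          else
            for cfg in $configs; do
              renovate-config-validator "$cfg"  # non-zero exit fails the step under bash -e
            done
          fi
```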
@@ -2,30 +2,11 @@
 # workflow_dispatch to work properly
 name: Repolinter Action
 
-# NOTE: This workflow will ONLY check the default branch!
-# Currently there is no elegant way to specify the default
-# branch in the event filtering, so branches are instead
-# filtered in the "Test Default Branch" step.
-on: [push, workflow_dispatch]
+on:
+ push:
+ workflow_dispatch:
 
 jobs:
- repolint:
- name: Run Repolinter
- runs-on: ubuntu-latest
- steps:
- - name: Test Default Branch
- id: default-branch
- uses: actions/github-script@v2
- with:
- script: |
- const data = await github.repos.get(context.repo)
- return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
- - name: Checkout Self
- if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: actions/checkout@v4
- - name: Run Repolinter
- if: ${{ steps.default-branch.outputs.result == 'true' }}
- uses: newrelic/repolinter-action@v1
- with:
- config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
- output_type: issue
+ repolinter:
+ uses: ./.github/workflows/reusable_repolinter.yaml
+ # uses: newrelic/coreint-automation/.github/workflows/reusable_repolinter.yaml@v1
diff --git a/.github/workflows/reusable_repolinter.yaml b/.github/workflows/reusable_repolinter.yaml
new file mode 100644
index 0000000..3eb86b9
--- /dev/null
+++ b/.github/workflows/reusable_repolinter.yaml
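Review bot: The new `repolinter` job declares no `permissions:`, yet the reusable workflow it calls opens issues (`output_type: issue` in the reusable_repolinter.yaml hunk) and reads repository metadata via github-script, so it silently depends on whatever the repository's default GITHUB_TOKEN scope happens to be; declaring `permissions: { contents: read, issues: write }` on this job (the called workflow cannot exceed it) states the scope it needs and drops every other write scope where the default is broader. `push:` without a `branches:` filter also queues a run for every branch even though the called workflow does nothing off the default branch; a `branches: [main, master]` filter avoids those no-op runs, while the runtime default-branch probe still covers repositories whose default is named differently.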
@@ -0,0 +1,32 @@
+name: Repolinter Action
+
+# To see how to reuse this workflow, see `repolinter.yml` workflow in this repository.
+
+on:
+ workflow_call:
+
+# NOTE: This workflow will ONLY check the default branch!
+# Currently there is no elegant way to specify the default
+# branch in the event filtering, so branches are instead
+# filtered in the "Test Default Branch" step.
+jobs:
+ repolint:
+ name: Run Repolinter
+ runs-on: ubuntu-latest
+ steps:
+ - name: Test Default Branch
+ id: default-branch
+ uses: actions/github-script@v2
+ with:
+ script: |
+ const data = await github.repos.get(context.repo)
+ return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
+ - name: Checkout Self
+ if: ${{ steps.default-branch.outputs.result == 'true' }}
+ uses: actions/checkout@v4
+ - name: Run Repolinter
+ if: ${{ steps.default-branch.outputs.result == 'true' }}
+ uses: newrelic/repolinter-action@v1
+ with:
+ config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
+ output_type: issue
diff --git a/.github/workflows/reusable_security.yaml b/.github/workflows/reusable_security.yaml
new file mode 100644
index 0000000..a48f9cd
--- /dev/null
+++ b/.github/workflows/reusable_security.yaml
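Review bot: The default-branch guard in the "Test Default Branch" step compares only the last path segment of `context.ref`, so a push to a branch such as `release/main` passes as the default branch and the checkout and linter steps run (and can open issues) for it; comparing the full ref, `return data.data && context.ref === 'refs/heads/' + data.data.default_branch`, closes that gap for both `push` and `workflow_dispatch`. `actions/github-script@v2` is several major versions behind, and later versions moved the client to `github.rest.repos.get`, so bumping the tag alone would break this script; a comment on the `uses:` line such as `# v2 API: github.repos.*; newer majors need github.rest.repos.*` saves the next maintainer a failed run. The `config_url` points at the `main` branch of a sibling repository, which means the ruleset applied here can change without any commit in this repository; that is presumably intended for an org-wide baseline, but a comment saying so would make the trust relationship explicit.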
@@ -0,0 +1,55 @@
+name: Security Scan
+
+# To see how to reuse this workflow, see `security.yaml` workflow in this repository.
+
+on:
+ workflow_call:
+ inputs:
+ skip-dirs:
+ description: 'comma separated list of directories where traversal is skipped'
+ required: false
+ type: string
+ default: ''
+ skip-files:
+ description: 'comma separated list of files to be skipped'
+ required: false
+ type: string
+ default: ''
+
+jobs:
+ trivy:
+ name: Trivy security scan
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout code
+ uses: actions/checkout@v4
+
+ - name: Run Trivy vulnerability scanner in repo mode
+ uses: aquasecurity/trivy-action@0.12.0
+ if: ${{ ! github.event.schedule }} # Do not run inline checks when running periodically
+ with:
+ scan-type: fs
+ ignore-unfixed: true
+ exit-code: 1
+ severity: 'HIGH,CRITICAL'
+ skip-dirs: "${{ inputs.skip-dirs }}"
+ skip-files: "${{ inputs.skip-files }}"
+
+ - name: Run Trivy vulnerability scanner sarif output
+ uses: aquasecurity/trivy-action@0.12.0
+ if: ${{ github.event.schedule }} # Generate sarif when running periodically
+ with:
+ scan-type: fs
+ ignore-unfixed: true
+ severity: 'HIGH,CRITICAL'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ skip-dirs: "${{ inputs.skip-dirs }}"
+ skip-files: "${{ inputs.skip-files }}"
+
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ if: ${{ github.event.schedule }} # Upload sarif when running periodically
+ with:
+ sarif_file: 'trivy-results.sarif'
diff --git a/.github/workflows/trigger_prerelease.yaml b/.github/workflows/reusable_trigger_prerelease.yaml
similarity index 98%
rename from .github/workflows/trigger_prerelease.yaml
rename to .github/workflows/reusable_trigger_prerelease.yaml
index c25f6ed..5a86ea4 100644
--- a/.github/workflows/trigger_prerelease.yaml
+++ b/.github/workflows/reusable_trigger_prerelease.yaml
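Review bot: The "Upload Trivy scan results to GitHub Security tab" step needs `security-events: write` on GITHUB_TOKEN, but neither the `trivy` job here nor the calling `security` job in the security.yaml hunk declares `permissions:`, so on a repository whose default token is read-only the scheduled upload fails after the scan itself has completed; adding `permissions:` with `contents: read` and `security-events: write` to the `trivy` job (and the same on the caller, since the effective scope is the intersection of the two) fixes that and drops every other write scope from the token. `ignore-unfixed: true` on both scan steps means findings with no upstream fix never reach the Security tab either; if that is deliberate it deserves a comment such as `# unfixed findings are hidden on purpose: a dependency bump cannot address them`. The scheduled step sets no `exit-code`, so vulnerabilities published after merge only surface as SARIF alerts and never fail a run — worth stating in the header comment so consumers know the Security tab, not the workflow status, is where nightly results land.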
@@ -9,6 +9,8 @@ name: Trigger pre-release shared workflow
 # bot_token: {{ secret."github_token_name" }}
 # slack_channel: {{ secret."slack_channel_name" }}
 # slack_token: {{ secret."slack_token_name" }}
+# with:
+# rt-included-files: go.mod,go.sum,build/Dockerfile
 
 on:
 workflow_call:
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..e950afc
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,19 @@
+name: Security Scan
+
+on:
+ push:
+ branches:
+ - master
+ - main
+ - renovate/**
+ pull_request:
+ schedule:
+ - cron: "0 3 * * *"
+
+jobs:
+ security:
+ # uses: newrelic/coreint-automation/.github/workflows/reusable_security.yaml@v1
+ uses: ./.github/workflows/reusable_security.yaml
+ # with:
+ # skip-dirs: "build"
+ # skip-files: "some-testing-tls-file"