From b35c1032f6e5909db47397fc691d0b7accea64eb Mon Sep 17 00:00:00 2001 From: VOID404 Date: Fri, 6 Sep 2024 11:30:41 +0200 Subject: [PATCH] Migrate build pipeline --- .github/workflows/build_kim.yaml | 133 +++++++++++++++++++++++++++++++ 1 file changed, 133 insertions(+) create mode 100644 .github/workflows/build_kim.yaml diff --git a/.github/workflows/build_kim.yaml b/.github/workflows/build_kim.yaml new file mode 100644 index 00000000..86dddc5d --- /dev/null +++ b/.github/workflows/build_kim.yaml @@ -0,0 +1,133 @@ +name: KIM + +on: + push: + branches: + - main + tags: + - "[0-9]+.[0-9]+.[0-9]+" + - "[0-9]+.[0-9]+.[0-9]+-*" + paths-ignore: + - .reuse + - hack/ + - LICENSES/ + - LICENSE + - .gitignore + - "**.md" + + pull_request_target: + types: [opened, synchronize, reopened] + paths-ignore: + - .reuse + - hack/ + - LICENSES/ + - LICENSE + - .gitignore + - "**.md" + +env: + trivy-table: trivy-table.txt + +permissions: + id-token: write # This is required for requesting the JWT token + contents: read # This is required for actions/checkout + +jobs: + setup: + permissions: + contents: read + runs-on: ubuntu-latest + outputs: + tag: ${{ steps.tag.outputs.tag }} + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + - id: tag + if: github.event_name == 'push' && github.ref_type == 'tag' + run: echo "tag=${{ github.ref_name }}" >> $GITHUB_OUTPUT + + trivy: + permissions: + contents: read + runs-on: "ubuntu-20.04" + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} + + - name: Install trivy + run: | + mkdir ./trivy + curl -L https://github.com/aquasecurity/trivy/releases/download/v0.49.1/trivy_0.49.1_Linux-64bit.tar.gz | tar xvz --directory=./trivy + ./trivy/trivy --version + + - name: Run Trivy vulnerability scanner + uses: aquasecurity/trivy-action@0.24.0 + with: + scan-type: "fs" + scan-ref: "." + + exit-code: 1 + severity: "UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL" + ignore-unfixed: false + timeout: "5m0s" + vuln-type: "os,library" + + format: table + output: ${{ env.trivy-table }} + + - name: Upload trivy table + if: success() || failure() + uses: actions/upload-artifact@v4 + with: + name: ${{ env.trivy-table }} + path: ${{ env.trivy-table }} + + - name: Print trivy table + if: success() || failure() + run: cat ${{ env.trivy-table }} + + build-image: + needs: setup + uses: kyma-project/test-infra/.github/workflows/image-builder.yml@main # Usage: kyma-project/test-infra/.github/workflows/image-builder.yml@main + with: + name: infrastructure-manager + dockerfile: Dockerfile + context: . + tags: ${{ needs.setup.outputs.tag }} + + summary: + runs-on: ubuntu-latest + needs: [build-image, trivy] + if: success() || failure() + steps: + - name: "Download trivy log" + uses: actions/download-artifact@v4 + continue-on-error: true + with: + name: ${{ env.trivy-table }} + - name: "Generate summary" + run: | + { + echo '# Kyma Infrastructure Manager' + # if trivy results table exists + if [ -f ${{ env.trivy-table }} ]; then + echo '## Trivy' + printf '\n```txt\n' + cat ${{ env.trivy-table }} + printf '\n```\n' + fi + + # if build-image was successful + if [ "${{ needs.build-image.result }}" == "success" ]; then + printf '\n\n## Image\n' + printf '\n```json\n' + echo '${{ needs.build-image.outputs.images }}' | jq + printf '\n```\n' + fi + } >> $GITHUB_STEP_SUMMARY