chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 #271
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Node CI | |
| on: | |
| push: | |
| branches: | |
| - "**" | |
| tags: | |
| - "v**" | |
| pull_request: | |
| workflow_dispatch: | |
| jobs: | |
| lint: | |
| name: Lint | |
| runs-on: ubuntu-latest | |
| continue-on-error: true | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| package-name: | |
| - "@sofie-prompter-editor/shared-model" | |
| - "@sofie-prompter-editor/shared-lib" | |
| - "@sofie-prompter-editor/apps-backend" | |
| - "@sofie-prompter-editor/apps-client" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - run: corepack enable | |
| - name: Use Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".node-version" | |
| cache: "yarn" | |
| - name: Prepare Environment | |
| run: | | |
| yarn install | |
| yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build | |
| env: | |
| CI: true | |
| - name: Run typecheck and linter | |
| run: | | |
| yarn lerna run --scope ${{ matrix.package-name }} --stream lint | |
| env: | |
| CI: true | |
| test: | |
| name: Test | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 15 | |
| strategy: | |
| fail-fast: false | |
| matrix: | |
| package-name: | |
| - "@sofie-prompter-editor/shared-model" | |
| - "@sofie-prompter-editor/shared-lib" | |
| - "@sofie-prompter-editor/apps-backend" | |
| - "@sofie-prompter-editor/apps-client" | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - run: corepack enable | |
| - name: Use Node.js | |
| uses: actions/setup-node@v4 | |
| with: | |
| node-version-file: ".node-version" | |
| cache: "yarn" | |
| - name: Prepare Environment | |
| run: | | |
| yarn install | |
| yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build | |
| env: | |
| CI: true | |
| - name: Run tests | |
| run: | | |
| yarn lerna run --scope ${{ matrix.package-name }} --stream test | |
| env: | |
| CI: true | |
| build-docker-image: | |
| name: Build docker image | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 30 | |
| steps: | |
| - uses: actions/checkout@v4 | |
| with: | |
| persist-credentials: false | |
| - name: Determine if images should be published to DockerHub | |
| id: dockerhub | |
| run: | | |
| # HACK: Never publish to dockerhub for now | |
| # check if a release branch, or main, or a tag | |
| # if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == "refs/tags/*" ]] | |
| # then | |
| # DOCKERHUB_PUBLISH="1" | |
| # else | |
| DOCKERHUB_PUBLISH="0" | |
| # fi | |
| # debug output | |
| echo "dockerhub-publish $DOCKERHUB_PUBLISH" | |
| echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT | |
| - name: Check if push to GHCR is enabled | |
| id: check-ghcr | |
| env: | |
| GHCR_ENABLED: ${{ vars.GHCR_ENABLED }} | |
| run: | | |
| echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}" | |
| echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT | |
| - name: Check if there is access to repo secrets (needed for build and push) | |
| if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true' | |
| id: check-build-and-push | |
| env: | |
| SECRET_ACCESS: ${{ secrets.GITHUB_TOKEN }} | |
| run: | | |
| echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}" | |
| echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT | |
| - name: Get the Docker tag for GHCR | |
| id: ghcr-tag | |
| if: steps.check-ghcr.outputs.enable == 'true' | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ghcr.io/${{ github.repository }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Get the Docker tag for DockerHub | |
| id: dockerhub-tag | |
| if: steps.check-build-and-push.outputs.enable == 'true' | |
| uses: docker/metadata-action@v5 | |
| with: | |
| images: | | |
| ${{ secrets.DOCKERHUB_IMAGE_PREFIX }} | |
| tags: | | |
| type=schedule | |
| type=ref,event=branch | |
| type=ref,event=tag | |
| type=raw,value=latest,enable={{is_default_branch}} | |
| - name: Use Node.js | |
| uses: actions/setup-node@v4 | |
| if: steps.check-build-and-push.outputs.enable == 'true' | |
| with: | |
| node-version-file: ".node-version" | |
| - name: Set up Docker Buildx | |
| if: steps.check-build-and-push.outputs.enable == 'true' | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Login to DockerHub | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1' | |
| uses: docker/login-action@v3 | |
| with: | |
| username: ${{ secrets.DOCKERHUB_USERNAME }} | |
| password: ${{ secrets.DOCKERHUB_TOKEN }} | |
| - name: Login to GitHub Container Registry | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' | |
| uses: docker/login-action@v3 | |
| with: | |
| registry: ghcr.io | |
| username: ${{ github.repository_owner }} | |
| password: ${{ secrets.GITHUB_TOKEN }} | |
| - name: Build and push to GHCR | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0 | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| provenance: false | |
| labels: ${{ steps.ghcr-tag.outputs.labels }} | |
| tags: "${{ steps.ghcr-tag.outputs.tags }}" | |
| - name: Build and push to DockerHub | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1' | |
| uses: docker/build-push-action@v6 | |
| with: | |
| push: true | |
| provenance: false | |
| labels: ${{ steps.dockerhub-tag.outputs.labels }} | |
| tags: "${{ steps.dockerhub-tag.outputs.tags }}" | |
| - name: Get image for Trivy scanning | |
| id: trivy-image | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0 | |
| run: | | |
| image=$(echo ${{ steps.ghcr-tag.outputs.tags }} | head -n 1) | |
| echo "image=$image" >> $GITHUB_OUTPUT | |
| - name: Trivy scanning | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0 | |
| uses: aquasecurity/[email protected] | |
| with: | |
| image-ref: "${{ steps.trivy-image.outputs.image }}" | |
| format: "table" | |
| output: trivy-scan-result.txt | |
| ignore-unfixed: true | |
| severity: "CRITICAL,HIGH" | |
| - name: Post all Trivy scan results to Github Summary as a table | |
| if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0 | |
| env: | |
| CODE_BLOCK: "```" | |
| run: | | |
| echo "# Trivy scan results" >> $GITHUB_STEP_SUMMARY | |
| echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY | |
| cat trivy-scan-result.txt >> $GITHUB_STEP_SUMMARY | |
| echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY |