Bump the security group with 2 updates (#4427) #1541
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: alpha | |
on: | |
push: | |
branches: | |
- main | |
jobs: | |
generate-tag: | |
runs-on: ubuntu-20.04 | |
outputs: | |
tag: ${{ steps.get_tag.outputs.GIT_TAG }} | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Get tags | |
id: get_tag | |
uses: ./.github/actions/version-tag | |
build-migrations-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: migrations/deploy | |
component: kotsadm-migrations | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-migrations: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-migrations-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: migrations/deploy | |
component: kotsadm-migrations | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kotsadm-migrations:alpha | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kotsadm-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: deploy | |
component: kotsadm | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-kotsadm: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-kotsadm-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: deploy | |
component: kotsadm | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kotsadm:alpha | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
build-kurl-proxy-melange-packages: | |
needs: [generate-tag] | |
strategy: | |
fail-fast: true | |
matrix: | |
runner: [ | |
{name: ubuntu-20.04, arch: amd64}, | |
{name: arm64-runner-set, arch: arm64} | |
] | |
runs-on: ${{ matrix.runner.name }} | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-melange-package | |
with: | |
context: kurl_proxy/deploy | |
component: kurl-proxy | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
arch: ${{ matrix.runner.arch }} | |
build-kurl-proxy: | |
runs-on: ubuntu-20.04 | |
needs: [generate-tag, build-kurl-proxy-melange-packages] | |
steps: | |
- uses: actions/checkout@v4 | |
- uses: ./.github/actions/build-custom-image-with-apko | |
with: | |
context: kurl_proxy/deploy | |
component: kurl-proxy | |
git-tag: ${{ needs.generate-tag.outputs.tag }} | |
image-name: index.docker.io/kotsadm/kurl-proxy:alpha | |
registry-username: ${{ secrets.DOCKERHUB_USER }} | |
registry-password: ${{ secrets.DOCKERHUB_PASSWORD }} | |
scan_rqlite: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- name: Scan rqlite for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/kotsadm/rqlite:${{ steps.dotenv.outputs.RQLITE_TAG }}" | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'rqlite-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: rqlite-scan-output.sarif | |
scan_minio: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- name: Scan minio for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/kotsadm/minio:${{ steps.dotenv.outputs.MINIO_TAG }}" | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'minio-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: 'minio-scan-output.sarif' | |
scan_dex: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- name: Scan dex for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/kotsadm/dex:${{ steps.dotenv.outputs.DEX_TAG }}" | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'dex-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: dex-scan-output.sarif | |
scan_kurl_proxy: | |
runs-on: ubuntu-20.04 | |
needs: [build-kurl-proxy] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Scan kurl-proxy for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: 'docker.io/kotsadm/kurl-proxy:alpha' | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'kurl-proxy-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: kurl-proxy-scan-output.sarif | |
scan_local_volume_provider: | |
runs-on: ubuntu-20.04 | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Read image tags from env file | |
uses: falti/dotenv-action@v1 | |
id: dotenv | |
with: | |
path: .image.env | |
- name: Scan replicated/local-volume-provider for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: "docker.io/replicated/local-volume-provider:${{ steps.dotenv.outputs.LVP_TAG }}" | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: scan-output.sarif | |
scan_kotsadm: | |
runs-on: ubuntu-20.04 | |
needs: [build-kotsadm] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Scan kotsadm for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: 'docker.io/kotsadm/kotsadm:alpha' | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'kotsadm-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: kotsadm-scan-output.sarif | |
scan_kotsadm_migrations: | |
runs-on: ubuntu-20.04 | |
needs: [build-migrations] | |
steps: | |
- name: Checkout | |
uses: actions/checkout@v4 | |
- name: Scan migrations for vulnerabilities | |
id: scan | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: 'docker.io/kotsadm/kotsadm-migrations:alpha' | |
format: 'template' | |
template: '@/contrib/sarif.tpl' | |
output: 'kotsadm-migration-scan-output.sarif' | |
exit-code: '0' | |
ignore-unfixed: true | |
severity: 'CRITICAL,HIGH,MEDIUM' | |
- name: Upload scan report | |
uses: github/codeql-action/upload-sarif@v3 | |
with: | |
sarif_file: kotsadm-migration-scan-output.sarif |