diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml
index 85cbc0763e..a463817b16 100644
--- a/.github/workflows/check.yml
+++ b/.github/workflows/check.yml
@@ -1,43 +1,88 @@ -name: Check +name: Pull Request Workflow -# XXX disabled for now because we use Jenkins still, but at the time this was tested it was functional -# on: -# pull_request: -# branches: [ master ] +on: + push: + branches: + #- '*' # Trigger on all branches for pull requests + - feat/ING-4183 + workflow_dispatch: {} jobs: check: runs-on: ubuntu-latest steps: - - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1 - - # Note: Actually we don't need Maven CLI, only Java 17, but this may have additional benefits due to the Maven cache - - name: Setup Maven - uses: s4u/setup-maven-action@4fdbe2a6a718a03bf4874636eed4311886cab6ba # v1.5.1 - with: - java-version: 17 - java-distribution: temurin - maven-version: 3.8.6 - - - name: Clean - run: ./build.sh clean - working-directory: ./build - - - name: Test (commitStage) - run: ./build.sh commitStage - # run: ./build.sh integrationStage - working-directory: ./build - - # https://github.com/marketplace/actions/junit-report-action - - name: Publish Test Report - uses: mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1 - if: always() # always run even if the previous step fails - with: - report_paths: 'build/target/testReports/*.xml' - - # TODO allure report? - # build/target/allure-results - - # TODO archive logs? - # build/target/testReports/*.out,build/target/testReports/*.err + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Maven + uses: s4u/setup-maven-action@v1.5.1 + with: + java-version: 17 + java-distribution: temurin + maven-version: 3.8.6 + + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + # Build Docker image + - name: Build Docker image + run: docker build -t halestudio-docker-image . 
+ + # Push Docker image to a registry (optional) + - name: Push Docker image + run: | + echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + docker push halestudio-docker-image + + # Scan Docker image using Trivy + - name: Scan Docker image for vulnerabilities + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'halestudio-docker-image' + scan-type: 'image' + format: 'template' + template: '/junit.tpl' + output: 'trivy-scan-results.xml' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL' + + # Upload Trivy scan results to GitHub Security tab + #- name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-scan-results.sarif' + + - name: Upload Trivy scan results + uses: actions/upload-artifact@v2 + with: + name: trivy-results + path: trivy-results.json + + - name: Clean + run: ./build.sh clean + working-directory: ./build + + - name: Test + run: ./build.sh commitStage + working-directory: ./build + + - name: Publish Test Report + uses: mikepenz/action-junit-report@v4 + if: always() # always run even if the previous step fails + with: + # fail if there are no test results + require_tests: true + + # Workaround for check that is additionally created being associated + # to the wrong workflow/run. Instead no additional check is created. + # See https://github.com/mikepenz/action-junit-report/issues/40 + annotate_only: true + detailed_summary: true + report_paths: 'build/target/testReports/*.xml' + \ No newline at end of file diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml new file mode 100644 index 0000000000..a3bda27f69 --- /dev/null +++ b/.github/workflows/trivy.yml 
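Review bot: The new steps drop the commit-SHA pins the removed lines had (`actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`, `s4u/setup-maven-action@4fdbe2a6a718a03bf4874636eed4311886cab6ba # v1.5.1`, `mikepenz/action-junit-report@9379f0ccddcab154835d4e2487555ee79614fe95 # v4.2.1`) in favour of mutable tags (`@v4`, `@v1.5.1`, `@v2`, `@0.12.0`), so a moved or hijacked tag silently changes what runs in a job that holds `DOCKER_HUB_USERNAME`/`DOCKER_HUB_PASSWORD`; keep the full-SHA pins with the version in a trailing comment, e.g. `uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1`. The "Push Docker image" step runs before "Scan Docker image for vulnerabilities", and the Trivy step sets no `exit-code`, so the image is published regardless of CRITICAL findings; move the scan ahead of the push and add `exit-code: '1'` under `with:` so the job fails (and nothing is pushed) when the scan reports. The push step also re-runs `docker login` in the shell with the secret piped via `echo`, duplicating `docker/login-action@v2` two steps earlier — the `echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login …` line can be removed. The scan writes `output: 'trivy-scan-results.xml'` but "Upload Trivy scan results" uploads `path: trivy-results.json`, so the artifact step will find no file; the two names should match. The same four points apply to the copy of these steps in the `.github/workflows/trivy.yml` hunk.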
@@ -0,0 +1,63 @@ +name: Pull Request Workflow + +on: + push: + branches: + #- '*' # Trigger on all branches for pull requests + - feat/ING-4183 + +jobs: + build: + runs-on: ubuntu-latest + + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Maven + uses: s4u/setup-maven-action@v1.5.1 + with: + java-version: 17 + java-distribution: temurin + maven-version: 3.8.6 + + - name: Login to Docker Hub + uses: docker/login-action@v2 + with: + username: ${{ secrets.DOCKER_HUB_USERNAME }} + password: ${{ secrets.DOCKER_HUB_PASSWORD }} + + # Build Docker image + - name: Build Docker image + run: docker build -t halestudio-docker-image . + + # Push Docker image to a registry (optional) + - name: Push Docker image + run: | + echo "${{ secrets.DOCKER_HUB_PASSWORD }}" | docker login -u ${{ secrets.DOCKER_HUB_USERNAME }} --password-stdin + docker push halestudio-docker-image + + # Scan Docker image using Trivy + - name: Scan Docker image for vulnerabilities + uses: aquasecurity/trivy-action@0.12.0 + with: + image-ref: 'halestudio-docker-image' + scan-type: 'image' + format: 'template' + template: '/junit.tpl' + output: 'trivy-scan-results.xml' + ignore-unfixed: true + vuln-type: 'os,library' + severity: 'CRITICAL' + + # Upload Trivy scan results to GitHub Security tab + #- name: Upload Trivy scan results to GitHub Security tab + # uses: github/codeql-action/upload-sarif@v2 + # with: + # sarif_file: 'trivy-scan-results.sarif' + + - name: Upload Trivy scan results + uses: actions/upload-artifact@v2 + with: + name: trivy-results + path: trivy-results.json diff --git a/junit.tpl b/junit.tpl new file mode 100644 index 0000000000..80c7f6b025 --- /dev/null +++ b/junit.tpl @@ -0,0 +1,16 @@ +{{- range .Results }} + + {{- range .Vulnerabilities }} + + + + + + {{- end }} + +{{- end }}
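Review bot: `trivy.yml` is a near-verbatim copy of the new steps in `check.yml`, with the same `name: Pull Request Workflow` and the same `push` trigger on `feat/ING-4183`, so every push to that branch builds, pushes and scans the image twice under two runs that are indistinguishable in the checks UI; one of the two workflows should go, or this one should get its own name and a distinct trigger. `docker push halestudio-docker-image` carries no registry namespace or tag, which with a Docker Hub login resolves to the default `library/` namespace and will presumably be rejected; build and push as `<dockerhub-namespace>/halestudio-docker-image:<tag>` (placeholder values) so the pushed image is also the one Trivy scans via `image-ref`. `template: '/junit.tpl'` likely does not load the file added in this commit: Trivy reads a template from a file only when the value starts with `@` (the trivy-action README uses the `'@/contrib/sarif.tpl'` form), and the repository's `junit.tpl` sits at the workspace root rather than the container's filesystem root, so something like `template: '@junit.tpl'` is probably needed — worth confirming against the action's documentation. `actions/upload-artifact@v2` is an older major that GitHub has flagged as deprecated because of its Node runtime; a current major (v3 or later) avoids the deprecation warnings and eventual hard failure.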