Skip to content

fix: multiplatform sbom and vulnscan #759

fix: multiplatform sbom and vulnscan

fix: multiplatform sbom and vulnscan #759

Workflow file for this run

---
name: "CI"
on: # yamllint disable-line rule:truthy
push:
branches:
- main
pull_request:
branches:
- main
env:
python_version: "3.11"
defaults:
run:
shell: 'bash --noprofile --norc -Eeuo pipefail {0}'
jobs:
test:
name: Test
runs-on: ubuntu-22.04
strategy:
fail-fast: false
matrix:
platform:
- linux/amd64
- linux/arm64
steps:
- name: Checkout the repository
uses: actions/checkout@v3
with:
fetch-depth: 0
- uses: actions/setup-python@v4
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v3
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: |
python -m pip install --upgrade pipenv
mkdir "${RUNNER_TEMP}/bin"
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/syft"
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grype"
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
- name: Install Task
uses: arduino/setup-task@v1
- name: Initialize the repo
run: task -v init
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v2
- name: Build the goat
run: task -v build
env:
PLATFORM: ${{ matrix.platform }}
- name: Run the tests
run: task -v test -- debug
env:
PLATFORM: ${{ matrix.platform }}
- name: Generate the SBOMs
run: task -v sbom
env:
PLATFORM: ${{ matrix.platform }}
- name: Upload the SBOMs to GitHub
uses: actions/upload-artifact@v3
with:
name: SBOM
path: sbom.*.json
if-no-files-found: error
- name: Generate vuln scan results
run: task -v vulnscan
env:
PLATFORM: ${{ matrix.platform }}
- name: Upload the vuln scan results to GitHub
uses: actions/upload-artifact@v3
with:
name: Vulns
path: vulns.*.json
if-no-files-found: error
distribute:
name: Distribute
needs: [test]
if: "${{ github.event_name == 'push' && !startsWith(github.event.head_commit.message, 'Bump version: 2') }}"
permissions:
contents: write
runs-on: ubuntu-22.04
steps:
- name: Checkout the repository
uses: actions/checkout@v3
with:
token: ${{ secrets.SEISO_AUTOMATION_PAT }}
fetch-depth: 0
- name: Setup python
uses: actions/setup-python@v4
with:
python-version: ${{ env.python_version }}
- uses: actions/cache@v3
with:
path: ~/.local/share/virtualenvs
key: ${{ runner.os }}-python-${{ env.python_version }}-pipenv-${{ hashFiles('Pipfile.lock') }}
- name: Install the dependencies
run: |
python -m pip install --upgrade pipenv
mkdir "${RUNNER_TEMP}/bin"
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/syft"
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b "${RUNNER_TEMP}/bin"
chmod +x "${RUNNER_TEMP}/bin/grype"
echo "${RUNNER_TEMP}/bin" >> "${GITHUB_PATH}"
- name: Install Task
uses: arduino/setup-task@v1
- name: Initialize the repo
run: task -v init
- name: Update and bump the version
run: |
task -v release
TAG="$(git describe --tags)"
echo "TAG=${TAG}" >> "${GITHUB_ENV}"
- name: Log in to Docker Hub
uses: docker/login-action@v2
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Set up QEMU for cross-platform emulation
uses: docker/setup-qemu-action@v2
- name: Build and publish all the supported images to Docker Hub
run: task -v publish
env:
PLATFORM: all
- name: Generate the SBOMs
run: task -v sbom
env:
PLATFORM: all
- name: Upload the SBOMs to GitHub
uses: actions/upload-artifact@v3
with:
name: SBOM
path: sbom.*.json
if-no-files-found: error
- name: Generate vuln scan results
run: task -v vulnscan
env:
PLATFORM: all
- name: Upload the vuln scan results to GitHub
uses: actions/upload-artifact@v3
with:
name: Vulns
path: vulns.*.json
if-no-files-found: error
- name: Publish the release README to Docker Hub
uses: peter-evans/dockerhub-description@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
repository: seiso/goat
short-description: Seiso's Grand Opinionated AutoTester (GOAT)
- name: Push the release commit
run: |
BRANCH="$(git branch --show-current)"
git push --atomic origin "${BRANCH}" "${{ env.TAG }}"
- name: Publish the release to GitHub
uses: softprops/action-gh-release@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
name: ${{ env.TAG }}
tag_name: ${{ env.TAG }}
generate_release_notes: true
files: |
vulns.*.json
sbom.*.json
draft: false
prerelease: false