build(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 #2120
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: PR | |
on: | |
pull_request: | |
push: | |
jobs: | |
pr-short-tests: | |
name: Run short go tests | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- name: checkout | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Ensure go version | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: run tests | |
run: make test | |
- name: Annotate tests | |
if: always() | |
uses: guyarb/golang-test-annoations@2941118d7ef622b1b3771d1ff6eae9e90659eb26 # v0.8.0 | |
with: | |
test-results: test.json | |
pr-check-docs-links: | |
name: Check docs for incorrect links | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Link Checker | |
uses: lycheeverse/lychee-action@f81112d0d2814ded911bd23e3beaa9dda9093915 | |
env: | |
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} | |
with: | |
args: --verbose --no-progress '*.md' '*.yaml' '*/*/*.go' --exclude-link-local | |
fail: true | |
# This should not be made a mandatory test | |
# It is only used to make us aware of any potential security failure, that | |
# should trigger a bump of the image in build/. | |
pr-vuln-scan: | |
name: Build image and scan it against known vulnerabilities | |
runs-on: ubuntu-latest | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Ensure go version | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Build image | |
run: VERSION="${{ steps.tags.outputs.sha_short }}" DH_ORG="${{ github.repository_owner }}" make image | |
- name: Run Trivy vulnerability scanner | |
uses: aquasecurity/trivy-action@18f2510ee396bbf400402947b394f2dd8c87dbb0 | |
with: | |
image-ref: 'ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}' | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
vuln-type: 'os,library' | |
severity: 'CRITICAL,HIGH' | |
# This ensures the latest code works with the manifests built from tree. | |
# It is useful for two things: | |
# - Test manifests changes (obviously), ensuring they don't break existing clusters | |
# - Ensure manifests work with the latest versions even with no manifest change | |
# (compared to helm charts, manifests cannot easily template changes based on versions) | |
# Helm charts are _trailing_ releases, while manifests are done during development. | |
# This test uses the "command" reboot-method. | |
e2e-manifests: | |
name: End-to-End test with kured with code and manifests from HEAD | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
testname: | |
- "TestE2EWithCommand" | |
- "TestE2EWithSignal" | |
- "TestE2EConcurrentWithCommand" | |
kubernetes_version: | |
- "previous" | |
- "current" | |
- "next" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Ensure go version | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Install kind | |
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
with: | |
install_only: true | |
version: v0.22.0 | |
- name: Run specific e2e tests | |
run: make e2e-test ARGS="-run ^${{ matrix.testname }}/${{ matrix.kubernetes_version }}" | |
e2e-tests-singleversion: | |
name: End-to-End test targetting a single version of kubernetes | |
runs-on: ubuntu-latest | |
strategy: | |
fail-fast: false | |
matrix: | |
testname: | |
- "TestCordonningIsKept/concurrency1" | |
- "TestCordonningIsKept/concurrency2" | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@91182cccc01eb5e619899d80e4e971d6181294a7 # v2.10.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- name: Ensure go version | |
uses: actions/setup-go@41dfa10bad2bb2ae585af6ee5bb4d7d973ad74ed # v5.1.0 | |
with: | |
go-version-file: 'go.mod' | |
check-latest: true | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@49b3bc8e6bdd4a60e6116a5414239cba5943d3cf # v3.2.0 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@c47758b77c9736f4b2ef4073d4d51994fabfe349 # v3.7.1 | |
- name: Setup GoReleaser | |
run: make bootstrap-tools | |
- name: Find current tag version | |
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT | |
id: tags | |
- name: Install kind | |
uses: helm/kind-action@0025e74a8c7512023d06dc019c617aa3cf561fde # v1.10.0 | |
with: | |
install_only: true | |
version: v0.22.0 | |
- name: Run specific e2e tests | |
run: make e2e-test ARGS="-run ^${{ matrix.testname }}" |