CI updates and bump deps (#27)
* add deps scan workflow

* Create codeql.yml

* remove codeql

* add upload feature

* add output file

* update ci jobs

* update deps

* minor ci tweaks

* remove build test

* combine ci jobs

* require security scan

* more ci concurrency

* add SBOM to release flow
silas-x authored Jan 5, 2023
1 parent 546e5fe commit c85e56d
Showing 12 changed files with 1,487 additions and 835 deletions.
16 changes: 11 additions & 5 deletions .github/workflows/js-lint.yml → .github/workflows/ci-js-lint.yml
Expand Up @@ -7,7 +7,6 @@ on:
paths:
- '**.ts'
- '**.js'

pull_request:
branches:
- master
Expand All @@ -18,18 +17,25 @@ on:
jobs:
js-lint:
name: Prettier check
runs-on: ubuntu-20.04
runs-on: ubuntu-latest
defaults:
run:
working-directory: ./dex/tests/permissioned
steps:
- uses: actions/checkout@v3
- name: Checkout code
uses: actions/checkout@v3

- name: Use Node.js
uses: actions/setup-node@v3
with:
node-version: 18
- run: corepack enable

- name: Enable corepack
run: corepack enable
shell: bash
- run: yarn

- name: Install yarn
run: yarn

- name: Run prettier
run: yarn prettier '*/**/*{.js,.ts}' --check
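Review bot: The step newly named `Install yarn` (`run: yarn`) installs the project's dependencies, not yarn itself, and a bare `yarn` can quietly rewrite the lockfile on the runner instead of failing when it has drifted from the manifest. Rename it and make the install strict, e.g. `- name: Install dependencies` with `run: yarn install --immutable` (the Yarn 2+ flag under corepack; `--frozen-lockfile` if `packageManager` resolves to Yarn 1), so lint runs against exactly the committed dependency set. The `paths:` filter in the first hunk and the job header above the second are only partly visible here, so the rest of the trigger is unchecked.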
122 changes: 122 additions & 0 deletions .github/workflows/ci-test.yml
@@ -0,0 +1,122 @@
name: Scan & Test

on:
push:
branches:
- master
pull_request:
branches:
- master

env:
CARGO_TERM_COLOR: always

jobs:
trivy:
name: Dependency security scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3

# Report all vulnerabilities in security tab
- name: Report on all vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
hide-progress: true
format: 'sarif'
output: 'trivy-results.sarif'

# Fail the job on critical vulnerabiliies with fix available
- name: Fail on critical vulnerabilities
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
hide-progress: true
format: 'table'
severity: 'CRITICAL'
exit-code: '1'

- name: Upload scan results
uses: github/codeql-action/upload-sarif@v2
if: always()
with:
sarif_file: 'trivy-results.sarif'

format:
name: Format
needs: ['trivy']
if: ${{ always() }}
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v3

- name: Run cargo fmt
run: cargo fmt --all -- --check

clippy:
name: Clippy
needs: ['trivy']
if: ${{ always() }}
runs-on: ubuntu-latest
steps:
- name: Checkout sources
uses: actions/checkout@v3

- name: Cache binaries
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
dex/target/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

- name: Run cargo clippy
run: cargo clippy -- -D warnings

test:
name: Cargo test
needs: ['trivy']
if: ${{ always() }}
runs-on: ubuntu-latest
strategy:
fail-fast: false
matrix:
path: ['Cargo.toml',
'dex/Cargo.toml']
env:
PROGRAM_PATH: ${{ matrix.path }}
steps:
- name: Checkout sources
uses: actions/checkout@v3

- name: Cache binaries
uses: actions/cache@v3
with:
path: |
~/.cargo/bin/
~/.cargo/registry/index/
~/.cargo/registry/cache/
~/.cargo/git/db/
target/
dex/target/
key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}

- name: Run tests
run: |
cargo test --manifest-path ${{ matrix.path }} --workspace
pass:
name: All tests pass
needs: ['trivy', 'format', 'clippy', 'test']
runs-on: ubuntu-latest
steps:
- run: echo ok
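Review bot: The `pass` job added at the end of this hunk, which the commit message presents as the required "security scan" gate, has no `if:` condition, so when `trivy`, `format`, `clippy` or `test` fails it is skipped rather than failed, and a skipped job is not guaranteed to block a protected branch the way a failing one does — confirm how the branch protection rule treats it. Giving it `if: always()` plus an explicit step that fails on any non-success result in `needs.*.result` makes the gate unambiguous and also covers cancelled runs. Separately, both trivy steps here and the SBOM step in ci-verifiable-build.yml use `aquasecurity/trivy-action@master`, a mutable branch ref; pin it to a release tag or a full commit SHA so the scanner, and the SBOM generator in the release flow, cannot change underneath the workflow. The `format`/`clippy`/`test` jobs gate on `if: ${{ always() }}`, which also fires after a cancelled `trivy`; `!cancelled()` states the intent more precisely.
```yaml
pass:
  name: All tests pass
  needs: ['trivy', 'format', 'clippy', 'test']
  if: always()
  runs-on: ubuntu-latest
  steps:
    - name: Fail unless every required job succeeded
      if: >-
        contains(needs.*.result, 'failure') ||
        contains(needs.*.result, 'cancelled') ||
        contains(needs.*.result, 'skipped')
      run: exit 1
    - run: echo ok
```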
19 changes: 18 additions & 1 deletion .github/workflows/ci-verifiable-build.yml
Expand Up @@ -39,7 +39,14 @@ jobs:
- name: Generate Checksum
run: |
echo "CHECKSUM=$(sha256sum ./target/verifiable/${{ env.APP_NAME }}.so | head -c 64)" >> $GITHUB_ENV
- name: Generate SBOM
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
format: 'cyclonedx'
output: '${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'

- name: Create Release
id: create_release
uses: actions/create-release@v1
Expand All @@ -62,3 +69,13 @@ jobs:
asset_path: ./dex/target/verifiable/${{ env.APP_NAME }}.so
asset_name: ${{ env.APP_NAME }}.so
asset_content_type: application/x-sharedlib

- name: Upload SBOM
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.create_release.outputs.upload_url }}
asset_path: ./dex/${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
asset_name: ${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json
asset_content_type: application/json
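Review bot: The SBOM written by `Generate SBOM` and the file read by `Upload SBOM` may not be the same path: the trivy `output` should resolve relative to the workspace root, because `uses:` steps do not honour a `defaults.run.working-directory`, while `asset_path` points at `./dex/${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json`. The Checksum step's `./target/verifiable/...` versus the release asset's `./dex/target/verifiable/...` suggests the job's default working directory is `./dex`, which would explain the intent; the job header is outside this hunk, so confirm on a tag build and make the two agree, e.g. `output: 'dex/${{ env.APP_NAME }}-${{ github.ref_name }}-sbom.json'` or drop the `./dex/` prefix from `asset_path`. Note also that an `fs` scan yields a CycloneDX SBOM of the checked-out source tree's manifests, not of the built `.so`; a one-line comment above `Generate SBOM` saying `# SBOM describes the source tree's dependency manifests, not the compiled artifact` would save a reader from assuming otherwise, and extending the `Generate Checksum` step to also hash the SBOM would let consumers verify both release assets together.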
52 changes: 0 additions & 52 deletions .github/workflows/test.yml

This file was deleted.

