chore: bump github.com/aquasecurity/trivy from 0.57.1 to 0.58.2 #2186
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: "[Blocking] Build" | |
on: | |
push: | |
branches: | |
- main | |
- release-* | |
tags: | |
- v* | |
paths-ignore: | |
- "**.md" | |
- "website/**" | |
- "docs/**" | |
- "demo/**" | |
pull_request: | |
branches: | |
- main | |
- release-* | |
paths-ignore: | |
- "**.md" | |
- "website/**" | |
- "docs/**" | |
- "demo/**" | |
workflow_dispatch: | |
env: | |
TRIVY_VERSION: 0.56.2 | |
BUILDKIT_VERSION: 0.16.0 | |
jobs: | |
unit-test: | |
name: Unit Test | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
permissions: read-all | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.3.1 | |
with: | |
egress-policy: audit | |
- name: Check out code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: Add containerd-snapshotter to docker daemon | |
run: | | |
echo '{"features": { "containerd-snapshotter": true }}' | sudo tee /etc/docker/daemon.json | |
sudo systemctl restart docker | |
- name: Unit test | |
shell: bash | |
env: | |
CODECOV_OPTS: "-coverprofile=coverage.txt -covermode=atomic" | |
run: make test | |
- name: Upload coverage to Codecov | |
uses: codecov/codecov-action@1e68e06f1dbfde0e4cefc87efeba9e4643565303 # v5.1.2 | |
env: | |
CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }} | |
build: | |
name: Build | |
runs-on: ${{ matrix.os }} | |
timeout-minutes: 5 | |
permissions: | |
packages: write | |
contents: read | |
strategy: | |
matrix: | |
os: [ubuntu-latest] | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.3.1 | |
with: | |
egress-policy: audit | |
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: Build copa | |
shell: bash | |
run: | | |
make build | |
make archive | |
- name: Upload copa to build artifacts | |
uses: actions/upload-artifact@65c4c4a1ddee5b72f698fdd19549f0f0fb45cf08 # v4.6.0 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
path: dist/linux_amd64/release/copa_edge_linux_amd64.tar.gz | |
- name: Load test cases for patch testing | |
id: load-test-envs-matrix | |
shell: bash | |
run: echo "buildkitenvs=$(.github/workflows/scripts/buildkit-env-matrix.sh)" | tee -a "${GITHUB_OUTPUT}" | |
outputs: | |
buildkitenvs: ${{ steps.load-test-envs-matrix.outputs.buildkitenvs }} | |
test-patch-trivy: | |
needs: build | |
name: Test patch with trivy ${{ matrix.buildkit_mode }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
permissions: read-all | |
strategy: | |
fail-fast: false | |
matrix: | |
buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}} | |
steps: | |
- name: Download copa from build artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
- run: docker system prune -a -f --volumes | |
- name: Check out code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: Install required tools | |
shell: bash | |
run: .github/workflows/scripts/download-tooling.sh | |
- name: Download copa from build artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
- name: Extract copa | |
shell: bash | |
run: | | |
tar xzf copa_edge_linux_amd64.tar.gz | |
./copa --version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 | |
- name: Run functional test | |
shell: bash | |
run: | | |
set -eu -o pipefail | |
. .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}} | |
go test -v ./integration --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0 --report-file | |
test-patch-no-report: | |
needs: build | |
name: Test patch no report ${{ matrix.buildkit_mode }} | |
runs-on: ubuntu-latest | |
timeout-minutes: 30 | |
permissions: read-all | |
strategy: | |
fail-fast: false | |
matrix: | |
buildkit_mode: ${{fromJson(needs.build.outputs.buildkitenvs)}} | |
steps: | |
- name: Download copa from build artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
- run: docker system prune -a -f --volumes | |
- name: Check out code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: Install required tools | |
shell: bash | |
run: .github/workflows/scripts/download-tooling.sh | |
- name: Download copa from build artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
- name: Extract copa | |
shell: bash | |
run: | | |
tar xzf copa_edge_linux_amd64.tar.gz | |
./copa --version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 | |
- name: Run functional test | |
shell: bash | |
run: | | |
set -eu -o pipefail | |
. .github/workflows/scripts/buildkitenvs/${{ matrix.buildkit_mode}} | |
go test -v ./integration --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" -timeout 0 | |
test-plugin: | |
needs: build | |
name: Test plugin | |
runs-on: ubuntu-latest | |
timeout-minutes: 5 | |
permissions: read-all | |
steps: | |
- name: Harden Runner | |
uses: step-security/harden-runner@c95a14d0e5bab51a9f56296a4eb0e416910cd350 # v2.3.1 | |
with: | |
egress-policy: audit | |
- name: Check out code | |
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 | |
- uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5.2.0 | |
with: | |
go-version: "1.23" | |
check-latest: true | |
- name: Install scanner-plugin-template | |
shell: bash | |
run: | | |
go install github.com/project-copacetic/scanner-plugin-template@latest | |
mv $(go env GOPATH)/bin/scanner-plugin-template $(go env GOPATH)/bin/copa-fake | |
mv $(go env GOPATH)/bin/copa-fake /usr/local/bin | |
- name: Install required tools | |
shell: bash | |
run: .github/workflows/scripts/download-tooling.sh | |
- name: Download copa from build artifacts | |
uses: actions/download-artifact@fa0a91b85d4f404e444e00e005971372dc801d16 # v4.1.8 | |
with: | |
name: copa_edge_linux_amd64.tar.gz | |
- name: Extract copa | |
shell: bash | |
run: | | |
tar xzf copa_edge_linux_amd64.tar.gz | |
./copa --version | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@53851d14592bedcffcf25ea515637cff71ef929a # v3.3.0 | |
- name: Run e2e tests | |
shell: bash | |
run: | | |
set -eu -o pipefail | |
. .github/workflows/scripts/buildkitenvs/direct/tcp | |
go test -v ./test/e2e --addr="${COPA_BUILDKIT_ADDR}" --copa="$(pwd)/copa" --scanner fake -timeout 0 |