From 2c39d3e1dfcdbb75717a3061b89f1555d1aa4f18 Mon Sep 17 00:00:00 2001
From: Niels Hofmans
Date: Thu, 15 Oct 2020 14:23:26 +0200
Subject: [PATCH 1/3] Delete .whitesource
---
 .whitesource | 8 --------
 1 file changed, 8 deletions(-)
 delete mode 100644 .whitesource
diff --git a/.whitesource b/.whitesource
deleted file mode 100644
index e0aaa3e..0000000
--- a/.whitesource
+++ /dev/null
@@ -1,8 +0,0 @@
-{
- "checkRunSettings": {
- "vulnerableCheckRunConclusionLevel": "failure"
- },
- "issueSettings": {
- "minSeverityLevel": "LOW"
- }
-}
\ No newline at end of file
From 93d1ae0c33d232fed7222287d3d992a27ea6a1fa Mon Sep 17 00:00:00 2001
From: Niels Hofmans
Date: Thu, 15 Oct 2020 14:24:11 +0200
Subject: [PATCH 2/3] Create security.yaml
---
 .github/workflows/security.yaml | 60 +++++++++++++++++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 .github/workflows/security.yaml
diff --git a/.github/workflows/security.yaml b/.github/workflows/security.yaml
new file mode 100644
index 0000000..4bf1ba3
--- /dev/null
+++ b/.github/workflows/security.yaml
@@ -0,0 +1,60 @@
+name: Security
+
+on:
+ push:
+ branches: [master]
+ schedule:
+ - cron: '0 11 * * 2'
+
+jobs:
+ dockerscan:
+ name: Docker Scan
+ runs-on: ubuntu-latest
+ steps:
+ -
+ uses: actions/checkout@v1
+ -
+ name: Set env
+ run: echo ::set-env name=RELEASE_VERSION::$(git describe --tags $(git rev-list --tags --max-count=1))
+ -
+ name: Docker login
+ env:
+ USER: hazcod
+ REGISTRY: docker.pkg.github.com
+ run: echo "${{ secrets.PACKAGE_TOKEN }}" | docker login -u "${USER}" --password-stdin "${REGISTRY}"
+ -
+ name: Docker pull
+ run: docker pull "docker.pkg.github.com/ironpeakservices/iron-debian:${{ env.RELEASE_VERSION }}"
+ -
+ name: Run vulnerability scanner
+ uses: aquasecurity/trivy-action@master
+ with:
+ image-ref: 'docker.pkg.github.com/ironpeakservices/iron-debian:${{ env.RELEASE_VERSION }}'
+ format: 'template'
+ template: '@/contrib/sarif.tpl'
+ output: 'trivy-results.sarif'
+ ignore-unfixed: true
+ severity: 'CRITICAL,HIGH,MEDIUM'
+ -
+ name: Upload Trivy scan results to Security tab
+ uses: github/codeql-action/upload-sarif@v1
+ with:
+ sarif_file: 'trivy-results.sarif'
+
+ goscan:
+ name: Go Scan
+ runs-on: ubuntu-latest
+ steps:
+ -
+ uses: actions/checkout@v2
+ -
+ run: git checkout HEAD^2
+ if: ${{ github.event_name == 'pull_request' }}
+ -
+ name: Initialize CodeQL
+ uses: github/codeql-action/init@v1
+ with:
+ languages: go
+ -
+ name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v1
From 7bb8c1526f7630bc8fe535d1d3b64ae6c1d8fbac Mon Sep 17 00:00:00 2001
From: Niels Hofmans
Date: Thu, 15 Oct 2020 14:25:15 +0200
Subject: [PATCH 3/3] feat(docker): use ghcr
---
 .github/workflows/publish.yaml | 30 ---------------------------
 .github/workflows/release.yaml | 38 ++++++++++++++++++++++++++++++++++
 2 files changed, 38 insertions(+), 30 deletions(-)
 delete mode 100644 .github/workflows/publish.yaml
 create mode 100644 .github/workflows/release.yaml
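Review bot: The `Docker pull` step and the Trivy `image-ref` target `docker.pkg.github.com/ironpeakservices/iron-debian`, while the publish/release workflows elsewhere in this series build and push `ironpeakservices/iron-cockroachdb`, so this job appears to scan another project's image rather than the one this repository produces; the reference should presumably be the iron-cockroachdb image, and its tag should be derived the same way the release workflow derives `steps.version.outputs.version`, since `git describe --tags` on the most recent tag may not match that format. The `Set env` step uses the `::set-env` workflow command, which GitHub deprecated because untrusted output echoed by a step could inject environment variables; write to the environment file instead: `run: echo "RELEASE_VERSION=$(git describe --tags $(git rev-list --tags --max-count=1))" >> "$GITHUB_ENV"`. `aquasecurity/trivy-action@master` follows a moving branch, so a retargeted or compromised branch would run arbitrary code in a job that holds `PACKAGE_TOKEN`; pin it to a release tag or, better, a full commit SHA. The `git checkout HEAD^2` step is guarded by `github.event_name == 'pull_request'`, but `on:` only lists `push` and `schedule`, so that step never runs and can be dropped.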
diff --git a/.github/workflows/publish.yaml b/.github/workflows/publish.yaml
deleted file mode 100644
index baa20c6..0000000
--- a/.github/workflows/publish.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-on:
- push:
- branches:
- - master
-
-name: push image
-jobs:
- dockerpush:
- name: docker build
- runs-on: ubuntu-latest
- steps:
- - uses: actions/checkout@v2.3.3
- - name: extract tag
- id: vars
- run: echo ::set-output name=cdb_version::$(grep '^FROM cockroachdb' Dockerfile | cut -d ' ' -f 2 | cut -d ':' -f 2 | cut -d 'v' -f 2)
- - run: echo "Pushing version ${{ steps.vars.outputs.cdb_version }}"
- - name: Publish to Registry
- uses: elgohr/Publish-Docker-Github-Action@2.22
- with:
- registry: docker.pkg.github.com
- name: "ironpeakservices/iron-cockroachdb/iron-cockroachdb:${{ steps.vars.outputs.cdb_version }}"
- username: hazcod
- password: ${{ secrets.GITHUB_TOKEN }}
- - name: Create GitHub release
- uses: sondreb/action-release@master
- with:
- token: ${{ secrets.GITHUB_TOKEN }}
- draft: false
- prerelease: false
- tag: ${{ steps.vars.outputs.cdb_version }}
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
new file mode 100644
index 0000000..7010e20
--- /dev/null
+++ b/.github/workflows/release.yaml
@@ -0,0 +1,38 @@
+on:
+ push:
+ branches:
+ - master
+
+name: Publish Image
+jobs:
+ dockerpush:
+ name: docker build
+ runs-on: ubuntu-latest
+ steps:
+ -
+ uses: actions/checkout@v2.0.0
+ -
+ uses: go-semantic-release/action@v1
+ id: version
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ -
+ run: echo "Pushing version ${{ steps.version.outputs.version }}"
+ -
+ name: Publish to Registry
+ uses: elgohr/Publish-Docker-Github-Action@2.22
+ with:
+ registry: ghcr.io
+ name: "ghcr.io/ironpeakservices/iron-cockroachdb:${{ steps.version.outputs.version }}"
+ username: hazcod
+ password: ${{ secrets.PACKAGE_TOKEN }}
+ -
+ name: Create GitHub release
+ uses: actions/create-release@v1.1.4
+ with:
+ tag_name: ${{ steps.version.outputs.version }}
+ release_name: iron-cockroachdb
+ draft: false
+ prerelease: false
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
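Review bot: `go-semantic-release/action@v1` receives `GITHUB_TOKEN` and `elgohr/Publish-Docker-Github-Action@2.22` receives `PACKAGE_TOKEN` (a token that can push to ghcr.io), yet both are referenced by mutable tags, so whoever controls those tags can run arbitrary code with write access to this repository's releases and packages; pin each to a full commit SHA and keep the version in a trailing comment, e.g. `uses: elgohr/Publish-Docker-Github-Action@<commit-sha>  # 2.22`. The same applies to `aquasecurity/trivy-action@master` in security.yaml earlier in this series. If `steps.version.outputs.version` is empty — presumably when the commit history warrants no new release — the `name:` under `Publish to Registry` becomes `ghcr.io/ironpeakservices/iron-cockroachdb:` with a bare colon and `tag_name` is empty as well; guarding the publish and release steps with `if: steps.version.outputs.version != ''` would make that case a no-op instead of a failed or mis-tagged push.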