Skip to content

chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 #269

chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0

chore(deps): bump aquasecurity/trivy-action from 0.28.0 to 0.29.0 #269

Workflow file for this run

name: Node CI
on:
push:
branches:
- "**"
tags:
- "v**"
pull_request:
workflow_dispatch:
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
continue-on-error: true
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
package-name:
- "@sofie-prompter-editor/shared-model"
- "@sofie-prompter-editor/shared-lib"
- "@sofie-prompter-editor/apps-backend"
- "@sofie-prompter-editor/apps-client"
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- run: corepack enable
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version-file: ".node-version"
cache: "yarn"
- name: Prepare Environment
run: |
yarn install
yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build
env:
CI: true
- name: Run typecheck and linter
run: |
yarn lerna run --scope ${{ matrix.package-name }} --stream lint
env:
CI: true
test:
name: Test
runs-on: ubuntu-latest
timeout-minutes: 15
strategy:
fail-fast: false
matrix:
package-name:
- "@sofie-prompter-editor/shared-model"
- "@sofie-prompter-editor/shared-lib"
- "@sofie-prompter-editor/apps-backend"
- "@sofie-prompter-editor/apps-client"
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- run: corepack enable
- name: Use Node.js
uses: actions/setup-node@v4
with:
node-version-file: ".node-version"
cache: "yarn"
- name: Prepare Environment
run: |
yarn install
yarn lerna run --scope ${{ matrix.package-name }} --include-dependencies --stream build
env:
CI: true
- name: Run tests
run: |
yarn lerna run --scope ${{ matrix.package-name }} --stream test
env:
CI: true
build-docker-image:
name: Build docker image
runs-on: ubuntu-latest
timeout-minutes: 30
steps:
- uses: actions/checkout@v4
with:
persist-credentials: false
- name: Determine if images should be published to DockerHub
id: dockerhub
run: |
# HACK: Never publish to dockerhub for now
# check if a release branch, or main, or a tag
# if [[ "${{ github.ref }}" =~ ^refs/heads/release([0-9]+)$ || "${{ github.ref }}" == "refs/heads/main" || "${{ github.ref }}" == "refs/tags/*" ]]
# then
# DOCKERHUB_PUBLISH="1"
# else
DOCKERHUB_PUBLISH="0"
# fi
# debug output
echo "dockerhub-publish $DOCKERHUB_PUBLISH"
echo "dockerhub-publish=$DOCKERHUB_PUBLISH" >> $GITHUB_OUTPUT
- name: Check if push to GHCR is enabled
id: check-ghcr
env:
GHCR_ENABLED: ${{ vars.GHCR_ENABLED }}
run: |
echo "Enable push to GHCR: ${{ env.GHCR_ENABLED != '' }}"
echo "enable=${{ env.GHCR_ENABLED != '' }}" >> $GITHUB_OUTPUT
- name: Check if there is access to repo secrets (needed for build and push)
if: steps.dockerhub.outputs.dockerhub-publish == '1' || steps.check-ghcr.outputs.enable == 'true'
id: check-build-and-push
env:
SECRET_ACCESS: ${{ secrets.GITHUB_TOKEN }}
run: |
echo "Enable build and push: ${{ env.SECRET_ACCESS != '' }}"
echo "enable=${{ env.SECRET_ACCESS != '' }}" >> $GITHUB_OUTPUT
- name: Get the Docker tag for GHCR
id: ghcr-tag
if: steps.check-ghcr.outputs.enable == 'true'
uses: docker/metadata-action@v5
with:
images: |
ghcr.io/${{ github.repository }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}
- name: Get the Docker tag for DockerHub
id: dockerhub-tag
if: steps.check-build-and-push.outputs.enable == 'true'
uses: docker/metadata-action@v5
with:
images: |
${{ secrets.DOCKERHUB_IMAGE_PREFIX }}
tags: |
type=schedule
type=ref,event=branch
type=ref,event=tag
type=raw,value=latest,enable={{is_default_branch}}
- name: Use Node.js
uses: actions/setup-node@v4
if: steps.check-build-and-push.outputs.enable == 'true'
with:
node-version-file: ".node-version"
- name: Set up Docker Buildx
if: steps.check-build-and-push.outputs.enable == 'true'
uses: docker/setup-buildx-action@v3
- name: Login to DockerHub
if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
uses: docker/login-action@v3
with:
username: ${{ secrets.DOCKERHUB_USERNAME }}
password: ${{ secrets.DOCKERHUB_TOKEN }}
- name: Login to GitHub Container Registry
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true'
uses: docker/login-action@v3
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Build and push to GHCR
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
uses: docker/build-push-action@v6
with:
push: true
provenance: false
labels: ${{ steps.ghcr-tag.outputs.labels }}
tags: "${{ steps.ghcr-tag.outputs.tags }}"
- name: Build and push to DockerHub
if: steps.check-build-and-push.outputs.enable == 'true' && steps.dockerhub.outputs.dockerhub-publish == '1'
uses: docker/build-push-action@v6
with:
push: true
provenance: false
labels: ${{ steps.dockerhub-tag.outputs.labels }}
tags: "${{ steps.dockerhub-tag.outputs.tags }}"
- name: Get image for Trivy scanning
id: trivy-image
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
run: |
image=$(echo ${{ steps.ghcr-tag.outputs.tags }} | head -n 1)
echo "image=$image" >> $GITHUB_OUTPUT
- name: Trivy scanning
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
uses: aquasecurity/trivy-action@0.29.0
with:
image-ref: "${{ steps.trivy-image.outputs.image }}"
format: "table"
output: trivy-scan-result.txt
ignore-unfixed: true
severity: "CRITICAL,HIGH"
- name: Post all Trivy scan results to Github Summary as a table
if: steps.check-build-and-push.outputs.enable == 'true' && steps.check-ghcr.outputs.enable == 'true' && steps.ghcr-tag.outputs.tags != 0
env:
CODE_BLOCK: "```"
run: |
echo "# Trivy scan results" >> $GITHUB_STEP_SUMMARY
echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY
cat trivy-scan-result.txt >> $GITHUB_STEP_SUMMARY
echo $CODE_BLOCK >> $GITHUB_STEP_SUMMARY