Skip to content

fix: Security fixes/dependency updates #4457

fix: Security fixes/dependency updates

fix: Security fixes/dependency updates #4457

Workflow file for this run

name: Plural UI
on:
push:
branches:
- master
- "renovate/frontend/*"
pull_request:
branches:
- "**"
jobs:
build:
name: Build image
runs-on: ubuntu-20.04
permissions:
contents: 'read'
id-token: 'write'
packages: 'write'
security-events: write
actions: read
steps:
- uses: actions/checkout@v3
- name: Docker meta
id: meta
uses: docker/metadata-action@v4
with:
# list of Docker images to use as base name for tags
images: |
ghcr.io/pluralsh/plural-www
# generate Docker tags based on the following events/attributes
tags: |
type=sha
type=ref,event=pr
type=ref,event=branch
- name: Set up QEMU
uses: docker/setup-qemu-action@v2
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v2
- name: Login to GHCR
uses: docker/login-action@v2
with:
registry: ghcr.io
username: ${{ github.repository_owner }}
password: ${{ secrets.GITHUB_TOKEN }}
- uses: docker/build-push-action@v3
with:
context: ./www
file: ./www/Dockerfile
push: true
load: false
tags: ${{ steps.meta.outputs.tags }}
labels: ${{ steps.meta.outputs.labels }}
platforms: linux/amd64
cache-from: type=gha
cache-to: type=gha,mode=max
- name: Run Trivy vulnerability scanner on frontend image
uses: aquasecurity/trivy-action@master
with:
scan-type: 'image'
image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }}
hide-progress: false
format: 'sarif'
output: 'trivy-results.sarif'
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
trivy-scan:
name: Trivy fs scan
runs-on: ubuntu-20.04
permissions:
contents: read # for actions/checkout to fetch code
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
actions: read # only required for a private repository by github/codeql-action/upload-sarif to get the Action run status
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Run Trivy vulnerability scanner in fs mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
hide-progress: false
skip-dirs: '.github,.stoat,apps,bin,config,plural,rel,testdata'
format: 'sarif'
output: 'trivy-results.sarif'
security-checks: 'vuln,secret'
ignore-unfixed: true
#severity: 'CRITICAL,HIGH'
# env:
# TRIVY_SKIP_DB_UPDATE: true
# TRIVY_SKIP_JAVA_DB_UPDATE: true
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
test:
name: Unit test
runs-on: ubuntu-20.04
defaults:
run:
shell: bash
working-directory: www
steps:
- name: 'Checkout'
uses: actions/checkout@v3
- name: Read Node.js version from package.json
run: echo ::set-output name=nodeVersion::$(node -p "require('./package.json').engines.node")
id: engines
- name: 'Setup Node'
uses: actions/setup-node@v3
with:
node-version: ${{ steps.engines.outputs.nodeVersion }}
- run: yarn --immutable
- run: yarn test
lint:
name: Lint
runs-on: ubuntu-20.04
defaults:
run:
shell: bash
working-directory: www
steps:
- name: 'Checkout'
uses: actions/checkout@v3
- name: Read Node.js version from package.json
run: echo ::set-output name=nodeVersion::$(node -p "require('./package.json').engines.node")
id: engines
- name: 'Setup Node'
uses: actions/setup-node@v3
with:
node-version: ${{ steps.engines.outputs.nodeVersion }}
- run: yarn --immutable
- run: yarn lint
# e2e:
# name: End-to-end test
# runs-on: ubuntu-20.04
# env:
# CYPRESS_EMAIL: ${{ secrets.CYPRESS_EMAIL }}
# CYPRESS_PASSWORD: ${{ secrets.CYPRESS_PASSWORD }}
# defaults:
# run:
# shell: bash
# working-directory: www
# steps:
# - name: 'Checkout'
# uses: actions/checkout@v3
# - name: Read Node.js version from package.json
# run: echo ::set-output name=nodeVersion::$(node -p "require('./package.json').engines.node")
# id: engines
# - name: 'Setup Node'
# uses: actions/setup-node@v3
# with:
# node-version: ${{ steps.engines.outputs.nodeVersion }}
# - run: yarn # Should run the --immutable in the CI by default
# - run: cd e2e && yarn
# - run: yarn e2e
# - uses: 8398a7/action-slack@v3
# if: failure()
# with:
# status: ${{ job.status }}
# fields: workflow,repo,commit,author,pullRequest
# env:
# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_CYPRESS_WEBHOOK }}
# - name: Upload Screenshots and Videos to Slack
# if: failure()
# uses: trymbill/[email protected]
# with:
# token: ${{ secrets.SLACK_CYPRESS_TOKEN }}
# workdir: www/e2e/cypress
# channels: cypress-artifacts
# message-text: "See the attached videos and screenshots for more information."