Skip to content

golang and docker workflows: Update trivy configuration to last github action version #1010

golang and docker workflows: Update trivy configuration to last github action version

golang and docker workflows: Update trivy configuration to last github action version #1010

Workflow file for this run

# Copyright 2024 Zaphiro Technologies
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
name: Release
on:
push:
tags:
- '*'
pull_request_review:
pull_request:
types:
- labeled
- unlabeled
- edited
- synchronize
branches:
- main
release:
types:
- published
workflow_call:
inputs:
config-release-path:
required: false
default: '.github/config/release-config.json'
type: string
skip-sbom:
required: false
default: false
type: boolean
description: True to skip sbom exec
concurrency:
group: ${{ github.ref_name }}-release
cancel-in-progress: true
permissions:
# Give the default GITHUB_TOKEN write permission to commit and push the
# updated CHANGELOG back to the repository.
# https://github.blog/changelog/2023-02-02-github-actions-updating-the-default-github_token-permissions-to-read-only/
contents: write
pull-requests: write
jobs:
check_reviews:
runs-on: ubuntu-latest
outputs:
reviews: ${{ steps.reviews.outputs.state }}
steps:
- name: PR approval check
if: ${{ github.event_name == 'pull_request' }}
id: reviews
env:
pr: ${{ github.event.number }}
GH_TOKEN: ${{ github.token }}
run: |
state=$(gh pr view "$pr" \
--repo "$GITHUB_REPOSITORY" \
--json reviewDecision \
--jq '.reviewDecision')
echo "state=$state" >> "$GITHUB_OUTPUT"
release_notes:
needs: check_reviews
name: Release Notes
runs-on: ubuntu-latest
if: ${{ ( github.event_name == 'pull_request' && needs.check_reviews.outputs.reviews == 'APPROVED') || github.event.review.state == 'approved' || startsWith(github.ref, 'refs/tags/') }}
steps:
- uses: actions/checkout@v4
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.REPO_PAT }}
fetch-depth: 0
- name: 'Get Previous tag'
id: previoustag
uses: "WyriHaximus/github-action-get-previous-tag@v1"
with:
fallback: 0.0.0 # Optional fallback tag to use when no tag can be found
- name: 'Get next minor version'
id: semvers
uses: "WyriHaximus/github-action-next-semvers@v1"
with:
version: ${{ steps.previoustag.outputs.tag }}
- name: Select configuration
if: ${{ github.event_name == ' workflow_call' }}
run: echo "CONFIGURATION=${{ inputs.config-release-path }}" >> $GITHUB_ENV
- name: Select configuration
if: ${{ github.event_name != ' workflow_call' }}
run: echo "CONFIGURATION='.github/config/release-config.json'" >> $GITHUB_ENV
- name: Get Pull Request Number
if: ${{ github.event.review.state == 'approved' }}
run: echo "PULL_NUMBER=$(echo "$GITHUB_REF" | awk -F / '{print $3}')" >> $GITHUB_ENV
shell: bash
- name: "Update changelog config"
id: update_changelog_config
env:
PR: ${{ github.event.review.state == 'approved' && env.PULL_NUMBER || github.event.number }}
run : |
jq --arg match "myPR" \
--arg replace "$PR" \
'walk(if . == $match then $replace else . end)' < ${{ env.CONFIGURATION }} > .github/config/release-config-temp.json
more .github/config/release-config-temp.json
- name: "Build Changelog"
id: build_changelog_1
uses: mikepenz/release-changelog-builder-action@v5
if: ${{ steps.previoustag.outputs.tag != '0.0.0' }}
with:
configuration: '.github/config/release-config-temp.json'
failOnError: true
includeOpen: true
fromTag: ${{ steps.previoustag.outputs.tag }}
toTag: ${{ github.sha }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: "Build Changelog"
id: build_changelog_2
uses: mikepenz/release-changelog-builder-action@v5
if: ${{ steps.previoustag.outputs.tag == '0.0.0' }}
with:
configuration: '.github/config/release-config-temp.json'
failOnError: true
includeOpen: true
toTag: ${{ github.sha }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Clean log
if: ${{ startsWith(github.ref, 'refs/tags/') == false }}
run: |
if [ -f "RELEASE_NOTES.md" ]; then
# more RELEASE_NOTES.md
export line_start=$(grep -m1 -n "## ${{ steps.semvers.outputs.patch }}" RELEASE_NOTES.md | head -n1 |sed 's/:.*//')
# echo $line_start
export line_end=$(grep -m2 -n "^## " RELEASE_NOTES.md | head -2 | tail -1 | sed 's/:.*//')
# echo $line_end
if [[ $line_end -eq $line_start ]] || [[ -z "${line_end}" ]]; then export line_end=$(wc -l < RELEASE_NOTES.md); else export line_end=$(echo $line_end-1 | bc); fi
# echo $line_end
export PATTERN=${line_start},${line_end}d
# echo $PATTERN
if [[ -z "${line_start}" ]]; then echo "Empty"; else sed -i -e $PATTERN RELEASE_NOTES.md; fi
echo "cleaned release note:"
more RELEASE_NOTES.md
rm .github/config/release-config-temp.json
else
echo -en "# ${GITHUB_REPOSITORY#*/} Release Notes\n" > RELEASE_NOTES.md
fi
- name: Clean log
if: ${{ startsWith(github.ref, 'refs/tags/') }}
run: |
if [ -f "RELEASE_NOTES.md" ]; then
more RELEASE_NOTES.md
TAG=${{ steps.previoustag.outputs.tag }}
echo "VERSION=${TAG#v}"
export SEARCH=$VERSION-dev
export REPLACE=$VERSION
sed -i "s/$SEARCH/$REPLACE/g" RELEASE_NOTES.md
echo "cleaned release note:"
more RELEASE_NOTES.md
rm .github/config/release-config-temp.json
else
echo -en "# ${GITHUB_REPOSITORY#*/} Release Notes\n" > RELEASE_NOTES.md
fi
- name: Update Changelog (tag)
uses: stefanzweifel/changelog-updater-action@v1
if: ${{ steps.previoustag.outputs.tag != '0.0.0' }}
with:
latest-version: ${{ steps.semvers.outputs.patch }}-dev
release-notes: ${{ steps.build_changelog_1.outputs.changelog }}
path-to-changelog: RELEASE_NOTES.md
- name: Update Changelog (no tag)
uses: stefanzweifel/changelog-updater-action@v1
if: ${{ steps.previoustag.outputs.tag == '0.0.0' }}
with:
latest-version: ${{ steps.semvers.outputs.patch }}-dev
release-notes: ${{ steps.build_changelog_2.outputs.changelog }}
path-to-changelog: RELEASE_NOTES.md
- name: Prettify RELEASE_NOTES.md
uses: zaphiro-technologies/prettier_action@main
with:
prettier_options: --prose-wrap always --write RELEASE_NOTES.md
dry: true
dry_no_fail: true
- name: Commit updated CHANGELOG
if: startsWith(github.ref, 'refs/tags/') == false
uses: stefanzweifel/git-auto-commit-action@v5
with:
branch: ${{github.event.pull_request.head.ref}}
commit_message: 'docs(release_notes): update RELEASE_NOTES.md [dependabot skip]'
file_pattern: RELEASE_NOTES.md
- name: Commit updated CHANGELOG
if: startsWith(github.ref, 'refs/tags/')
uses: stefanzweifel/git-auto-commit-action@v5
with:
branch: main
commit_message: 'docs(release_notes): update RELEASE_NOTES.md'
file_pattern: RELEASE_NOTES.md
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- if: ${{ ! inputs.skip-sbom || inputs.skip-sbom == '' }}
name: Generate SBOM
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: '.'
format: 'cyclonedx'
output: 'cyclonedx-sbom.json'
- if: ${{ ! inputs.skip-sbom || inputs.skip-sbom == '' }}
name: Upload SBOM as a Github artifact
uses: actions/upload-artifact@v4
with:
name: trivy-sbom-report
path: '${{ github.workspace }}/cyclonedx-sbom.json'
retention-days: 20 # 90 is the default
release:
name: Release
if: startsWith(github.ref, 'refs/tags/')
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Select configuration
if: ${{ github.event_name == ' workflow_call' }}
run: echo "CONFIGURATION=${{ inputs.config-release-path }}" >> $GITHUB_ENV
- name: Select configuration
if: ${{ github.event_name != ' workflow_call' }}
run: echo "CONFIGURATION=.github/config/release-config.json" >> $GITHUB_ENV
- name: "Build Changelog"
id: github_release
uses: mikepenz/release-changelog-builder-action@v5
with:
configuration: ${{env.CONFIGURATION}}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Create Release
uses: mikepenz/action-gh-release@v1
with:
body: ${{steps.github_release.outputs.changelog}}
prerelease: ${{ contains(github.ref, '-rc') || contains(github.ref, '-b') || contains(github.ref, '-a') }}
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
release-sbom:
name: Release SBOM
if: ${{ github.event_name == 'release' && (! inputs.skip-sbom || inputs.skip-sbom == '') }}
runs-on: ubuntu-latest
steps:
- name: Generate SBOM
uses: aquasecurity/trivy-action@master
with:
scan-type: fs
scan-ref: '.'
format: 'cyclonedx'
output: 'cyclonedx-sbom.json'
- name: Get Release
id: release
uses: bruceadams/[email protected]
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Attach SBOM to Release
uses: actions/upload-release-asset@v1
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
with:
upload_url: ${{ steps.release.outputs.upload_url }}
asset_path: cyclonedx-sbom.json
asset_name: 'cyclonedx-sbom.json'
asset_content_type: application/json