This repository has been archived by the owner on Aug 25, 2023. It is now read-only.
Bump com.google.guava:guava from 31.0.1-jre to 32.1.2-jre #643
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| name: Build and test spark image | |
| on: | |
| pull_request: | |
| types: [opened, ready_for_review, reopened, synchronize] | |
| push: | |
| branches: | |
| - master | |
| tags: | |
| - v* | |
| permissions: | |
| actions: read | |
| contents: read | |
| security-events: write | |
| jobs: | |
| build: | |
| runs-on: ubuntu-latest | |
| env: | |
| # list of Docker images to use as base name for tags | |
| IMAGE_REPO: quay.io/basisai/workload-standard | |
| outputs: | |
| image-tags: ${{ env.IMAGE_REPO }}:${{ steps.docker_meta.outputs.version }} | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Docker meta | |
| id: docker_meta | |
| uses: docker/metadata-action@v3 | |
| with: | |
| images: ${{ env.IMAGE_REPO }} | |
| - name: Set up QEMU | |
| uses: docker/setup-qemu-action@v1 | |
| - name: Set up Docker Context for Buildx | |
| id: buildx-context | |
| run: | | |
| docker context create builders | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| endpoint: builders | |
| - name: Cache Docker layers | |
| uses: actions/cache@v2 | |
| with: | |
| path: /tmp/.buildx-cache | |
| key: ${{ runner.os }}-buildx-${{ github.sha }} | |
| restore-keys: | | |
| ${{ runner.os }}-buildx- | |
| - name: Login to Quay | |
| if: github.event_name != 'pull_request' | |
| uses: docker/login-action@v1 | |
| with: | |
| registry: quay.io | |
| username: ${{ secrets.DOCKER_USERNAME }} | |
| password: ${{ secrets.DOCKER_PASSWORD }} | |
| - name: Build and push | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| # platforms: linux/amd64,linux/arm64,linux/386 | |
| tags: ${{ steps.docker_meta.outputs.tags }} | |
| labels: ${{ steps.docker_meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| outputs: type=docker,dest=/tmp/workload-standard-${{ github.sha }}.tar | |
| - name: Build and push | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: docker/build-push-action@v2 | |
| with: | |
| context: . | |
| file: ./Dockerfile | |
| # platforms: linux/amd64,linux/arm64,linux/386 | |
| push: true | |
| tags: ${{ steps.docker_meta.outputs.tags }} | |
| labels: ${{ steps.docker_meta.outputs.labels }} | |
| cache-from: type=local,src=/tmp/.buildx-cache | |
| cache-to: type=local,dest=/tmp/.buildx-cache | |
| - name: Upload artifact | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/upload-artifact@v2 | |
| with: | |
| name: docker-image | |
| path: /tmp/workload-standard-${{ github.sha }}.tar | |
| retention-days: 1 | |
| scan: | |
| runs-on: ubuntu-latest | |
| needs: build | |
| strategy: | |
| matrix: | |
| include: | |
| - severity: "MEDIUM,HIGH" | |
| exit-code: "0" | |
| - severity: "CRITICAL" | |
| exit-code: "1" | |
| steps: | |
| - name: Checkout code | |
| uses: actions/checkout@v2 | |
| - name: Set up Docker Context for Buildx | |
| id: buildx-context | |
| run: | | |
| docker context create builders | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v2 | |
| with: | |
| endpoint: builders | |
| - name: Download artifact | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: actions/download-artifact@v2 | |
| with: | |
| name: docker-image | |
| path: tmp | |
| # Ignore the CVE-2019-17571 about log4j version 1 until Spark 3.3 releases with log4j version 2 | |
| - name: Generate .trivyignore | |
| run: echo "CVE-2019-17571" > .trivyignore | |
| - name: Run Trivy vulnerability scanner for ${{ matrix.severity }} severity | |
| if: ${{ github.event_name == 'pull_request' }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| input: tmp/workload-standard-${{ github.sha }}.tar | |
| format: 'table' | |
| exit-code: ${{ matrix.exit-code }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: ${{ matrix.severity }} | |
| continue-on-error: true | |
| - name: Run Trivy vulnerability scanner for ${{ matrix.severity }} severity | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: aquasecurity/trivy-action@master | |
| with: | |
| image-ref: ${{ needs.build.outputs.image-tags }} | |
| format: 'sarif' | |
| output: 'trivy-results-${{ matrix.severity }}.sarif' | |
| exit-code: ${{ matrix.exit-code }} | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: ${{ matrix.severity }} | |
| continue-on-error: true | |
| - name: Upload Trivy scan results to GitHub Security tab | |
| if: ${{ github.event_name != 'pull_request' }} | |
| uses: github/codeql-action/upload-sarif@v2 | |
| with: | |
| sarif_file: 'trivy-results-${{ matrix.severity }}.sarif' |