Adding workflows
carmithersh committed May 21, 2024
1 parent 328db83 commit feaadb0
Showing 4 changed files with 425 additions and 0 deletions.
126 changes: 126 additions & 0 deletions .github/workflows/build-publish.yml
@@ -0,0 +1,126 @@
name: Build-publish-scan
on:
push:
branches:

permissions:
actions: read # for detecting the Github Actions environment.
id-token: write # for creating OIDC tokens for signing.
packages: write # for uploading attestations.
contents: read
jobs:
build-publish-python:
runs-on: ubuntu-latest
env:
DOCKER_REPO: 'testing-docker-local'
IMAGE_NAME: 'carmit-testing:6'
JF_PROJECT: carmit-prj-1
JF_URL: https://${{ vars.JF_URL }}/
outputs:
image: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
digest: ${{ steps.build.outputs.digest }}
steps:
# Setup Go
- name: Setup Go
uses: actions/setup-go@v5
with:
go-version: 1.22.x
cache: false

# Build the specific CLI branch
- name: Checkout code
uses: actions/checkout@v4
with:
repository: "eyaldelarea/jfrog-cli"
ref: "job_summaries"

- name: Build current CLI
run: go build .

# Use the specific setup-cli branch
- uses: eyaldelarea/setup-jfrog-cli@cleanUpSummaries
name: Setup JFrog CLI
id: setup-cli
env:
JF_URL: https://${{ vars.JF_URL }}/
with:
oidc-provider-name: github-carmit-project-1

- name: check filesystem 1
run: |
mv ./jfrog-cli /tmp/
- name: Checkout the repository
uses: actions/checkout@v4


- name: configure jfrog environment
run: |
/tmp/jfrog-cli pip-config --repo-resolve=python-virtual
- name: configure environment
run: |
python3 -m pip install --upgrade pip setuptools wheel sigstore
wheel -h
pip show setuptools
echo $VIRTUAL_ENV
- name: build project
run: |
/tmp/jfrog-cli pip install -r requirements.txt --module=jfrog-python-example
python setup.py sdist bdist_wheel
cd dist && echo "hashes=$(sha256sum * | base64 -w0)" >> $GITHUB_OUTPUT
- name: publish python package
run: |
/tmp/jfrog-cli rt u dist/ python-virtual/example-projects/ --module=jfrog-python-example
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3

- name: Authenticate Docker
uses: docker/login-action@v3
with:
registry: ${{ vars.JF_URL }}
username: ${{ steps.setup-cli.outputs.oidc-user }}
password: ${{ steps.setup-cli.outputs.oidc-token }}


- name: Build Docker image
uses: docker/build-push-action@v5
id: build
with:
push: true
platforms: linux/amd64 #, linux/arm64
tags: ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}


- name: docker scan
run: |
/tmp/jfrog-cli docker pull ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
/tmp/jfrog-cli docker scan ${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}
- name: add docker package to build
run: |
echo "${{ vars.JF_URL }}/${{ env.DOCKER_REPO }}/${{ env.IMAGE_NAME }}@${{ steps.build.outputs.digest }}" > metadata.json
/tmp/jfrog-cli rt build-docker-create ${{ env.DOCKER_REPO }} --image-file metadata.json
- name: publish build info
run: |
/tmp/jfrog-cli rt bce
/tmp/jfrog-cli rt bp
- name: build scan
run: |
/tmp/jfrog-cli build-scan --fail=false
provenance:
needs: [build-publish-python]
uses: slsa-framework/slsa-github-generator/.github/workflows/generator_container_slsa3.yml@v1.10.0
with:
image: ${{ needs.build-publish-python.outputs.image }}
digest: ${{ needs.build-publish-python.outputs.digest }}
private-repository: true
secrets:
registry-username: ${{ vars.JF_DOCKER_USER }}
registry-password: ${{ secrets.JF_DOCKER_TOKEN }}
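Review bot: The checkout at `repository: "eyaldelarea/jfrog-cli"` with `ref: "job_summaries"` and the action `uses: eyaldelarea/setup-jfrog-cli@cleanUpSummaries` pull code from a personal fork at mutable branch names, and that code then runs with the job's `id-token: write` and `packages: write` grants and is handed the OIDC user/token, so anyone who can push to those branches can change what executes here without touching this repository. Pin both to a full commit SHA (`ref: "<commit-sha>"` and `@<commit-sha>`, keeping the branch or tag in a trailing comment); the same applies to `jfrog/frogbot@v2` in frogbot-scan-repo.yml and, less urgently, to the `@v3`/`@v4`/`@v5` major tags of the official actions. Separately, the `build project` step writes `hashes=...` to `$GITHUB_OUTPUT` but has no `id:`, so that output cannot be referenced by any later step or by the job's `outputs:`; either give the step an `id:` or drop the line. The `branches:` entry under `on.push` also shows no value in this rendering, which would make the filter null rather than a branch list — likely a line lost in the page rather than the file, but worth confirming.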
142 changes: 142 additions & 0 deletions .github/workflows/frogbot-scan-repo.yml
@@ -0,0 +1,142 @@
name: "Frogbot Scan Repository"
on:
workflow_dispatch:
schedule:
# The repository will be scanned once a day at 00:00 GMT.
- cron: "0 0 * * *"
permissions:
contents: write
pull-requests: write
security-events: write
jobs:
scan-repository:
runs-on: ubuntu-latest
strategy:
matrix:
# The repository scanning will be triggered periodically on the following branches.
branch: ["main"]
steps:
- uses: jfrog/frogbot@v2
env:
# [Mandatory]
# JFrog platform URL
JF_URL: ${{ vars.JF_URL }}

# [Mandatory if JF_USER and JF_PASSWORD are not provided]
# JFrog access token with 'read' permissions on Xray service
JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog username with 'read' permissions for Xray. Must be provided with JF_PASSWORD
# JF_USER: ${{ secrets.JF_USER }}

# [Mandatory if JF_ACCESS_TOKEN is not provided]
# JFrog password. Must be provided with JF_USER
# JF_PASSWORD: ${{ secrets.JF_PASSWORD }}

# [Mandatory]
# The GitHub token is automatically generated for the job
JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

# [Mandatory]
# The name of the branch on which Frogbot will perform the scan
JF_GIT_BASE_BRANCH: ${{ matrix.branch }}

# [Optional, default: https://api.github.com]
# API endpoint to GitHub
# JF_GIT_API_ENDPOINT: https://github.example.com

# [Optional]
# By default, the Frogbot workflows download the Frogbot executable as well as other tools
# needed from https://releases.jfrog.io
# If the machine that runs Frogbot has no access to the internet, follow these steps to allow the
# executable to be downloaded from an Artifactory instance, which the machine has access to:
#
# 1. Login to the Artifactory UI, with a user who has admin credentials.
# 2. Create a Remote Repository with the following properties set.
# Under the 'Basic' tab:
# Package Type: Generic
# URL: https://releases.jfrog.io
# Under the 'Advanced' tab:
# Uncheck the 'Store Artifacts Locally' option
# 3. Set the value of the 'JF_RELEASES_REPO' variable with the Repository Key you created.
# JF_RELEASES_REPO: ""

##########################################################################
## If your project uses a 'frogbot-config.yml' file, you can define ##
## the following variables inside the file, instead of here. ##
##########################################################################

# [Optional, default: "."]
# Relative path to the root of the project in the Git repository. If left empty (without providing "." yourself as default), a recursive scan is triggered from the root directory of the project.
# JF_WORKING_DIR: path/to/project/dir

# [Default: "*git*;*node_modules*;*target*;*venv*;*test*"]
# List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
# JF_PATH_EXCLUSIONS: "*git*;*node_modules*;*target*;*venv*;*test*"

# [Optional]
# Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
# JF_WATCHES: <watch-1>,<watch-2>...<watch-n>

# [Optional]
# JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
JF_PROJECT: carmit-prj-1

# [Optional, default: "TRUE"]
# Fails the Frogbot task if any security issue is found.
JF_FAIL: "FALSE"

# [Optional]
# Frogbot will download the project dependencies, if they're not cached locally. To download the
# dependencies from a virtual repository in Artifactory, set the name of the repository. There's no
# need to set this value, if it is set in the frogbot-config.yml file.
# JF_DEPS_REPO: ""

# [Optional]
# Template for the branch name generated by Frogbot when creating pull requests with fixes.
# The template must include {BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
# The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
# JF_BRANCH_NAME_TEMPLATE: "frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}"

# [Optional]
# Template for the commit message generated by Frogbot when creating pull requests with fixes
# The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
# JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}"

# [Optional]
# Template for the pull request title generated by Frogbot when creating pull requests with fixes.
# The template can optionally include the {IMPACTED_PACKAGE} and {FIX_VERSION} variables.
# JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}"

# [Optional, Default: "FALSE"]
# If TRUE, Frogbot creates a single pull request with all the fixes.
# If FALSE, Frogbot creates a separate pull request for each fix.
# JF_GIT_AGGREGATE_FIXES: "FALSE"

# [Optional, Default: "FALSE"]
# Handle vulnerabilities with fix versions only
# JF_FIXABLE_ONLY: "TRUE"

# [Optional]
# Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
# The following values are accepted: Low, Medium, High or Critical
# JF_MIN_SEVERITY: ""

# [Optional, Default: eco-system+frogbot@jfrog.com]
# Set the email of the commit author
# JF_GIT_EMAIL_AUTHOR: ""

# [Optional]
# Set the list of allowed licenses
# The full list of licenses can be found in:
# https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
# JF_ALLOWED_LICENSES: "MIT, Apache-2.0"

# [Optional]
# Avoid adding extra info to pull request comments. that isn't related to the scan findings.
# JF_AVOID_EXTRA_MESSAGES: "TRUE"

# [Optional]
# Add a title to pull request comments generated by Frogbot.
# JF_PR_COMMENT_TITLE: ""
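Review bot: `JF_URL: ${{ vars.JF_URL }}` passes the repository variable as-is, while build-publish.yml in this same commit builds `JF_URL: https://${{ vars.JF_URL }}/` and uses the bare value as a Docker `registry:`, which implies `vars.JF_URL` holds a host name without a scheme; the comment above this line says Frogbot expects the platform URL, so one of the two files is presumably wrong and this one would then fail to reach the platform. Align them, e.g. `JF_URL: https://${{ vars.JF_URL }}/` here as well, or store the full URL in the variable and adjust the other workflow. The job also grants `contents: write` and `pull-requests: write` to a scheduled run that executes a third-party action with `JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}`; that is what Frogbot needs to open fix PRs, but a one-line comment above `permissions:` such as `# write scopes are required for Frogbot to open fix PRs and upload code-scanning results` would record why write scope is granted so it is not widened further by accident.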

0 comments on commit feaadb0
