Bump github/codeql-action from 2.22.5 to 2.22.7 #51
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
--- | |
# Workflow syntax for GitHub Actions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions | |
# Build Application and Upload Container Image to Docker Hub | |
name: Build and Scan Image | |
# Events: https://docs.github.com/en/actions/using-workflows/events-that-trigger-workflows | |
on: | |
# Run workflow on push except for ignored branches and paths | |
push: | |
# Secrets aren't available for dependabot on push. https://docs.github.com/en/enterprise-cloud@latest/code-security/code-scanning/automatically-scanning-your-code-for-vulnerabilities-and-errors/troubleshooting-the-codeql-workflow#error-403-resource-not-accessible-by-integration-when-using-dependabot | |
branches-ignore: | |
# - 'dependabot/**' | |
- 'cherry-pick-*' | |
paths-ignore: | |
- '**.md' # Ignore documentation changes | |
- '.github/**(!build.yml)' # Ignore other workflow changes | |
# Run workflow on pull request | |
pull_request: # By default, a workflow only runs when a pull_request event's activity type is opened, synchronize, or reopened | |
# Allow user to manually trigger Workflow execution | |
workflow_dispatch: | |
# Set Workflow-level permissions: https://docs.github.com/en/actions/using-jobs/assigning-permissions-to-jobs | |
permissions: | |
contents: read | |
# Run a single job at a time: https://docs.github.com/en/actions/using-jobs/using-concurrency | |
concurrency: | |
group: ${{ github.workflow }}-${{ github.ref }} | |
cancel-in-progress: true | |
jobs: | |
unit-test: | |
# Run job when not triggered by a merge | |
if: (github.event_name == 'push' && contains(toJSON(github.event.head_commit.message), 'Merge pull request ') == false) || (github.event_name != 'push') | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
# Cache NPM dependencies | |
- name: Cache NPM dependencies | |
id: cache | |
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions | |
with: | |
path: | | |
node_modules | |
key: npm-${{ hashFiles('package-lock.json') }} | |
# Install NPM dependencies | |
- name: Install NPM dependencies | |
run: npm ci | |
- name: Run tests | |
run: npm run test | |
build: | |
needs: unit-test | |
runs-on: ubuntu-latest | |
environment: docker-hub # Use `docker-hub` repository environment | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 # https://github.com/marketplace/actions/docker-setup-build | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login | |
with: | |
registry: ${{ vars.DOCKER_REGISTRY_URL }} | |
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
- name: Docker Build and Push | |
uses: docker/build-push-action@v5 # https://github.com/marketplace/actions/build-and-push-docker-images | |
with: | |
context: . | |
file: Containerfile | |
push: true | |
tags: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
cache-from: type=gha | |
cache-to: type=gha,mode=max | |
container-structure-test: | |
needs: build | |
runs-on: ubuntu-latest | |
environment: docker-hub # Use `docker-hub` repository environment | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
- name: Login to DockerHub | |
uses: docker/login-action@v3 # https://github.com/marketplace/actions/docker-login | |
with: | |
registry: ${{ vars.DOCKER_REGISTRY_URL }} | |
username: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
password: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
- name: Pull Container Image | |
# CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
run: | | |
docker pull ${{ env.CONTAINER_IMAGE_URL }} | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
- name: Run Container Structure Test | |
uses: ./.github/actions/container-structure-test | |
with: | |
image: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
configFile: ./container-structure-test.yaml | |
scan: | |
needs: build | |
runs-on: ubuntu-latest | |
# Set Job-level permissions: https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#jobsjob_idpermissions | |
permissions: | |
security-events: write # Allow Job to upload scan results to GitHub | |
environment: docker-hub # Use `docker-hub` repository environment | |
env: | |
TRIVY_CACHE_DIR: /tmp/trivy/ | |
steps: | |
# Workaround for the absence of github.branch_name, use github-env-vars-action to define useful environment variables not available by default | |
- uses: FranzDiebold/github-env-vars-action@v2 # https://github.com/marketplace/actions/github-environment-variables-action | |
# Set Complete Container Image URL | |
- name: Set CONTAINER_IMAGE_URL | |
run: | | |
echo "CONTAINER_IMAGE_URL=${{ vars.DOCKER_REGISTRY_URL }}/${{ vars.DOCKER_REPOSITORY }}/${{ env.CI_REPOSITORY_NAME }}:${{ env.CI_ACTION_REF_NAME }}" >> $GITHUB_ENV | |
- name: Checkout repository | |
uses: actions/checkout@v4 # https://github.com/marketplace/actions/checkout | |
- name: Cache Trivy | |
id: cache | |
uses: actions/cache@v3 # https://github.com/marketplace/actions/cache#using-a-combination-of-restore-and-save-actions | |
with: | |
path: ${{ env.TRIVY_CACHE_DIR }} | |
key: trivy-${{ hashFiles('**/package-lock.json', '**/Containerfile*') }} # Trivy scan results are influenced by npm dependencies and Containerfile runtime image | |
- name: Scan Image with Aqua Security Trivy | |
uses: aquasecurity/trivy-action@0.13.0 # https://github.com/marketplace/actions/aqua-security-trivy | |
with: | |
image-ref: ${{ env.CONTAINER_IMAGE_URL }} # CONTAINER_IMAGE_URL is defined in GITHUB_ENV | |
vuln-type: 'os,library' | |
severity: 'LOW,MEDIUM,HIGH,CRITICAL' | |
scanners: 'vuln,secret,config' | |
ignore-unfixed: true | |
exit-code: '1' | |
cache-dir: ${{ env.TRIVY_CACHE_DIR }} | |
format: sarif | |
output: 'trivy-results.sarif' | |
env: | |
TRIVY_USERNAME: ${{ secrets.DOCKER_REGISTRY_USERNAME }} | |
TRIVY_PASSWORD: ${{ secrets.DOCKER_REGISTRY_PASSWORD }} | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2.22.7 # https://github.com/github/codeql-action/tree/main/upload-sarif | |
with: | |
sarif_file: 'trivy-results.sarif' |