mirror of
https://github.com/rancher/k3k.git
synced 2026-05-17 06:46:40 +00:00
d11c7b9256
Co-authored-by: renovate-rancher[bot] <119870437+renovate-rancher[bot]@users.noreply.github.com>
114 lines
3.8 KiB
YAML
114 lines
3.8 KiB
YAML
name: Build
|
|
|
|
on:
|
|
push:
|
|
branches: [main]
|
|
pull_request:
|
|
types: [opened, synchronize, reopened]
|
|
|
|
permissions:
|
|
contents: read
|
|
|
|
env:
|
|
GORELEASER_VERSION: v2.15.2
|
|
GORELEASER_CHECKSUM_x86_64: 0ebdbf0353aba566b969dde746cc4e4806f96c27aa2f3971b229a9df7611fedc
|
|
|
|
jobs:
|
|
build:
|
|
runs-on: ubuntu-latest
|
|
|
|
permissions:
|
|
contents: read
|
|
security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
|
|
|
|
steps:
|
|
- name: Checkout code
|
|
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
|
|
|
|
- name: Set up Go
|
|
uses: actions/setup-go@4a3601121dd01d1626a1e23e37211e3254c1c06c # v6
|
|
with:
|
|
go-version-file: go.mod
|
|
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@ce360397dd3f832beb865e1373c09c0e9f86d70a # v4
|
|
|
|
- name: Setup goreleaser
|
|
env:
|
|
FILENAME: goreleaser.tar.gz
|
|
run: |-
|
|
curl -sSfL -o ${{ env.FILENAME }} https://github.com/goreleaser/goreleaser/releases/download/${{ env.GORELEASER_VERSION }}/goreleaser_Linux_x86_64.tar.gz
|
|
echo "${{ env.GORELEASER_CHECKSUM_x86_64 }} ${{ env.FILENAME }}" | sha256sum --check
|
|
tar -xvzf "${{ env.FILENAME }}" goreleaser
|
|
sudo install -m 755 goreleaser /usr/local/bin/goreleaser
|
|
|
|
rm -f "${{ env.FILENAME }}" goreleaser
|
|
|
|
- name: Run GoReleaser
|
|
env:
|
|
REPO: ${{ github.repository }}
|
|
REGISTRY: ""
|
|
run: |-
|
|
goreleaser --clean --snapshot
|
|
|
|
if [[ ! -f dist/metadata.json ]] || [[ ! -s dist/metadata.json ]]; then
|
|
echo "Missing required file: dist/metadata.json"
|
|
exit 1
|
|
fi
|
|
|
|
if [[ ! -f dist/artifacts.json ]] || [[ ! -s dist/artifacts.json ]]; then
|
|
echo "Missing required file: dist/artifacts.json"
|
|
exit 1
|
|
fi
|
|
|
|
echo "metadata=$(tr -d '\n\r' < dist/metadata.json)" >> "${GITHUB_OUTPUT}"
|
|
echo "artifacts=$(tr -d '\n\r' < dist/artifacts.json)" >> "${GITHUB_OUTPUT}"
|
|
|
|
- name: Run Trivy vulnerability scanner (k3kcli)
|
|
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
|
|
with:
|
|
ignore-unfixed: true
|
|
severity: 'MEDIUM,HIGH,CRITICAL'
|
|
scan-type: 'fs'
|
|
scan-ref: 'dist/k3kcli_linux_amd64_v1/k3kcli'
|
|
format: 'sarif'
|
|
output: 'trivy-results-k3kcli.sarif'
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab (k3kcli)
|
|
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
with:
|
|
sarif_file: trivy-results-k3kcli.sarif
|
|
category: k3kcli
|
|
|
|
- name: Run Trivy vulnerability scanner (k3k)
|
|
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
|
|
with:
|
|
ignore-unfixed: true
|
|
severity: 'MEDIUM,HIGH,CRITICAL'
|
|
scan-type: 'image'
|
|
scan-ref: '${{ github.repository }}:v0.0.0-amd64'
|
|
format: 'sarif'
|
|
output: 'trivy-results-k3k.sarif'
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab (k3k)
|
|
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
with:
|
|
sarif_file: trivy-results-k3k.sarif
|
|
category: k3k
|
|
|
|
- name: Run Trivy vulnerability scanner (k3k-kubelet)
|
|
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
|
|
with:
|
|
ignore-unfixed: true
|
|
severity: 'MEDIUM,HIGH,CRITICAL'
|
|
scan-type: 'image'
|
|
scan-ref: '${{ github.repository }}-kubelet:v0.0.0-amd64'
|
|
format: 'sarif'
|
|
output: 'trivy-results-k3k-kubelet.sarif'
|
|
|
|
- name: Upload Trivy scan results to GitHub Security tab (k3k-kubelet)
|
|
uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3
|
|
with:
|
|
sarif_file: trivy-results-k3k-kubelet.sarif
|
|
category: k3k-kubelet
|