mirror of
https://github.com/kubereboot/kured.git
synced 2026-05-06 00:17:24 +00:00
c62ceb1124
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.32.0 to 0.33.0.
- [Release notes](https://github.com/aquasecurity/trivy-action/releases)
- [Commits](dc5a429b52...f9424c10c3)
---
updated-dependencies:
- dependency-name: aquasecurity/trivy-action
dependency-version: 0.33.0
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
164 lines
6.3 KiB
YAML
164 lines
6.3 KiB
YAML
name: PR
|
|
on:
|
|
pull_request:
|
|
push:
|
|
|
|
jobs:
|
|
pr-short-tests:
|
|
name: Run short go tests
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- name: checkout
|
|
uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Ensure go version
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
check-latest: true
|
|
- name: run tests
|
|
run: make test
|
|
- name: Annotate tests
|
|
if: always()
|
|
uses: guyarb/golang-test-annoations@2941118d7ef622b1b3771d1ff6eae9e90659eb26 # v0.8.0
|
|
with:
|
|
test-results: test.json
|
|
|
|
# This should not be made a mandatory test
|
|
# It is only used to make us aware of any potential security failure, that
|
|
# should trigger a bump of the image in build/.
|
|
pr-vuln-scan:
|
|
name: Build image and scan it against known vulnerabilities
|
|
runs-on: ubuntu-latest
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Ensure go version
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
check-latest: true
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
- name: Setup GoReleaser
|
|
run: make bootstrap-tools
|
|
- name: Find current tag version
|
|
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
|
id: tags
|
|
- name: Build image
|
|
run: VERSION="${{ steps.tags.outputs.sha_short }}" DH_ORG="${{ github.repository_owner }}" make image
|
|
- name: Run Trivy vulnerability scanner
|
|
uses: aquasecurity/trivy-action@f9424c10c36e288d5fa79bd3dfd1aeb2d6eae808
|
|
with:
|
|
image-ref: 'ghcr.io/${{ github.repository }}:${{ steps.tags.outputs.sha_short }}'
|
|
format: 'table'
|
|
exit-code: '1'
|
|
ignore-unfixed: true
|
|
vuln-type: 'os,library'
|
|
severity: 'CRITICAL,HIGH'
|
|
|
|
# This ensures the latest code works with the manifests built from tree.
|
|
# It is useful for two things:
|
|
# - Test manifests changes (obviously), ensuring they don't break existing clusters
|
|
# - Ensure manifests work with the latest versions even with no manifest change
|
|
# (compared to helm charts, manifests cannot easily template changes based on versions)
|
|
# Helm charts are _trailing_ releases, while manifests are done during development.
|
|
# This test uses the "command" reboot-method.
|
|
e2e-manifests:
|
|
name: End-to-End test with kured with code and manifests from HEAD
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
testname:
|
|
- "TestE2EWithCommand"
|
|
- "TestE2EWithSignal"
|
|
- "TestE2EConcurrentWithCommand"
|
|
- "TestE2EConcurrentWithSignal"
|
|
kubernetes_version:
|
|
- "previous"
|
|
- "current"
|
|
- "next"
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Ensure go version
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
check-latest: true
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
- name: Setup GoReleaser
|
|
run: make bootstrap-tools
|
|
- name: Find current tag version
|
|
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
|
id: tags
|
|
- name: Install kind
|
|
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
|
|
with:
|
|
install_only: true
|
|
version: v0.29.0
|
|
- name: Run specific e2e tests
|
|
run: make e2e-test ARGS="-run ^${{ matrix.testname }}/${{ matrix.kubernetes_version }}"
|
|
|
|
|
|
e2e-tests-singleversion:
|
|
name: End-to-End test targetting a single version of kubernetes
|
|
runs-on: ubuntu-latest
|
|
strategy:
|
|
fail-fast: false
|
|
matrix:
|
|
testname:
|
|
- "TestCordonningIsKept/concurrency1"
|
|
- "TestCordonningIsKept/concurrency2"
|
|
- "TestE2EBlocker/podblocker"
|
|
steps:
|
|
- name: Harden Runner
|
|
uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0
|
|
with:
|
|
egress-policy: audit
|
|
|
|
- uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
|
|
- name: Ensure go version
|
|
uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5.5.0
|
|
with:
|
|
go-version-file: 'go.mod'
|
|
check-latest: true
|
|
- name: Set up QEMU
|
|
uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
|
|
- name: Set up Docker Buildx
|
|
uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
|
|
- name: Setup GoReleaser
|
|
run: make bootstrap-tools
|
|
- name: Find current tag version
|
|
run: echo "sha_short=$(git rev-parse --short HEAD)" >> $GITHUB_OUTPUT
|
|
id: tags
|
|
- name: Install kind
|
|
uses: helm/kind-action@a1b0e391336a6ee6713a0583f8c6240d70863de3 # v1.12.0
|
|
with:
|
|
install_only: true
|
|
version: v0.29.0
|
|
# Keep this until v1.31 (or superior) becomes the default kubectl version for the kind-action.
|
|
# It is used in podblocker shell script test to use --all-pods.
|
|
# If the podblocker e2e test relies on another way, this can also be removed.
|
|
kubectl_version: v1.31.0
|
|
- name: Run specific e2e tests
|
|
run: make e2e-test ARGS="-run ^${{ matrix.testname }}"
|