ci(actions): scan image for vulnerabilities #82
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| --- | |
| name: Verify pull request | |
| "on": | |
| pull_request: | |
| branches: | |
| - "master" | |
| types: | |
| - "opened" | |
| - "reopened" | |
| - "synchronize" | |
| concurrency: | |
| group: ${{ github.ref }}-${{ github.workflow }} | |
| cancel-in-progress: true | |
| jobs: | |
| preparation: | |
| name: Prepare for build | |
| runs-on: ubuntu-latest | |
| timeout-minutes: 10 | |
| if: ${{ github.event.pull_request.draft == false }} | |
| outputs: | |
| has_changed: ${{ steps.changed-files.outputs.any_changed }} | |
| steps: | |
| - name: Checkout Code | |
| uses: actions/checkout@v4 | |
| with: | |
| fetch-depth: 0 | |
| - name: Get changed modules | |
| id: changed-files | |
| uses: tj-actions/changed-files@v40 | |
| if: github.event_name == 'pull_request' | |
| with: | |
| files: | | |
| Dockerfile | |
| run.sh | |
| .github/workflows/python-pubsub/** | |
| .github/workflows/publish.yaml | |
| .github/workflows/verify-pullrequest.yaml | |
| verify_pull_request: | |
| runs-on: ubuntu-latest | |
| needs: preparation | |
| timeout-minutes: 30 | |
| if: ${{ github.event.pull_request.draft == false && needs.preparation.outputs.has_changed == 'true' }} | |
| env: | |
| image_tag: "tungbeier/gcloud-pubsub-emulator:test" | |
| steps: | |
| - name: Checkout | |
| uses: actions/checkout@v4 | |
| - name: Set up Docker Buildx | |
| uses: docker/setup-buildx-action@v3 | |
| - name: Build image | |
| uses: docker/build-push-action@v5 | |
| with: | |
| context: . | |
| load: true | |
| tags: ${{ env.image_tag }} | |
| - name: Scan image | |
| uses: aquasecurity/trivy-action@0.16.0 | |
| with: | |
| image-ref: ${{ env.image_tag }} | |
| format: 'table' | |
| exit-code: '1' | |
| ignore-unfixed: true | |
| vuln-type: 'os,library' | |
| severity: 'CRITICAL,HIGH' | |
| - name: Set up python | |
| uses: actions/setup-python@v5 | |
| with: | |
| python-version: '3.11' | |
| - name: Verify image | |
| env: | |
| project: 'test-project' | |
| topic: 'test-topic' | |
| subscription: 'test-subscription' | |
| run: | | |
| docker run --detach --rm \ | |
| --name emulator \ | |
| --publish 8681:8681 \ | |
| --env PUBSUB_PROJECT1=${{ env.project }},${{ env.topic }} \ | |
| ${{ env.image_tag }} | |
| export PUBSUB_EMULATOR_HOST=localhost:8681 | |
| cd .github/workflows/python-pubsub | |
| echo "[INFO] Install python requirements" | |
| pip install -q -r requirements.txt | |
| echo "[INFO] Create pull subscription" | |
| python subscriber.py ${{ env.project }} create ${{ env.topic }} ${{ env.subscription }} | |
| echo "[INFO] Publish message" | |
| python publisher.py ${{ env.project }} publish ${{ env.topic }} | |
| echo "[INFO] Receive message" | |
| python subscriber.py ${{ env.project }} receive ${{ env.subscription }} 10 |