Fix Trivy #72
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: Build and publish xk6-kafka | |
on: | |
push: | |
tags: | |
- "v*" | |
jobs: | |
build: | |
name: Build xk6-kafka | |
runs-on: ubuntu-latest | |
steps: | |
- name: Checkout 🛎️ | |
uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
- name: Install Go 🧑💻 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: actions/setup-go@v5 | |
with: | |
go-version: "1.23" | |
- name: Install xk6 and build xk6-kafka for different platforms 🏗️ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
run: | | |
mkdir dist | |
go install go.k6.io/xk6/cmd/xk6@latest | |
# ------------------------- Linux amd64 ------------------------- | |
GOOS=linux GOARCH=amd64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_linux_amd64 --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_linux_amd64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_linux_amd64 | |
# ------------------------- Linux arm64 ------------------------- | |
GOOS=linux GOARCH=arm64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_linux_arm64 --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_linux_arm64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_linux_arm64 | |
# ------------------------- macOS amd64 ------------------------- | |
GOOS=darwin GOARCH=amd64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_darwin_amd64 --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_darwin_amd64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_darwin_amd64 | |
# ------------------------- macOS arm64 ------------------------- | |
GOOS=darwin GOARCH=arm64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_darwin_arm64 --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_darwin_arm64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_darwin_arm64 | |
# ------------------------- Windows amd64 ------------------------- | |
GOOS=windows GOARCH=amd64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_windows_amd64.exe --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_windows_amd64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_windows_amd64.exe | |
# ------------------------- Windows arm64 ------------------------- | |
GOOS=windows GOARCH=arm64 xk6 build --output dist/xk6-kafka_${{ github.ref_name }}_windows_arm64.exe --with github.com/mostafa/xk6-kafka@${{ github.ref_name }} | |
tar cvzf dist/xk6-kafka_${{ github.ref_name }}_windows_arm64.tar.gz dist/xk6-kafka_${{ github.ref_name }}_windows_arm64.exe | |
- name: Generate CycloneDX SBOM artifacts 📃 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
run: | | |
go install github.com/CycloneDX/cyclonedx-gomod/cmd/cyclonedx-gomod@latest | |
cyclonedx-gomod mod -json -licenses -output code-cyclonedx-xk6-kafka-${{ github.ref_name }}.json | |
- name: Docker meta 📝 | |
id: meta | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: docker/metadata-action@v4 | |
with: | |
images: mostafamoradian/xk6-kafka | |
tags: | | |
type=semver,pattern={{version}} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Set up Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
- name: Login to DockerHub 🔒 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: docker/login-action@v3 | |
with: | |
username: ${{ secrets.DOCKERHUB_USERNAME }} | |
password: ${{ secrets.DOCKERHUB_TOKEN }} | |
- name: Build and push Docker image 🛳️ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: docker/build-push-action@v5 | |
with: | |
context: . | |
push: true | |
platforms: linux/amd64,linux/arm64 | |
build-args: VERSION_TAG=${{ github.ref_name }} | |
tags: ${{ steps.meta.outputs.tags }} | |
labels: ${{ steps.meta.outputs.labels }} | |
- name: Install cosign ⬇️ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: sigstore/cosign-installer@main | |
- name: Sign the Docker image ✍️ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
run: echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign sign -y docker.io/{} | |
- name: Verify the Docker image signature ✅ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
run: | | |
echo "${{ steps.meta.outputs.tags }}" | xargs -I {} cosign verify --certificate-identity ${IDENTITY} --certificate-oidc-issuer ${OIDC_ISSUER_URL} docker.io/{} | |
env: | |
IDENTITY: ${{ secrets.IDENTITY }} | |
OIDC_ISSUER_URL: ${{ secrets.OIDC_ISSUER_URL }} | |
- name: Scan code with Trivy vulnerability scanner 🔍 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: aquasecurity/trivy-action@0.28.0 | |
with: | |
scan-type: "fs" | |
format: "sarif" | |
output: "trivy-results.sarif" | |
exit-code: 1 | |
ignore-unfixed: true | |
severity: "CRITICAL,HIGH" | |
skip-dirs: "fixtures" | |
- name: Upload Trivy scan results to GitHub Security tab ⬆️ | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: github/codeql-action/upload-sarif@v1 | |
with: | |
sarif_file: "trivy-results.sarif" | |
- name: Scan Docker image with Syft and generate SBOM 🦉 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: anchore/sbom-action@v0 | |
with: | |
artifact-name: docker-image-cyclonedx-xk6-kafka-${{ github.ref_name }}.json | |
format: cyclonedx-json | |
dependency-snapshot: true | |
- name: Create Release 📦 and add binaries and SBOM files 💾 | |
if: github.event_name == 'push' && startsWith(github.ref, 'refs/tags') | |
uses: softprops/action-gh-release@v1 | |
with: | |
files: | | |
dist/*.tar.gz | |
code-cyclonedx-xk6-kafka-${{ github.ref_name }}.json | |
docker-image-cyclonedx-xk6-kafka-${{ github.ref_name }}.json |