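---
name: mcvs-golang-action
description: |
  The Mission Critical Vulnerability Scanner (MCVS) Golang action.
inputs:
  code_coverage_expected:
    description: |
      The minimum code coverage.
    default: "80"
  golang-unit-tests-exclusions:
    description: |
      The Golang paths that should be excluded from unit testing.
    default: " "
  golangci-lint-version:
    description: |
      The Golangci-lint version that has to be installed and used.
    default: v1.55.2
  golang-number-of-tests-in-parallel:
    # No default is declared: when the caller omits this input an empty
    # string is handed to go-test.sh as the parallelism argument.
    description: |
      Number of test in parallel.
  trivy-action-db:
    default: "ghcr.io/aquasecurity/trivy-db:2"
    description: |
      OCI repository to retrieve trivy-db from.
  trivy-action-java-db:
    description: |
      OCI repository to retrieve trivy-java-db from.
    default: "ghcr.io/aquasecurity/trivy-java-db:1"
  token:
    description: |
      A token is required to allow the mcvs-golang-action to pull the
      cached trivy DBs to prevent bump into pull rate limits.
    required: true
runs:
  using: "composite"
  steps:
    #
    # YAML linting.
    #
    - run: |
        pip install --user yamllint==1.35.1
        yamllint .
      shell: bash
    #
    # Install the golang version that has been defined in the go.mod file.
    #
    # Note: the third-party actions used below are pinned to release tags.
    # Tags are mutable; pinning to a full commit SHA gives a stronger
    # supply-chain guarantee if that is wanted.
    #
    - uses: actions/setup-go@v5.0.2
      with:
        go-version-file: "go.mod"
        cache: false
    #
    # Verify downloaded dependencies.
    #
    - name: verify golang modules
      shell: bash
      run: |
        go mod verify
    - uses: golang/govulncheck-action@v1.0.4
      with:
        go-version-file: go.mod
        go-package: ./...
    #
    # Check for 'incorrect import order', let pipeline fail if true and provide
    # instruction to remediate it. Note: check is included in golangci-lint,
    # but it does not provide clarity how to resolve it when positive.
    #
    - name: gci
      shell: bash
      run: |
        go install github.com/daixiang0/gci@v0.13.4
        if ~/go/bin/gci list --skip-generated . | grep "\.go$"; then
          echo "One or more golang files detected with: 'incorrect import order':"
          echo " * Observe: '~/go/bin/gci diff --skip-generated .'"
          echo " * Resolve: '~/go/bin/gci write --skip-generated .'"
          exit 1
        fi
    #
    # Code security scanning.
    #
    - uses: anchore/scan-action@v5.0.1
      with:
        only-fixed: false
        output-format: table
        path: "."
        severity-cutoff: high
    - uses: 030/trivyignore-validator-action@v0.1.2
    #
    # The token is passed through the step environment rather than being
    # expanded into the script with ${{ }}, so its contents are never
    # interpreted as shell syntax. GITHUB_ACTOR is the default runner
    # variable carrying the same value as github.actor.
    #
    - name: Log in to GitHub Packages Docker registry
      shell: bash
      env:
        TOKEN: ${{ inputs.token }}
      run: |
        echo "${TOKEN}" |\
          docker login ghcr.io -u "${GITHUB_ACTOR}" --password-stdin
    - uses: aquasecurity/trivy-action@0.28.0
      env:
        TRIVY_DB_REPOSITORY: ${{ inputs.trivy-action-db }}
        TRIVY_JAVA_DB_REPOSITORY: ${{ inputs.trivy-action-java-db }}
        TRIVY_PASSWORD: ${{ inputs.token }}
        TRIVY_USERNAME: ${{ github.actor }}
      with:
        scan-type: "fs"
        scan-ref: "."
        exit-code: "1"
        ignore-unfixed: true
        severity: "CRITICAL,HIGH"
        trivyignores: .trivyignore
    #
    # Run golangci-lint.
    #
    - uses: golangci/golangci-lint-action@v6.1.1
      with:
        args: |-
          --enable-all \
          --out-format=colored-line-number \
          --timeout 2m30s \
          -v
        version: ${{ inputs.golangci-lint-version }}
    #
    # Unit tests.
    #
    # Caller-supplied inputs reach the shell via env so that their contents
    # are passed as data and cannot alter the command being run.
    #
    - name: unit tests
      shell: bash
      env:
        GOLANG_NUMBER_OF_TESTS_IN_PARALLEL: ${{ inputs.golang-number-of-tests-in-parallel }}
        GOLANG_UNIT_TESTS_EXCLUSIONS: ${{ inputs.golang-unit-tests-exclusions }}
      run: |
        "${GITHUB_ACTION_PATH}/src/go-test.sh" \
          "" \
          "" \
          "${GOLANG_NUMBER_OF_TESTS_IN_PARALLEL}" \
          "${GOLANG_UNIT_TESTS_EXCLUSIONS}" \
          ""
    #
    # Unit & integration tests including code coverage.
    #
    - name: unit & integrations tests and code coverage
      shell: bash
      env:
        CODE_COVERAGE_EXPECTED: ${{ inputs.code_coverage_expected }}
        GOLANG_NUMBER_OF_TESTS_IN_PARALLEL: ${{ inputs.golang-number-of-tests-in-parallel }}
        GOLANG_UNIT_TESTS_EXCLUSIONS: ${{ inputs.golang-unit-tests-exclusions }}
      run: |
        "${GITHUB_ACTION_PATH}/src/go-test.sh" \
          "./..." \
          "profile.cov" \
          "${GOLANG_NUMBER_OF_TESTS_IN_PARALLEL}" \
          "${GOLANG_UNIT_TESTS_EXCLUSIONS}" \
          "integration"
        code_coverage_output=$(go tool cover -func profile.cov)
        code_coverage_actual=$(echo "${code_coverage_output}" |\
          grep total: |\
          awk '{print $3}' |\
          sed 's/%//')
        echo "Code coverage overview:"
        echo "${code_coverage_output}"
        # An empty operand makes bc print nothing, which the arithmetic tests
        # below treat as false; fail explicitly instead of comparing nothing.
        if [ -z "${code_coverage_actual}" ]; then
          echo "Unable to determine the actual code coverage from 'go tool cover -func profile.cov'."
          exit 1
        fi
        if (( $(echo "${CODE_COVERAGE_EXPECTED} > ${code_coverage_actual}" | bc -l) )); then
          echo "The actual code coverage: '${code_coverage_actual}' is too low. Expected: '${CODE_COVERAGE_EXPECTED}'."
          exit 1
        elif (( $(echo "${code_coverage_actual} > ${CODE_COVERAGE_EXPECTED}" | bc -l) )); then
          echo "The actual code coverage: '${code_coverage_actual}' exceeds the expected coverage. Please adjust the threshold to align with the expected: '${CODE_COVERAGE_EXPECTED}'."
          exit 1
        fi
    #
    # Component tests.
    #
    - name: component tests
      shell: bash
      env:
        GOLANG_NUMBER_OF_TESTS_IN_PARALLEL: ${{ inputs.golang-number-of-tests-in-parallel }}
        GOLANG_UNIT_TESTS_EXCLUSIONS: ${{ inputs.golang-unit-tests-exclusions }}
      run: |
        "${GITHUB_ACTION_PATH}/src/go-test.sh" \
          "" \
          "" \
          "${GOLANG_NUMBER_OF_TESTS_IN_PARALLEL}" \
          "${GOLANG_UNIT_TESTS_EXCLUSIONS}" \
          "component"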