This repository has been archived by the owner on Mar 20, 2024. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 16
166 lines (140 loc) · 6.05 KB
/
public-ci.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
name: 'Public-CI'
on: [push, pull_request]
permissions: # added using https://github.com/step-security/secure-repo
contents: read
jobs:
# Super-linter consists of several lint tools
# lint tools are assigned to the pipeline via the env field
# For more information, please see https://github.com/github/super-linter
super-linter:
permissions:
contents: read # for actions/checkout to fetch code
statuses: write # for github/super-linter to mark status of each linter run
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: super-linter
uses: github/super-linter@985ef206aaca4d560cb9ee2af2b42ba44adc1d55 # v4.10.0
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
LINTER_RULES_PATH: /
VALIDATE_BASH: true
VALIDATE_GO: true
VALIDATE_DOCKERFILE_HADOLINT: true
VALIDATE_CLANG_FORMAT: true
VALIDATE_JSON: true
# Build stage executes binary builds for CNI and device-plugin
build:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y clang
sudo apt install -y llvm
sudo apt install -y gcc-multilib
- name: Run build
run: make build
# go-static-tools scans code base and packages using go-vet, go mod verify and staticcheck
go-static-tools:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
- name: Install staticcheck
run: go install honnef.co/go/tools/cmd/staticcheck@latest
- name: run static analysis
run: make static-ci
# unit-test stage
unit-tests:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Set up Go
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0
with:
go-version: 1.19
- name: Install libbpf and libxdp
run: |
sudo apt update
sudo apt install -y wget build-essential golang
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb
sudo apt install -y clang
sudo apt install -y llvm
sudo apt install -y gcc-multilib
- name: unit-tests
run: make test
# Trivy Scan
trivy-scan:
runs-on: ubuntu-latest
permissions:
contents: read
security-events: write
steps:
- name: Checkout code
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0
- name: Run Trivy vulnerability scanner in repo mode
uses: aquasecurity/trivy-action@master
with:
scan-type: 'fs'
ignore-unfixed: true
format: 'sarif'
output: 'trivy-results.sarif'
severity: 'CRITICAL'
- name: Build Docker image
run: make docker
- name: Generate .tar image
run: docker save -o vul-image.tar afxdp-device-plugin:latest
- name: Run Trivy on tarballed image
uses: aquasecurity/trivy-action@master
with:
image-ref: /github/workspace/vul-image.tar
scan-type: 'fs'
ignore-unfixed: false
format: 'sarif'
output: 'trivy-image-results.sarif'
severity: 'CRITICAL'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
- name: Print sarif file
run: cat < trivy-results.sarif
- name: Print image sarif file
run: cat trivy-image-results.sarif