workflow: create image-build #104
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: 'Public-CI' | |
on: [push, pull_request] | |
permissions: # added using https://github.com/step-security/secure-repo | |
contents: read | |
jobs: | |
# Super-linter consists of several lint tools | |
# lint tools are assigned to the pipeline via the env field | |
# For more information, please see https://github.com/github/super-linter | |
super-linter: | |
permissions: | |
contents: read # for actions/checkout to fetch code | |
statuses: write # for github/super-linter to mark status of each linter run | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: super-linter | |
uses: github/super-linter@985ef206aaca4d560cb9ee2af2b42ba44adc1d55 # v4.10.0 | |
env: | |
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} | |
LINTER_RULES_PATH: / | |
VALIDATE_BASH: true | |
VALIDATE_GO: true | |
VALIDATE_DOCKERFILE_HADOLINT: true | |
VALIDATE_CLANG_FORMAT: true | |
VALIDATE_JSON: true | |
# Build stage executes binary builds for CNI and device-plugin | |
build: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Set up Go | |
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 | |
with: | |
go-version: 1.19 | |
- name: Install libbpf and libxdp | |
run: | | |
sudo apt update | |
sudo apt install -y wget build-essential golang | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb | |
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb | |
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y clang | |
sudo apt install -y llvm | |
sudo apt install -y gcc-multilib | |
- name: Run build | |
run: make build | |
# go-static-tools scans code base and packages using go-vet, go mod verify and staticcheck | |
go-static-tools: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Set up Go | |
uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568 # v3.5.0 | |
with: | |
go-version: 1.19 | |
- name: Install libbpf and libxdp | |
run: | | |
sudo apt update | |
sudo apt install -y wget build-essential golang | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb | |
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb | |
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
- name: Install staticcheck | |
run: go install honnef.co/go/tools/cmd/staticcheck@latest | |
- name: run static analysis | |
run: make static-ci | |
# unit-test stage | |
unit-tests: | |
runs-on: ubuntu-latest | |
steps: | |
- uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Set up Go | |
uses: actions/setup-go@bfdd3570ce990073878bf10f6b2d79082de49492 # v2.2.0 | |
with: | |
go-version: 1.19 | |
- name: Install libbpf and libxdp | |
run: | | |
sudo apt update | |
sudo apt install -y wget build-essential golang | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf1_1.1.0-1_amd64.deb | |
sudo wget http://security.ubuntu.com/ubuntu/pool/main/libb/libbpf/libbpf-dev_1.1.0-1_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo wget https://mirrors.edge.kernel.org/ubuntu/pool/main/x/xdp-tools/libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libbpf1_1.1.0-1_amd64.deb | |
sudo apt install -y ./libbpf-dev_1.1.0-1_amd64.deb | |
sudo apt install -y ./libxdp1_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y ./libxdp-dev_1.3.0-2ubuntu2_amd64.deb | |
sudo apt install -y clang | |
sudo apt install -y llvm | |
sudo apt install -y gcc-multilib | |
- name: unit-tests | |
run: make test | |
# Trivy Scan | |
trivy-scan: | |
runs-on: ubuntu-latest | |
permissions: | |
contents: read | |
security-events: write | |
steps: | |
- name: Checkout code | |
uses: actions/checkout@ac593985615ec2ede58e132d2e21d2b1cbd6127c # v3.3.0 | |
- name: Run Trivy vulnerability scanner in repo mode | |
uses: aquasecurity/trivy-action@master | |
with: | |
scan-type: 'fs' | |
ignore-unfixed: true | |
format: 'sarif' | |
output: 'trivy-results.sarif' | |
severity: 'CRITICAL' | |
- name: Build Docker image | |
run: make docker | |
- name: Generate .tar image | |
run: docker save -o vul-image.tar afxdp-device-plugin:latest | |
- name: Run Trivy on tarballed image | |
uses: aquasecurity/trivy-action@master | |
with: | |
image-ref: /github/workspace/vul-image.tar | |
scan-type: 'fs' | |
ignore-unfixed: false | |
format: 'sarif' | |
output: 'trivy-image-results.sarif' | |
severity: 'CRITICAL' | |
- name: Upload Trivy scan results to GitHub Security tab | |
uses: github/codeql-action/upload-sarif@v2 | |
with: | |
sarif_file: 'trivy-results.sarif' | |
- name: Print sarif file | |
run: cat < trivy-results.sarif | |
- name: Print image sarif file | |
run: cat trivy-image-results.sarif |