Update Trivy action version to v0.35.0 (#18) #171
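name: "ndc-python-lambda connector"

# NOTE(review): every third-party action below is pinned by a tag. Tags are
# mutable, so pinning each `uses:` to a full commit SHA (keeping the tag in a
# trailing comment) makes the build reproducible and resistant to a tag being
# re-pointed.

on:  # yamllint disable-line rule:truthy
  pull_request:
    branches:
      - main
      - test-ci/**
  push:
    branches:
      - main
      - test-ci/**
    tags:
      - v**

# Default the GITHUB_TOKEN to read-only; the jobs that publish request the
# write scopes they need individually.
permissions:
  contents: read

env:
  DOCKER_REGISTRY: ghcr.io
  DOCKER_IMAGE_NAME: hasura/ndc-python-lambda

jobs:
  build-and-test:
    name: Build and test ndc-lambda-sdk
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Install dependencies
        run: |
          python -m pip install --upgrade pip
          if [ -f requirements.txt ]; then pip install -r requirements.txt; fi
      - name: Run tests
        # Best-effort: a repo without pytest installed is not a failure here.
        run: |
          if command -v pytest &> /dev/null; then
            pytest
          else
            echo "pytest not found, skipping tests"
          fi

  test-connector:
    name: Test connector
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Test example functions.py works
        run: ./scripts/test-container.sh

  build-connector:
    name: Build connector
    runs-on: ubuntu-latest
    outputs:
      commit_hash: ${{ steps.get_commit_hash.outputs.commit_hash }}
      sha256: ${{ steps.calculate_checksum.outputs.sha256 }}
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0 # This is important for git describe to work correctly
      - uses: actions/setup-python@v5
        with:
          python-version: "3.12"
      - name: Build connector
        run: |
          cd connector-definition
          make build
      - name: Calculate SHA256 checksum
        id: calculate_checksum
        run: |
          SHA256=$(sha256sum ./connector-definition/dist/connector-definition.tgz | awk '{ print $1 }')
          echo "sha256=$SHA256" >> "$GITHUB_OUTPUT"
      - name: Get commit hash
        id: get_commit_hash
        run: |
          COMMIT_HASH=$(git rev-parse HEAD)
          echo "commit_hash=$COMMIT_HASH" >> "$GITHUB_OUTPUT"
      - name: Debug information
        run: |
          echo "Contents of connector-definition/dist:"
          ls -la connector-definition/dist
          echo "Contents of connector-definition/dist/.hasura-connector:"
          ls -la connector-definition/dist/.hasura-connector
      - uses: actions/upload-artifact@v4
        with:
          name: connector-definition
          path: ./connector-definition/dist
          compression-level: 0 # Already compressed

  security-scan:
    name: Build and scan Docker image
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          load: true # local image only; nothing is pushed from this job
          tags: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
      - name: Run Trivy vulnerability scanner (json output)
        # This step installs the Trivy binary that the "Fail build" step below
        # reuses (skip-setup-trivy), so both steps pin the same action version.
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
          format: json
          output: trivy-results.json
          scanners: vuln
      - name: Upload Trivy scan results to Security Agent
        uses: hasura/security-agent-tools/upload-file@v1
        with:
          file_path: trivy-results.json
          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
          tags: |
            service=ndc-python-lambda
            source_code_path=.
            docker_file_path=Dockerfile
            scanner=trivy
            image_name=${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
            product_domain=hasura-ddn-data-plane,promptql-data-plane
            team=engine
      - name: Fail build on High/Critical Vulnerabilities
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          skip-setup-trivy: true
          image-ref: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}:${{ github.sha }}
          format: table
          severity: CRITICAL,HIGH
          scanners: vuln
          ignore-unfixed: true
          exit-code: 1

  build-and-push-docker:
    name: Build and push Docker image
    # Gate publication on the pre-push scan so that a failing scan blocks the
    # push instead of only failing the build after the image is already public.
    needs:
      - build-connector
      - security-scan
    runs-on: ubuntu-latest
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: read
      packages: write # push to ghcr.io with GITHUB_TOKEN
    steps:
      - uses: actions/checkout@v4
      - name: Set up QEMU
        uses: docker/setup-qemu-action@v3
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v3
        with:
          registry: ${{ env.DOCKER_REGISTRY }}
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Extract metadata (tags, labels) for Docker
        id: docker-metadata
        uses: docker/metadata-action@v5
        with:
          images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }}
      - name: Build and Push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          push: true
          platforms: linux/amd64,linux/arm64
          tags: ${{ steps.docker-metadata.outputs.tags }}
          labels: ${{ steps.docker-metadata.outputs.labels }}
      - name: Get image tag for scanning
        id: get-image-tag
        # Workflow-level env is exported to the shell, so read it as plain
        # environment variables rather than interpolating expressions into the script.
        run: |
          IMAGE_TAG="${DOCKER_REGISTRY}/${DOCKER_IMAGE_NAME}:${GITHUB_REF#refs/tags/}"
          echo "image_tag=$IMAGE_TAG" >> "$GITHUB_OUTPUT"
      - name: Run Trivy vulnerability scanner (json output)
        # Post-publication check of the pushed manifest; the pre-push gate is
        # the security-scan job this job depends on.
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
          format: json
          output: trivy-results.json
          scanners: vuln
      - name: Upload Trivy scan results to Security Agent
        uses: hasura/security-agent-tools/upload-file@v1
        with:
          file_path: trivy-results.json
          security_agent_api_key: ${{ secrets.SECURITY_AGENT_API_KEY }}
          tags: |
            service=ndc-python-lambda
            source_code_path=.
            docker_file_path=Dockerfile
            scanner=trivy
            image_name=${{ steps.get-image-tag.outputs.image_tag }}
            product_domain=hasura-ddn-data-plane,promptql-data-plane
            team=engine
      - name: Fail build on High/Critical Vulnerabilities
        # Same action version as the json step above, whose Trivy install is reused.
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          skip-setup-trivy: true
          image-ref: ${{ steps.get-image-tag.outputs.image_tag }}
          format: table
          severity: CRITICAL,HIGH
          scanners: vuln
          ignore-unfixed: true
          exit-code: 1

  release-connector:
    name: Release connector
    runs-on: ubuntu-latest
    needs:
      - build-and-test
      - build-connector
      - build-and-push-docker
    if: startsWith(github.ref, 'refs/tags/v')
    permissions:
      contents: write # create the GitHub release and attach the artifact
    steps:
      - uses: actions/checkout@v4
      - name: Download connector definition
        uses: actions/download-artifact@v4
        with:
          name: connector-definition
          path: ./connector-definition/dist
      - name: Get version from tag
        id: get-version
        run: |
          echo "tagged_version=${GITHUB_REF#refs/tags/v}" >> "$GITHUB_OUTPUT"
        shell: bash
      - uses: mindsers/changelog-reader-action@v2
        id: changelog-reader
        with:
          version: ${{ steps.get-version.outputs.tagged_version }}
          path: ./CHANGELOG.md
      - uses: softprops/action-gh-release@v1
        with:
          draft: false
          tag_name: v${{ steps.get-version.outputs.tagged_version }}
          body: ${{ steps.changelog-reader.outputs.changes }}
          files: |
            ./connector-definition/dist/connector-definition.tgz
          fail_on_unmatched_files: true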