# Reusable GitHub Actions workflow: builds a Docker image with a caller-supplied
# command, scans it with Trivy, and posts to Slack when the build/scan job fails.
# Callers invoke it via `workflow_call`; every secret and input below is part of
# the contract with those callers.
name: Nightly Build and Test
# `on` is a YAML 1.1 boolean key; GitHub's loader handles it (yamllint `truthy` noise only).
on:
  workflow_call:
    # All four secrets are mandatory: the caller must pass them explicitly
    # (or with `secrets: inherit`); they are not read from the repo directly.
    secrets:
      docker_username:
        required: true
      docker_password:
        required: true
      slack_channel:
        required: true
      slack_token:
        required: true
    inputs:
      # NOTE(review): declared for callers but not referenced anywhere in this
      # file — confirm whether it is consumed by `build_command` or is dead.
      target_branches:
        type: string
        required: false
        default: "master,main"
      # Exposed to the build as $INTEGRATION; empty by default.
      integration_name:
        type: string
        required: false
        default: ""
      # Image name (repo/name) used for the build, the scan and the Slack link.
      docker_image:
        type: string
        required: true
      docker_tag:
        type: string
        required: false
        default: "nightly"
      # Shell script executed verbatim by the "Build Image" step (see below).
      build_command:
        type: string
        required: true
      setup_qemu:
        type: boolean
        required: false
        default: false
      setup_buildx:
        type: boolean
        required: false
        default: false
      setup_go:
        type: boolean
        required: false
        default: false
      # Only consulted when setup_go is true.
      go_version_file:
        type: string
        required: false
        default: "go.mod"
      generate_packages:
        type: boolean
        required: false
        default: false
      # 0 = full clone (no shallow history) in actions/checkout.
      fetch_depth:
        type: number
        required: false
        default: 0
      # Set to false to skip the vulnerability scan step.
      trivy_scan:
        type: boolean
        required: false
        default: true
jobs:
  nightly:
    name: Nightly Build and Test
    runs-on: ubuntu-latest
    # Job-level env: these values are visible to every step in the job, including
    # the third-party actions, not only to the caller's build command.
    env:
      # NOTE(review): exposes the workflow token to all steps; presumably needed by
      # build_command (e.g. when GENERATE_PACKAGES is set) — confirm, and scope it
      # to the "Build Image" step if nothing else needs it.
      GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      DOCKER_IMAGE: ${{ inputs.docker_image }}
      TAG: ${{ inputs.docker_tag }}
      INTEGRATION: ${{ inputs.integration_name }}
      # Image reference that the Trivy step scans; build_command is expected to
      # produce it (not verified by this workflow).
      TEST_IMAGE: ${{ inputs.docker_image }}:${{ inputs.docker_tag }}
      GENERATE_PACKAGES: ${{ inputs.generate_packages }}
      TAG_SUFFIX: "-${{ inputs.docker_tag }}"
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: ${{ inputs.fetch_depth }}
      # Logs in before the build so build_command can push to DockerHub if it wants to.
      - name: Login to DockerHub
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.docker_username }}
          password: ${{ secrets.docker_password }}
      - name: Set up QEMU
        if: ${{ inputs.setup_qemu }}
        uses: docker/setup-qemu-action@v3
      - name: Set up Buildx
        if: ${{ inputs.setup_buildx }}
        uses: docker/setup-buildx-action@v3
      - name: Set up Go
        if: ${{ inputs.setup_go }}
        uses: actions/setup-go@v6
        with:
          go-version-file: ${{ inputs.go_version_file }}
      # The caller's string is expanded into the script body before bash runs it,
      # so whoever controls the calling workflow controls what executes here; the
      # trust boundary is the caller repository, not this file.
      - name: Build Image
        run: ${{ inputs.build_command }}
        shell: bash
        # false is already the default; kept explicit so a build failure fails the job.
        continue-on-error: false
      # Scan gate: CRITICAL/HIGH findings that have a fix available fail the job.
      - name: Run Trivy to check Docker image for vulnerabilities
        if: ${{ inputs.trivy_scan }}
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: ${{ env.TEST_IMAGE }}
          format: 'table'
          exit-code: '1' # Fail the workflow if vulnerabilities are found
          # Findings without an upstream fix are not reported and cannot fail the gate.
          ignore-unfixed: true
          vuln-type: 'os,library'
          severity: "CRITICAL,HIGH"
        # Pull the vulnerability databases from the ECR mirror instead of Trivy's
        # default registry — presumably to avoid registry rate limits; verify.
        env:
          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db
          TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db
  notify-failure:
    # always() forces evaluation even though a needed job failed; failure() then
    # limits the job to runs where `nightly` did fail.
    if: ${{ always() && failure() }}
    needs: [nightly]
    runs-on: ubuntu-latest
    steps:
      # NOTE(review): `@master` is a mutable branch ref on a third-party action that
      # receives the Slack bot token; pin it to a release tag or full commit SHA so
      # an upstream change cannot silently alter what runs with that secret.
      - name: Notify failure via Slack
        uses: archive/github-actions-slack@master
        with:
          slack-bot-user-oauth-access-token: ${{ secrets.slack_token }}
          slack-channel: ${{ secrets.slack_channel }}
          # Link target assumes the image name matches the owner/repo path on the server.
          slack-text: "❌ `${{ inputs.docker_image }}:${{ inputs.docker_tag }}`: [Nightly tests/release failed](${{ github.server_url }}/${{ inputs.docker_image }}/actions/runs/${{ github.run_id }})."