Skip to content

ci: add missing permission to Trivy scan job (#4298) #9019

ci: add missing permission to Trivy scan job (#4298)

ci: add missing permission to Trivy scan job (#4298) #9019

Workflow file for this run

on:
push:
branches:
- main
pull_request:
branches:
- main
workflow_dispatch:
permissions:
contents: read # for actions/checkout to fetch code
env:
CI_CONTAINER_REGISTRY: europe-west1-docker.pkg.dev
CI_CONTAINER_REPOSITORY: europe-west1-docker.pkg.dev/weave-gitops-clusters/weave-gitops
name: PR CI Workflow
jobs:
ci-js:
name: CI Test JS
runs-on: ubuntu-latest
strategy:
matrix:
node-version: [22.x]
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Node modules cache
uses: actions/cache@704facf57e6136b1bc63b828d79edcd491f0ee84 # v3.3.2
id: yarn-cache
env:
cache-name: cache-node-modules
with:
path: ~/.cache/yarn
key: ${{ runner.os }}-build-${{ env.cache-name }}-${{ hashFiles('**/yarn.lock') }}
restore-keys: |
${{ runner.os }}-build-${{ env.cache-name }}-
${{ runner.os }}-build-
${{ runner.os }}-
- name: Use Node.js ${{ matrix.node-version }}
uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: ${{ matrix.node-version }}
- run: make node_modules
- name: Check that package.json & package-lock.json were updated in commit
run: |
echo "Using node.js "$(node --version)
echo "Using Yarn "$(yarn --version)
git diff --no-ext-diff --exit-code
- run: make ui-audit
- run: make ui
- run: make ui-lint
- run: make ui-prettify-check
- run: make ui-test
- run: make ui-lib
ci-go:
name: CI Test Go
runs-on: ubuntu-latest
strategy:
matrix:
go-version: [1.23.X]
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- name: Setup Flux CLI
uses: fluxcd/flux2/action@709b17ce59d184427c1395bc70f496ba528d3bee # main
with:
token: ${{ secrets.GITHUB_TOKEN }}
- run: make unit-tests
# server core fails if ui-tests have not just been run.
# was this all the case
# - run: make lib-test
ci-static:
name: CI Check Static Checks
runs-on: ubuntu-latest
strategy:
matrix:
go-version: [1.23.X]
node-version: [22.x]
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Setup Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: ${{ matrix.go-version }}
- run: make check-format
- run: make lint
- run: go mod tidy
- name: Check that go mod tidy has been run
run: git diff --no-ext-diff --exit-code
- run: make proto
- name: Check that make proto has been run
run: git diff --no-ext-diff --exit-code
- run: make fakes
- name: Check that make fakes has been run
run: git diff --no-ext-diff --exit-code
ci-generate-tag:
name: CI Generate Image Tag
runs-on: ubuntu-latest
outputs:
tag: ${{ steps.generate-tag.outputs.tag }}
steps:
- id: generate-tag
run: echo "::set-output name=tag::$(date -u +%s)-${{ github.sha }}"
ci-build-gitops-image:
name: CI Build Gitops Docker Image
runs-on: ubuntu-latest
needs: [ci-generate-tag]
strategy:
matrix:
docker-image:
- gitops
- gitops-server
steps:
- uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- name: Set build-time flags
run: |
echo "LDFLAGS=$(make echo-ldflags)" >> $GITHUB_ENV
echo "FLUX_VERSION=$(make echo-flux-version)" >> $GITHUB_ENV
- name: Build and export
uses: docker/build-push-action@0565240e2d4ab88bba5387d719585280857ece09 # v5.0.0
with:
tags: "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
outputs: type=docker,dest=/tmp/${{ matrix.docker-image }}.tar
file: ${{ matrix.docker-image }}.dockerfile
build-args: |
FLUX_VERSION=${{ env.FLUX_VERSION }}
LDFLAGS=${{ env.LDFLAGS }}
GIT_COMMIT=${{ github.sha }}
- name: Load docker image
run: docker load --input /tmp/${{ matrix.docker-image }}.tar
- name: Cache docker image
uses: actions/upload-artifact@a8a3f3ad30e3422c9c7b888a15615d19a852ae32 # v3.1.3
with:
name: ${{ matrix.docker-image }}
path: /tmp/${{ matrix.docker-image }}.tar
ci-upload-images:
name: CI Upload Images - Disabled
runs-on: ubuntu-latest
# Make sure we only upload images if tests etc have passed
needs: [ci-go, ci-static, ci-js, ci-build-gitops-image, ci-generate-tag]
permissions:
contents: 'read'
id-token: 'write'
if: github.event_name == 'push'
strategy:
matrix:
docker-image:
- gitops
- gitops-server
steps:
- uses: docker/setup-buildx-action@f95db51fddba0c2d1ec667646a06c2ce06100226 # v3.0.0
- uses: google-github-actions/setup-gcloud@e30db14379863a8c79331b04a9969f4c1e225e0b # v1.1.1
- name: Download cached docker image
uses: actions/download-artifact@9bc31d5ccc31df68ecc42ccf4149144866c47d8a # v3.0.2
with:
name: ${{ matrix.docker-image }}
path: /tmp
# - name: Authenticate to Google Cloud
# id: gcloud-auth
# uses: google-github-actions/auth@35b0e87d162680511bf346c299f71c9c5c379033 # v1.1.1
# with:
# service_account: ${{ secrets.service_account }}
# workload_identity_provider: ${{ secrets.workload_identity_provider }}
# - name: Login to gcloud for docker
# run: gcloud --quiet auth configure-docker ${{ env.CI_CONTAINER_REGISTRY }}
# - name: Push images to gcloud
# run: |
# docker load --input /tmp/${{ matrix.docker-image }}.tar
# docker push "${{ env.CI_CONTAINER_REPOSITORY }}/${{ matrix.docker-image }}:${{ needs.ci-generate-tag.outputs.tag }}"
ci-upload-binary:
name: Upload Binary - Disabled
runs-on: ${{matrix.os}}
needs: [ci-go, ci-static, ci-js, ci-build-gitops-image]
strategy:
matrix:
os: [ubuntu-latest, macOS-latest]
if: github.event_name == 'push'
steps:
- name: Install Go
uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0
with:
go-version: 1.23.X
- name: Checkout code
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
- name: Clean
run: make clean
- id: gitsha
run: |
gitsha=$(git rev-parse --short ${{ github.sha }})
echo "::set-output name=sha::$gitsha"
- name: build
run: |
make gitops
# - name: publish to s3
# uses: aws-actions/configure-aws-credentials@8c3f20df09ac63af7b3ae3d7c91f105f857d8497 # v4.0.0
# with:
# aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
# aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
# aws-region: us-east-2
# - run: |
# aws s3 cp bin/gitops s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}}
# aws s3 cp s3://weave-gitops/gitops-${{matrix.os}}-${{steps.gitsha.outputs.sha}} s3://weave-gitops/gitops-${{matrix.os}}
ci-publish-js-lib:
name: Publish js library
runs-on: ubuntu-latest
if: ${{ !github.event.pull_request.head.repo.fork }}
needs: [ci-js]
permissions:
packages: write
outputs:
js-version: ${{ steps.package-version.outputs.js-version }}
steps:
- name: Checkout
uses: actions/checkout@3df4ab11eba7bda6032a0b82a6bb43b11571feac # v4.0.0
with:
# avoid the merge commit that on.pull_request creates
# fallback to github.sha if not present (e.g. on.push(main))
# https://github.com/actions/checkout#checkout-pull-request-head-commit-instead-of-merge-commit
# We want the correct sha so we can tag the npm package correctly
ref: ${{ github.event.pull_request.head.sha || github.sha }}
fetch-depth: 0
- uses: actions/setup-node@39370e3970a6d050c480ffad4ff0ed4d3fdee5af # v4.1.0
with:
node-version: "22.x"
registry-url: "https://npm.pkg.github.com"
scope: "@weaveworks"
- run: yarn
- run: make ui-lib
- name: Update package version
id: package-version
run: |
GITOPS_VERSION=$(git describe)
echo "::set-output name=js-version::$GITOPS_VERSION"
jq '.version = "'$GITOPS_VERSION'" | .name = "@weaveworks/weave-gitops-main"' < dist/package.json > dist/package-new.json
mv dist/package-new.json dist/package.json
cp .npmrc dist
- run: cd dist && npm publish
env:
NODE_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
# We only push images on merge so create a passing check if everything finished
finish-ci-pr:
name: PR CI Pipeline
runs-on: ubuntu-latest
needs:
- ci-go
- ci-static
- ci-js
- ci-build-gitops-image
if: github.event_name != 'push'
steps:
- run: echo "All done"
finish-ci-merge:
# must match https://github.com/weaveworks/corp/blob/master/github-repo-weave-gitops.tf
name: PR CI Pipeline
runs-on: ubuntu-latest
needs:
- ci-upload-images
- ci-upload-binary
- ci-publish-js-lib
steps:
- run: echo "All done"
# release step updates 'release' status check for non releases branches. See ../../doc/incidents/issues-3907 for full context.
release:
if: ${{ github.event_name == 'pull_request' && !startsWith(github.event.pull_request.head.ref, 'releases/') && !github.event.pull_request.head.repo.fork }}
runs-on: ubuntu-latest
steps:
- name: Release
run: |
curl --fail --request POST \
--url https://api.github.com/repos/${{ github.repository }}/statuses/${{ github.event.pull_request.head.sha }} \
--header 'authorization: Bearer ${{ secrets.WEAVE_GITOPS_BOT_ACCESS_TOKEN }}' \
--header 'content-type: application/json' \
--data '{
"state":"success",
"description":"release not required",
"context":"release"
}'