network-operator/.github/workflows/validate-common.yaml at f2dde5f40a11b5e56c3cd49a717e6a43ac389b8d · tkatila/network-operator · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
name: validation common
on:
  workflow_call:
    inputs:
      runner:
        required: true
        type: string

permissions:
  pull-requests: read # for golangci/golangci-lint-action to fetch pull requests
  contents: read

env:
  isubuntu: ${{ startsWith (inputs.runner, 'ubuntu') }}

jobs:
  golangci:
    name: Run lint
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - run: |
          sudo apt-get -y install libpcap-dev libdbus-1-dev libdbus-1-3 libibverbs-dev libibverbs1 libcap-dev libsystemd-dev
        if: ${{ env.isubuntu == 'true' }}
      - run: |
          make lint
  build:
    name: Build all
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - run: |
          sudo apt-get -y install libpcap-dev libdbus-1-dev libdbus-1-3 libibverbs-dev libibverbs1 libcap-dev libsystemd-dev
        if: ${{ env.isubuntu == 'true' }}
      - run: make build
      - run: make operator-image
      - run: make discover-image
      - name: Run Trivy for operator image
        if: always()
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        with:
          scan-type: image
          scan-ref: intel/intel-network-operator:latest
          format: json
          trivy-config: trivy.yaml
          output: operator-image-vulnerabilities.json
      - name: Run Trivy for discover image
        if: always()
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        with:
          scan-type: image
          scan-ref: intel/intel-network-linkdiscovery:latest
          format: json
          trivy-config: trivy.yaml
          output: discover-image-vulnerabilities.json
      - name: Store image reports as artifacts
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: trivy-image-vulnerabilities-json
          path: |
            discover-image-vulnerabilities.json
            operator-image-vulnerabilities.json
          retention-days: 14
  tests:
    name: Run tests
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - run: |
          sudo apt-get -y install libpcap-dev libdbus-1-dev libdbus-1-3 libibverbs-dev libibverbs1 libcap-dev libsystemd-dev
        if: ${{ env.isubuntu == 'true' }}
      - name: Run tests
        run: |
          make envtest
          make test
  trivy_dockerfiles:
    name: Run trivy dockerfiles
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - name: Run Trivy for dockerfiles
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        with:
          scan-type: config
          scan-ref: build/
          format: table
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM

      - name: Run Trivy for dockerfiles (json)
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        if: always()
        with:
          scan-type: config
          scan-ref: build/
          format: json
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM
          output: trivy-dockerfiles.json
      - run: |
          cp .trivyignore.yaml trivyignore.yaml
      - name: Store dockerfiles analysis report as artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: trivy-dockerfiles-json
          path: |
            trivy-dockerfiles.json
            trivyignore.yaml
          retention-days: 14

  trivy_vulnerabilities:
    name: Run trivy vulnerabilities
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - name: Run Trivy for vulnerabilities
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        with:
          scan-type: fs
          scan-ref: go.mod
          format: table
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM

      - name: Run Trivy for vulnerabilities (json)
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        if: always()
        with:
          scan-type: fs
          scan-ref: go.mod
          format: json
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM
          output: trivy-vulnerabilities.json
          list-all-pkgs: true
      - run: |
          cp .trivyignore.yaml trivyignore.yaml
      - name: Store vulnerability report as artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: trivy-vulnerabilities-json
          path: |
            trivy-vulnerabilities.json
            trivyignore.yaml
          retention-days: 14

  trivy_deployments:
    name: Run trivy deployments
    runs-on: ${{ inputs.runner }}
    steps:
      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
        with:
          clean: true
      - uses: actions/setup-go@3041bf56c941b39c61721a86cd11f3bb1338122a # v5
        with:
          go-version-file: go.mod
          check-latest: true
          cache: false
      - name: Prepare env
        run: |
          DEPL_YAML_DIR=trivy-depl make trivy-deployments
      - name: Run Trivy for deployments
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        with:
          scan-type: config
          scan-ref: trivy-depl
          format: table
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM
      - name: Run Trivy for deployments (json)
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
        if: always()
        with:
          scan-type: config
          scan-ref: trivy-depl
          format: json
          trivy-config: trivy.yaml
          exit-code: 1
          severity: CRITICAL,HIGH,MEDIUM
          output: trivy-deployments.json
      - run: |
          cp .trivyignore.yaml trivyignore.yaml
      - name: Store vulnerability report as artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
        if: always()
        with:
          name: trivy-deployments-json
          path: |
            trivy-deployments.json
            trivyignore.yaml
          retention-days: 14