Run vulnerability scan on latest release version #355

Merged (1 commit)
Oct 14, 2024
3 changes: 3 additions & 0 deletions .github/workflows/pull_request.yml
Expand Up @@ -17,6 +17,9 @@ jobs:
test:
uses: ./.github/workflows/test.yml

scan:
uses: ./.github/workflows/scan.yml

pull-request:
needs: test
name: Pull request success
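Review bot: The new `scan` job is not in the `needs` list of the `pull-request` gate, which still reads `needs: test`, so an OSV finding will not fail the PR status check. Either add `scan` alongside `test` there (`needs: [test, scan]`) or state in the PR description that the scan is advisory only on pull requests.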
10 changes: 2 additions & 8 deletions .github/workflows/release.yml
Expand Up @@ -34,10 +34,7 @@ jobs:
with:
distribution: 'temurin'
java-version: '11'
cache: 'gradle'
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Push to registry ${{ matrix.publish_target }}
run: |
set -xev
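Review bot: Dropping the explicit `Validate Gradle wrapper` step together with the `setup-gradle@v3` to `@v4` bump relies on v4 validating wrapper jars by default; that is fine, but it is worth saying so in the commit message so the removal does not read as a lost supply-chain check. The removed `cache: 'gradle'` on `setup-java` is likewise taken over by `setup-gradle`'s own caching, so no separate cache step is needed.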
Expand Down Expand Up @@ -69,10 +66,7 @@ jobs:
with:
distribution: 'temurin'
java-version: '11'
cache: 'gradle'
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build the dependencies needed for the image
run: ./gradlew :fabric-chaincode-docker:copyAllDeps
- name: Set up QEMU
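Review bot: Same change as the previous hunk for the image-build job; the one note that applies here is that the actions are still referenced by mutable major tags (`@v4`, `@v5`), so pinning them to full commit SHAs with a version comment would make the release workflow reproducible and harder to tamper with via a moved tag.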
33 changes: 33 additions & 0 deletions .github/workflows/scan.yml
@@ -0,0 +1,33 @@
name: "Scheduled vulnerability scan"

on:
workflow_call:
inputs:
ref:
description: Branch, tag or SHA to scan.
type: string
required: false
default: ""

permissions:
contents: read

jobs:
osv-scanner:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
cache: false
- name: Scan
run: make scan
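Review bot: The `name: "Scheduled vulnerability scan"` no longer fits, since this reusable workflow is now also invoked from `pull_request.yml`; rename it to something like "Vulnerability scan" so run listings are not misleading. The `make scan` target is not part of this diff, so the PR description should state that it already exists on the default branch and on the release tags this will be run against (an older tag without the target will fail the job with an unhelpful error). `permissions: contents: read` is the right minimal grant for a read-only scan.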
21 changes: 13 additions & 8 deletions .github/workflows/scheduled-scan.yml
Expand Up @@ -9,13 +9,18 @@ permissions:
contents: read

jobs:
osv-scanner:
latest-release-version:
name: Get latest release tag
runs-on: ubuntu-latest
outputs:
tag_name: ${{ steps.tag-name.outputs.value }}
steps:
- uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v5
with:
go-version: stable
- name: Scan
run: make scan
- id: tag-name
run: echo "value=$(curl --location --silent --fail "https://api.github.com/repos/${GITHUB_REPOSITORY}/releases/latest" | jq --raw-output '.tag_name')" >> "${GITHUB_OUTPUT}"

scan:
name: Scan ${{ needs.latest-release-version.outputs.tag_name }}
needs: latest-release-version
uses: ./.github/workflows/scan.yml
with:
ref: ${{ needs.latest-release-version.outputs.tag_name }}
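Review bot: The `tag-name` step can silently produce an empty value. With no `shell:` set the step runs without `pipefail`, so if `curl --fail` exits non-zero (unauthenticated API rate limit, or no release yet) `jq` still exits 0 on empty input, `value=` is written empty, and the `scan` job then checks out `ref: ""`, which resolves to the default branch rather than the latest release. Suggest `shell: bash` (which adds `pipefail`) plus an explicit `[ -n "$value" ]` check, and sending `Authorization: Bearer ${{ secrets.GITHUB_TOKEN }}` (or using `gh api ... --jq .tag_name`) so the lookup is not rate-limited.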
16 changes: 7 additions & 9 deletions .github/workflows/test.yml
Expand Up @@ -7,7 +7,7 @@ name: Test
on:
workflow_call:
inputs:
checkout-ref:
ref:
default: ''
required: false
type: string
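Review bot: Renaming the `workflow_call` input from `checkout-ref` to `ref` is a breaking change for any caller that passes `checkout-ref`; the callers shown in this diff (`pull_request.yml`, `release.yml`) do not pass it, but confirm there is no other workflow or downstream repository invoking `test.yml` with the old name, and mention the rename in the commit message.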
Expand All @@ -18,14 +18,12 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- name: Validate Gradle wrapper
uses: gradle/actions/wrapper-validation@v3
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build and Unit test
run: ./gradlew :fabric-chaincode-shim:build

Expand All @@ -34,11 +32,12 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v4
- name: Populate chaincode with latest java-version
run: |
./gradlew -I $GITHUB_WORKSPACE/fabric-chaincode-integration-test/chaincodebootstrap.gradle -PchaincodeRepoDir=$GITHUB_WORKSPACE/fabric-chaincode-integration-test/src/contracts/fabric-shim-api/repository publishShimPublicationToFabricRepository
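Review bot: Moving `setup-gradle@v4` ahead of the `Populate chaincode` step is the right order, since that step is the first `./gradlew` invocation in the job; the later removal of the `@v3` step (next hunk) should be read together with this one so it is clear the step was relocated, not dropped.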
Expand All @@ -58,7 +57,6 @@ jobs:
run: |
peer version
weft --version
- uses: gradle/actions/setup-gradle@v3
- name: Integration Tests
run: ./gradlew :fabric-chaincode-integration-test:build

Expand All @@ -67,11 +65,11 @@ jobs:
steps:
- uses: actions/checkout@v4
with:
ref: ${{ inputs.checkout-ref }}
ref: ${{ inputs.ref }}
- uses: actions/setup-java@v4
with:
distribution: temurin
java-version: 11
- uses: gradle/actions/setup-gradle@v3
- uses: gradle/actions/setup-gradle@v4
- name: Build Docker image
run: ./gradlew :fabric-chaincode-docker:buildImage