Skip to content

Infra: CVE checks

Infra: CVE checks #6

Workflow file for this run

name: "Infra: CVE checks"
on:
workflow_dispatch:
schedule:
# * is a special character in YAML so you have to quote this string
- cron: '0 8 15 * *'
permissions:
contents: read
jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
with:
token: ${{ github.token }}
- name: Set up JDK
uses: actions/setup-java@v4
with:
java-version: '17'
distribution: 'zulu'
cache: 'maven'
- name: Build project
id: build
run: |
./mvnw -B -ntp versions:set -DnewVersion=$GITHUB_SHA
./mvnw -B -V -ntp clean package -DskipTests
export VERSION=$(./mvnw -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
echo "version=${VERSION}" >> $GITHUB_OUTPUT
- name: Set up QEMU
uses: docker/setup-qemu-action@v3
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Cache Docker layers
uses: actions/cache@v4
with:
path: /tmp/.buildx-cache
key: ${{ runner.os }}-buildx-${{ github.sha }}
restore-keys: |
${{ runner.os }}-buildx-
- name: Build docker image
uses: docker/build-push-action@v5
with:
builder: ${{ steps.buildx.outputs.name }}
context: api
platforms: linux/amd64
push: false
load: true
tags: |
ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}
build-args: |
JAR_FILE=api-${{ steps.build.outputs.version }}.jar
cache-from: type=local,src=/tmp/.buildx-cache
cache-to: type=local,dest=/tmp/.buildx-cache
- name: Run CVE checks
uses: aquasecurity/[email protected]
with:
image-ref: "ghcr.io/kafbat/kafka-ui:${{ steps.build.outputs.version }}"
format: "table"
exit-code: "1"