docs: add badges for alpine/distroless daily security scans #234
Workflow file for this run
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
name: CI | |
on: | |
push: | |
branches: [ 'v8' ] | |
paths-ignore: | |
- '**.md' # Don't run CI on markdown changes. | |
pull_request: | |
branches: [ 'v8', 'feat/**' ] | |
paths-ignore: | |
- '**.md' | |
jobs: | |
go-versions: | |
uses: ./.github/workflows/go-versions.yml | |
# Runs the common tasks (unit tests, lint, benchmarks, installation test) | |
# against each Go version in the matrix. | |
go-matrix: | |
name: ${{ format('Go {0}', matrix.go-version) }} | |
needs: go-versions | |
strategy: | |
# Let jobs fail independently, in case it's a single version that's broken. | |
fail-fast: false | |
matrix: | |
go-version: ${{ fromJSON(needs.go-versions.outputs.matrix) }} | |
uses: ./.github/workflows/common_ci.yml | |
with: | |
go-version: ${{ matrix.go-version }} | |
# Integration tests run only on the latest Go version since they are more | |
# time intensive, and we'd likely be rate-limited by LaunchDarkly SaaS if we | |
# ran them in parallel for multiple Go versions. | |
integration-test: | |
needs: go-versions | |
uses: ./.github/workflows/integration-test.yml | |
with: | |
environment: 'staging' | |
go-version: ${{ needs.go-versions.outputs.latest }} | |
security-scan: | |
needs: go-versions | |
runs-on: ubuntu-latest | |
name: "Trivy Scan of Docker Image" | |
steps: | |
- uses: actions/checkout@v4 | |
with: | |
fetch-depth: 0 | |
fetch-tags: 'true' | |
- name: Setup Go ${{ inputs.go-version }} | |
uses: actions/setup-go@v4 | |
with: | |
go-version: ${{ needs.go-versions.outputs.latest }} | |
- name: Set up QEMU | |
uses: docker/setup-qemu-action@v3 | |
- name: Setup Docker Buildx | |
uses: docker/setup-buildx-action@v3 | |
with: | |
platforms: linux/amd64,linux/arm64/v8,linux/arm/v7,linux/386 | |
- name: Build Docker Images | |
run: make products-for-release | |
- name: Get current Relay version | |
id: image-tag | |
run: | |
echo "value=$(jq -r '.version' < dist/metadata.json)" >> $GITHUB_OUTPUT | |
- uses: aquasecurity/trivy-action@master | |
id: scan-alpine | |
continue-on-error: true | |
with: | |
# Using an explicit tag rather than ld-relay:latest to ensure we're scanning the local image that we just built. | |
# It's not clear why, but it seems goreleaser doesn't create the :latest tag when skipping the publish step | |
# as we do for CI, so the scan will end up checking the public image instead of the one we just built. | |
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-amd64 | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
- uses: aquasecurity/trivy-action@master | |
id: scan-distroless | |
continue-on-error: true | |
with: | |
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-nonroot-amd64 | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
- uses: aquasecurity/trivy-action@master | |
continue-on-error: true | |
id: scan-debug-distroless | |
with: | |
image-ref: launchdarkly/ld-relay:${{ steps.image-tag.outputs.value }}-static-debian12-debug-nonroot-amd64 | |
format: 'table' | |
exit-code: '1' | |
ignore-unfixed: true | |
- name: Fail if any of scan-alpine, scan-distroless, or scan-distroless-debug failed | |
if: ${{ steps.scan-alpine.outcome != 'success' || steps.scan-distroless.outcome != 'success' || steps.scan-debug-distroless.outcome != 'success' }} | |
run: exit 1 |