Skip to content
Pipeline

chore(deps): Bump trufflesecurity/trufflehog from 3.78.1 to 3.86.1 #1521

Sign in to view logs

chore(deps): Bump trufflesecurity/trufflehog from 3.78.1 to 3.86.1

chore(deps): Bump trufflesecurity/trufflehog from 3.78.1 to 3.86.1 #1521

Workflow file for this run

.github/workflows/pipeline.yaml at cb477fa
name: Pipeline
on:
push:
branches:
- develop
- feat/*
- hotfix/*
- main
pull_request:
branches:
- develop
- feat/*
- hotfix/*
- main
env:
CONTAINER_NAME: ${{ github.repository }}
CONTAINER_REGISTRY_GHCR: ghcr.io
CONTAINER_PLATFORMS: linux/amd64,linux/arm64/v8
# https://github.com/docker/buildx/releases
BUILDX_VERSION: 0.17.1
jobs:
init:
name: Init
runs-on: ubuntu-24.04
outputs:
VERSION: ${{ steps.version.outputs.version }}
VERSION_FULL: ${{ steps.version.outputs.version_full }}
steps:
- name: Checkout
uses: actions/[email protected]
with:
# We need all Git history for "version.sh"
fetch-depth: 0
# Ensure "version.sh" submodule are up-to-date
submodules: recursive
- name: Generate versions
id: version
run: |
echo "version=$(bash cicd/version/version.sh -g . -c)" >> $GITHUB_OUTPUT
echo "version_full=$(bash cicd/version/version.sh -g . -c -m)" >> $GITHUB_OUTPUT
sast-creds:
name: SAST - Credentials
runs-on: ubuntu-24.04
steps:
- name: Checkout
uses: actions/[email protected]
with:
# We need all Git history for testing credentials
fetch-depth: 0
# Ensure all submodules up-to-date
submodules: recursive
- name: Run tests
uses: trufflesecurity/[email protected]
with:
base: ${{ github.event.repository.default_branch }}
extra_args: --only-verified
head: HEAD~1
sast-semgrep:
name: SAST - Semgrep
runs-on: ubuntu-24.04
permissions:
# Allow to write to GitHub Security
security-events: write
container:
image: returntocorp/semgrep
steps:
- name: Checkout
uses: actions/[email protected]
- name: Run tests
# Semgrep can be used to break the build when it detects security issues. In this case we want to upload the issues to GitHub Security
continue-on-error: true
env:
SEMGREP_RULES: p/cwe-top-25 p/owasp-top-ten p/dockerfile
run: semgrep ci --sarif --output=semgrep.sarif
- name: Upload results to GitHub Security
uses: github/codeql-action/[email protected]
with:
sarif_file: semgrep.sarif
test:
name: Test
permissions:
id-token: write
runs-on: ubuntu-24.04
needs:
- init
strategy:
fail-fast: false
matrix:
# Run all test suites
step:
- static
# TODO: Enable unit tests (Azure login and config file required)
# - unit
steps:
- name: Checkout
uses: actions/[email protected]
- name: Set up uv
uses: astral-sh/[email protected]
with:
enable-cache: true
python-version: "3.12"
version: "0.5.x"
- name: Set up Azure CLI
run: curl -sL https://aka.ms/InstallAzureCLIDeb | sudo bash
# - name: Login to Azure
# uses: Azure/[email protected]
# with:
# client-id: ${{ secrets.AZURE_CLIENT_ID }}
# subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
# tenant-id: ${{ secrets.AZURE_TENANT_ID }}
- name: Cache pytest
uses: actions/[email protected]
with:
key: pytest-${{ github.head_ref || github.ref_name }}-${{ hashFiles('requirements-dev.txt') }}
path: .pytest_cache
- name: Cache Ruff
uses: actions/[email protected]
with:
key: ruff-${{ github.head_ref || github.ref_name }}-${{ hashFiles('requirements-dev.txt') }}
path: .ruff_cache
- name: Set up dependencies
run: make install-deps
- name: Set up local config
run: mv config-remote-example.yaml config.yaml
# - name: Configure environment variables
# run: echo "${{ secrets.DOTENV_UNIT_TESTS }}" > .env
- name: Run tests
run: make test-${{ matrix.step }} version_full=${{ needs.init.outputs.VERSION_FULL }}
- name: Upload artifacts
uses: actions/[email protected]
if: always()
with:
compression-level: 9
name: test-${{ matrix.step }}
path: test-reports/*
build-image:
name: Build & publish image
needs:
- init
- sast-creds
- sast-semgrep
runs-on: ubuntu-24.04
permissions:
attestations: write
id-token: write
packages: write
steps:
- name: Checkout
uses: actions/[email protected]
- name: Configure Git
run: |
git config user.name "${{ github.actor }}"
git config user.email "${{ github.actor }}@users.noreply.github.com"
- name: Setup QEMU
id: setup-qemu
uses: docker/[email protected]
with:
platforms: ${{ env.CONTAINER_PLATFORMS }}
- name: Setup Docker Buildx
uses: docker/[email protected]
with:
version: v${{ env.BUILDX_VERSION }}
- name: Login to registry
uses: docker/[email protected]
with:
registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
username: ${{ github.actor }}
password: ${{ secrets.GITHUB_TOKEN }}
- name: Container meta
id: meta
uses: docker/[email protected]
with:
images: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}
tags: |
type=raw,value=latest,enable={{is_default_branch}}
type=ref,event=branch
type=ref,event=pr
type=schedule
type=schedule,pattern={{date 'YYYYMMDD'}}
type=semver,pattern={{version}},value=${{ needs.init.outputs.VERSION_FULL }}
type=sha
labels: |
org.opencontainers.image.documentation=https://github.com/${{ env.CONTAINER_NAME }}
org.opencontainers.image.vendor=${{ github.actor }}
- name: Build/push container
id: build
uses: docker/[email protected]
with:
build-args: |
VERSION=${{ needs.init.outputs.VERSION_FULL }}
cache-from: |
type=gha,scope=buildkit-${{ github.ref_name }}
type=gha,scope=buildkit-develop
type=gha,scope=buildkit-main
cache-to: type=gha,scope=buildkit-${{ github.ref_name }}
context: .
file: cicd/Dockerfile
labels: ${{ steps.meta.outputs.labels }}
outputs: type=registry,oci-mediatypes=true,compression=estargz,compression-level=9,force-compression=true
platforms: ${{ env.CONTAINER_PLATFORMS }}
push: true
sbom: true
tags: ${{ steps.meta.outputs.tags }}
- name: Generate attestations
uses: actions/[email protected]
with:
push-to-registry: true
subject-digest: ${{ steps.build.outputs.digest }}
subject-name: ${{ env.CONTAINER_REGISTRY_GHCR }}/${{ env.CONTAINER_NAME }}
create-release:
name: Create release
needs:
- build-image
- init
- test
permissions:
# Allow to create releases
contents: write
runs-on: ubuntu-24.04
outputs:
RELEASE_ID: ${{ steps.create-release.outputs.result }}
# Only publish on non-scheduled main branch, as there is only one Helm repo and we cannot override an existing version
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
steps:
- name: Checkout
uses: actions/[email protected]
- name: Create release
id: create-release
uses: actions/[email protected]
with:
script: |
const isMain = context.ref == `refs/heads/main`;
const repoName = context.repo.repo;
console.log(isMain ? 'Creating release for default branch' : 'Creating release for non-default branch');
const { data } = await github.rest.repos.createRelease({
draft: true,
generate_release_notes: true,
name: `${repoName} v${{ needs.init.outputs.VERSION }}`,
owner: context.repo.owner,
prerelease: !isMain,
repo: repoName,
tag_name: 'v${{ needs.init.outputs.VERSION }}',
target_commitish: context.ref,
});
return data.id
publish-release:
name: Publish release
permissions:
# Allow to write releases
contents: write
runs-on: ubuntu-24.04
needs:
- create-release
# Only publish on non-scheduled default branch
if: (github.event_name != 'schedule') && (github.ref == 'refs/heads/main')
steps:
- name: publish release
id: publish-release
uses: actions/[email protected]
with:
script: |
github.rest.repos.updateRelease({
draft: false,
owner: context.repo.owner,
release_id: ${{ needs.create-release.outputs.RELEASE_ID }},
repo: context.repo.repo,
});