|
@@ -0,0 +1,68 @@
|
|
|
|
|
+name: CVE checks docker master
|
|
|
|
|
+on:
|
|
|
|
|
+ workflow_dispatch:
|
|
|
|
|
+ schedule:
|
|
|
|
|
+ # * is a special character in YAML so you have to quote this string
|
|
|
|
|
+ - cron: '0 8 15 * *'
|
|
|
|
|
+jobs:
|
|
|
|
|
+ build-and-test:
|
|
|
|
|
+ runs-on: ubuntu-latest
|
|
|
|
|
+ steps:
|
|
|
|
|
+ - uses: actions/checkout@v2
|
|
|
|
|
+
|
|
|
|
|
+ - name: Cache local Maven repository
|
|
|
|
|
+ uses: actions/cache@v2
|
|
|
|
|
+ with:
|
|
|
|
|
+ path: ~/.m2/repository
|
|
|
|
|
+ key: ${{ runner.os }}-maven-${{ hashFiles('**/pom.xml') }}
|
|
|
|
|
+ restore-keys: |
|
|
|
|
|
+ ${{ runner.os }}-maven-
|
|
|
|
|
+
|
|
|
|
|
+ - name: Set up JDK 1.13
|
|
|
|
|
+ uses: actions/setup-java@v1
|
|
|
|
|
+ with:
|
|
|
|
|
+ java-version: 1.13
|
|
|
|
|
+
|
|
|
|
|
+ - name: Build project
|
|
|
|
|
+ id: build
|
|
|
|
|
+ run: |
|
|
|
|
|
+ mvn versions:set -DnewVersion=$GITHUB_SHA
|
|
|
|
|
+ mvn clean package -DskipTests
|
|
|
|
|
+ export VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --non-recursive exec:exec)
|
|
|
|
|
+ echo "::set-output name=version::${VERSION}"
|
|
|
|
|
+
|
|
|
|
|
+ - name: Set up QEMU
|
|
|
|
|
+ uses: docker/setup-qemu-action@v1
|
|
|
|
|
+
|
|
|
|
|
+ - name: Set up Docker Buildx
|
|
|
|
|
+ uses: docker/setup-buildx-action@v1
|
|
|
|
|
+
|
|
|
|
|
+ - name: Cache Docker layers
|
|
|
|
|
+ uses: actions/cache@v2
|
|
|
|
|
+ with:
|
|
|
|
|
+ path: /tmp/.buildx-cache
|
|
|
|
|
+ key: ${{ runner.os }}-buildx-${{ github.sha }}
|
|
|
|
|
+ restore-keys: |
|
|
|
|
|
+ ${{ runner.os }}-buildx-
|
|
|
|
|
+
|
|
|
|
|
+ - name: Build docker image
|
|
|
|
|
+ uses: docker/build-push-action@v2
|
|
|
|
|
+ with:
|
|
|
|
|
+ builder: ${{ steps.buildx.outputs.name }}
|
|
|
|
|
+ context: kafka-ui-api
|
|
|
|
|
+ platforms: linux/amd64
|
|
|
|
|
+ push: false
|
|
|
|
|
+ load: true
|
|
|
|
|
+ tags: |
|
|
|
|
|
+ provectuslabs/kafka-ui:${{ steps.build.outputs.version }}
|
|
|
|
|
+ build-args: |
|
|
|
|
|
+ JAR_FILE=kafka-ui-api-${{ steps.build.outputs.version }}.jar
|
|
|
|
|
+ cache-from: type=local,src=/tmp/.buildx-cache
|
|
|
|
|
+ cache-to: type=local,dest=/tmp/.buildx-cache
|
|
|
|
|
+
|
|
|
|
|
+ - name: Run CVE checks
|
|
|
|
|
+ uses: aquasecurity/trivy-action@0.2.2
|
|
|
|
|
+ with:
|
|
|
|
|
+ image-ref: "provectuslabs/kafka-ui:${{ steps.build.outputs.version }}"
|
|
|
|
|
+ format: "table"
|
|
|
|
|
+ exit-code: "1"
|
Ruslan Ibragimov