diff --git a/.github/workflows/workflow.yml b/.github/workflows/workflow.yml index 69498b3..a434d51 100644 --- a/.github/workflows/workflow.yml +++ b/.github/workflows/workflow.yml @@ -41,8 +41,85 @@ env: IMAGE_NAME: ${{ github.repository }} jobs: + gitleaks: + runs-on: ubuntu-latest + permissions: + contents: read + pull-requests: read + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + with: + fetch-depth: 0 + + - name: Scan repository for secrets + uses: gitleaks/gitleaks-action@dcedce43c6f43de0b836d1fe38946645c9c638dc # v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + + hadolint: + runs-on: ubuntu-latest + needs: [gitleaks] + strategy: + matrix: + dockerfile: [Dockerfile, Dockerfile.migration] + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - name: Lint ${{ matrix.dockerfile }} + uses: hadolint/hadolint-action@3fc49fb50d59c6ab7917a2e4195dba633e515b29 # v3.2.0 + with: + dockerfile: ${{ matrix.dockerfile }} + failure-threshold: warning + + actionlint: + runs-on: ubuntu-latest + needs: [hadolint] + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - name: Lint GitHub Actions workflows + uses: raven-actions/actionlint@3d39aea434753780c3b3d4a1a31c854b4dbf49d7 # v2 + + dependency-audit: + runs-on: ubuntu-latest + needs: [hadolint] + strategy: + fail-fast: false + matrix: + include: + - project: application + working-directory: . + - project: scenario-tests + working-directory: scenario-tests + + steps: + - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 + + - uses: astral-sh/setup-uv@11f9893b081a58869d3b5fccaea48c9e9e46f990 # v8.3.2 + with: + version: "0.11.28" + + - name: Audit ${{ matrix.project }} dependencies + working-directory: ${{ matrix.working-directory }} + run: uv audit --locked + + dependency-review: + if: github.event_name == 'pull_request' + runs-on: ubuntu-latest + needs: [hadolint] + permissions: + contents: read + + steps: + - name: Review dependency changes + uses: actions/dependency-review-action@a1d282b36b6f3519aa1f3fc636f609c47dddb294 # v5.0.0 + ruff: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -57,6 +134,7 @@ jobs: ty: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -71,6 +149,7 @@ jobs: import-linter: runs-on: ubuntu-latest + needs: [hadolint] steps: - uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7.0.0 @@ -85,6 +164,7 @@ jobs: test: runs-on: ubuntu-latest + needs: [hadolint] strategy: fail-fast: false matrix: @@ -112,7 +192,7 @@ jobs: build: runs-on: ubuntu-latest - needs: [ruff, ty, import-linter, test] + needs: [actionlint, dependency-audit, ruff, ty, import-linter, test] permissions: contents: read strategy: @@ -142,6 +222,16 @@ jobs: tags: ${{ matrix.tag }} cache-from: type=gha cache-to: type=gha,mode=max + load: true + + - name: Scan ${{ matrix.image-name }} image + uses: aquasecurity/trivy-action@ed142fd0673e97e23eac54620cfb913e5ce36c25 # v0.36.0 + with: + image-ref: ${{ matrix.tag }} + format: table + exit-code: "1" + ignore-unfixed: true + severity: HIGH,CRITICAL e2e: name: Scenario tests